The individual responsible for the address-poisoning attack, in which they deceived a user into sending $68 million worth of Wrapped Bitcoin (WBTC), has made a gesture of goodwill by returning $153,000 worth of Ether (ETH) to the victim. Alongside the transaction, the attacker included a message expressing willingness to negotiate and requested a Telegram username for further contact. However, the amount returned represents only 0.225% of the total stolen funds.
According to blockchain data, on May 5, the victim, identified by the account ending in 8fD5, sent three messages to an account ending in dA6D. The recipient of these messages had received funds from the attacking account, labeled as “FakePhishing327990” on Etherscan, through several intermediary accounts. This strongly suggests that the account ending in dA6D was likely controlled by the attacker.
The victim’s messages implied that they were willing to offer the attacker 10% of the funds as a bounty and refrain from pursuing legal action if the remaining 90% was returned. At 11:37 am UTC on May 9, another account ending in 72F1 responded by sending 51 Ether (ETH) worth $153,000 to the victim. The account ending in 72F1 had also received funds from FakePhishing327990 through various intermediary accounts, indicating it was also under the attacker’s control.
In the transaction that sent the 51 ETH, the attacker added a message saying, “Please leave your Telegram, and I will contact you.” They subsequently corrected their punctuation at 11:43 am by posting an additional message that read, “Please leave your Telegram, and I will contact you.”
In response, the victim provided a Telegram username for contact purposes.
The negotiation between the victim and the attacker occurred after the latter allegedly deceived the former into mistakenly transferring 1,155 Wrapped Bitcoin (WBTC) worth $68 million into their account through an “address poisoning” transaction.
Blockchain data reveals that at 09:17 am on May 3, the attacker utilized a smart contract to transfer 0.05 of a token from the victim’s account to their own. The token transferred did not have a specified name on Etherscan and was simply referred to as “ERC-20.” Typically, an attacker cannot transfer a token from another user’s account without their consent. However, in this case, the token had a customized design that allowed unauthorized transfers.
At 10:31 am on the same day, the victim mistakenly sent 1,155 WBTC to this address. It is possible that the address appeared similar to one used by the victim for depositing funds into a centralized exchange or for other purposes.
Additionally, the victim may have seen a previous transaction of 0.05 tokens sent to this address and assumed it was safe. However, those tokens were actually sent by the attacker but appeared to originate from the victim.
Security experts call this an “address poisoning attack”: the attacker spams the victim with transactions that appear to come from the victim’s own account but were actually initiated by the attacker, so that the look-alike address ends up in the victim’s transaction history. Experts advise users to carefully scrutinize the full destination address, not just its first and last characters, before confirming a transaction, to avoid falling victim to these costly attacks.
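As an added illustration (not code from the article or from any wallet vendor), the two hallmarks described above can be checked mechanically: a token transfer that is recorded as coming "from" the user's address but was signed by someone else, sent to an address that imitates one the user really uses, and a pre-send check that refuses look-alike destinations. The addresses, the `Transfer` record shape and the history below are constructed samples, not the real accounts in the story.

```python
# Added example: flag address-poisoning transfers and screen a destination before sending.
from dataclasses import dataclass

@dataclass
class Transfer:
    tx_sender: str    # account that signed the transaction
    token_from: str   # "from" in the token contract's Transfer event
    token_to: str     # "to" in the token contract's Transfer event
    token_name: str   # name shown by the explorer ("" if unnamed)
    value: float

def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True if two different addresses share the same leading and trailing hex digits."""
    a, b = a.lower(), b.lower()
    return a != b and a[:2 + prefix] == b[:2 + prefix] and a[-suffix:] == b[-suffix:]

def poisoned_transfers(history, my_address, trusted):
    """Transfers that claim to come 'from' the user but were signed by someone else
    (only a custom token contract can do this). Returns (transfer, reasons) pairs."""
    me = my_address.lower()
    hits = []
    for t in history:
        if t.token_from.lower() != me or t.tx_sender.lower() == me:
            continue  # either not 'from' us, or we genuinely signed it
        reasons = ["'from' is our address but we did not sign the transaction"]
        if not t.token_name:
            reasons.append("unnamed token")
        mimic = [k for k in trusted if looks_alike(t.token_to, k)]
        if mimic:
            reasons.append(f"destination imitates trusted address {mimic[0]}")
        hits.append((t, reasons))
    return hits

def safe_destination(dest, trusted):
    """Pre-send check: exact match in the address book passes; a look-alike fails."""
    if any(dest.lower() == k.lower() for k in trusted):
        return True, "exact match in address book"
    for k in trusted:
        if looks_alike(dest, k):
            return False, f"first/last digits match {k} but the address differs"
    return False, "not in address book"

# Constructed sample data: same first 4 and last 4 hex digits, different middle.
ME = "0x1111111111111111111111111111111111118fD5"
EXCHANGE = "0xd9A1" + "0123456789abcdef0123456789abcdef" + "aB3C"
POISON = "0xd9A1" + "ffffffffffffffffffffffffffffffff" + "aB3C"
ATTACKER = "0xbad0bad0bad0bad0bad0bad0bad0bad0bad0bad0"
HISTORY = [Transfer(ME, ME, EXCHANGE, "WBTC", 1.0),   # genuine deposit, signed by us
           Transfer(ATTACKER, ME, POISON, "", 0.05)]  # poisoning transfer
```

Running `poisoned_transfers(HISTORY, ME, [EXCHANGE])` flags only the second record, and `safe_destination(POISON, [EXCHANGE])` rejects the imitation even though its visible ends match.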