According to blockchain data, the individual who carried out an address-poisoning attack and deceived a user into sending them 1,155 Wrapped Bitcoin (wBTC), valued at $68 million at the time, has returned almost all of the stolen funds. The attacker exchanged the funds for Ether (ETH) while in their possession, taking advantage of the falling price of ETH. However, they have now sent back approximately 22,960 ETH worth $65.7 million, which represents over 96% of the initial US dollar value of the stolen funds.
A glance at the victim’s wallet reveals that it now holds over 22,000 ETH. This information can be verified on Etherscan.
On May 10 at 8:47 am UTC, a series of wallets initiated the process of sending ETH to the victim’s account. The first transfer amounted to 29.999 ETH ($87,199 based on the ETH price at that time). Over the next day, more than 225 wallet transactions were executed from different accounts to send ETH to the victim’s address. The value of each transaction ranged from 29 to 67 ETH.
As a result of these transactions, the wallet balance reached over 29,000 ETH.
These transfers occurred after the victim and the attacker engaged in a series of conversations. Initially, the victim had agreed to allow the attacker to retain 10% of the funds as a reward. However, at the time of publication, the attacker had returned more than 90% of the funds.
Match Systems, a platform that investigated the incident, claimed to have obtained information that bolstered the victim’s position during negotiations. This implies that progress had been made in identifying the attacker. Match Systems, in collaboration with the cybersecurity agency and the Cryptex cryptocurrency exchange, facilitated the negotiations with the attacker, leading to the return of the entire stolen amount, 22,960 ETH, to the victim. As of now, the victim has no complaints against the attacker.
Address poisoning attacks can cause significant financial losses to cryptocurrency users. Experts recommend carefully scrutinizing the receiving address before each transaction to avoid falling victim to such attacks.
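The address check recommended above can be automated before a transfer is signed. The Python sketch below is an added example, not code from the article or from Match Systems. It assumes the common form of address poisoning, where the planted address matches the first and last characters of one the user already trusts (a detail the article does not describe). The address book, labels and addresses are constructed sample values.

```python
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def normalize(addr):
    """Return the lowercase 40-hex-digit body of an address, or raise ValueError."""
    addr = addr.strip()
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"not a well-formed address: {addr!r}")
    return addr[2:].lower()

def check_recipient(candidate, address_book, edge=4):
    """Classify a destination address against a trusted address book.

    ("trusted", label)   - every one of the 40 hex digits matches an entry
    ("lookalike", label) - differs from an entry but shares its first and
                           last `edge` digits, the part a wallet UI shows
                           when it truncates an address
    ("unknown", None)    - resembles nothing in the book
    """
    cand = normalize(candidate)
    lookalike = None
    for label, trusted in address_book.items():
        known = normalize(trusted)
        if cand == known:
            return ("trusted", label)
        if cand[:edge] == known[:edge] and cand[-edge:] == known[-edge:]:
            lookalike = label  # keep scanning in case of an exact match later
    if lookalike is not None:
        return ("lookalike", lookalike)
    return ("unknown", None)

# Constructed sample data (not real addresses from the incident).
ADDRESS_BOOK = {
    "exchange-deposit": "0xA1b2C3d4E5f60718293a4B5c6D7e8F9012345678",
}
# Same first four and last four digits as the trusted entry, different middle.
SPOOFED = "0x" + "a1b2" + "9" * 32 + "5678"
UNRELATED = "0x" + "0" * 39 + "1"

if __name__ == "__main__":
    for addr in (ADDRESS_BOOK["exchange-deposit"], SPOOFED, UNRELATED):
        print(addr, check_recipient(addr, ADDRESS_BOOK))
```

A "lookalike" result should block the transfer until the full address has been compared against a source outside the transaction history.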
Update 5-11-2024 at 3:24 pm: This article has been updated to include additional information from the Match Systems statement.