A person who stole $71 million worth of cryptocurrency from a victim recently returned all the money. This happened after some companies that investigated blockchain noticed what was going on.
The unidentified attacker gave back $71 million worth of Ether (ETH) tokens on May 12, following a widely publicized phishing incident that drew the focus of several blockchain investigation firms. Lookonchain, an on-chain security firm, provided a detailed analysis in a post on May 13.
On-chain added, “SlowMist_Team released a report on this incident 3 days ago, tracking multiple attacker’ IPs possibly from Hong Kong (the use of VPNs has not been ruled out). After that, the attacker replied to the whale and returned all the funds.”
The theft happened on May 3 when someone tricked an investor into sending their cryptocurrency to a fake wallet. The scammer made the fake wallet look similar to the real one, but some small differences that were hard to notice.
The victim didn’t see the differences and sent almost all of their cryptocurrency to the fake wallet. Usually, people check the first and last few characters of a wallet address, but the scammer made sure those matched.
Although the stolen funds were eventually returned, on-chain transactions before the incident indicate that the exploiter had different initial intentions. Upon receiving the stolen funds, the attacker promptly converted 1,155 WBTC to around 23,000 ETH, a common tactic among malicious hackers to launder funds through privacy protocols and crypto mixing services like Tornado Cash.
On May 8, the attacker began dispersing the funds among over 400 crypto wallets, eventually distributing them across more than 150 separate wallets before returning the assets.
Shortly after the return of the funds, on-chain security firm SlowMist published an analysis suggesting that the attacker, potentially based in Hong Kong, became wary of the consequences. The $71 million theft is just a fraction of the phishing attempts linked to the WBTC theft, as revealed in a May 10 incident report by SlowMist:
“Upon investigating this fee address, we observed that from April 19 to May 3, this address initiated over 20,000 small transactions, distributing small amounts of ETH to various addresses for phishing purposes.”