Hacker returns $71 million worth of crypto to phishing victim

A whale lost 1,155 Wrapped BTC (WBTC), worth $71 million, due to a phishing attack on May 3. Surprisingly, the attacker returned all the funds to the victim a week later.

On May 2, the whale spent $29.6 million DAI to buy 502 WBTC at $58,951. Later, on May 4, the victim created a new address and transferred 0.05 ETH for testing—a usual practice when moving large amounts.

As reported by Finbold, the attacker generated phishing addresses in advance and monitored users’ on-chain activities. When the victim whale was about to transfer WBTC, the attacker sent 0 ETH using a phishing address.

Victim’s transaction history. Source: Etherscan / Lookonchain

A specific kind of phishing: the address poisoning attack

This attack used a technique known as “address poisoning,” so called because it poisons the victim’s transaction history with a lookalike address. The phishing address had the same starting and ending characters as the whale’s new address.

This attack is particularly hard to spot because many crypto wallets hide the middle part of the address with “…” to improve the user interface. Moreover, users often copy addresses from transaction histories and only check the starting and ending letters.

As a result, the whale mistakenly copied the phishing address and sent 1,155 WBTC to the attacker.

Attacker returns stolen $71 million to phishing victim

On-chain data shows that the attacker immediately converted the stolen WBTC into 22,960 ETH, possibly for money laundering purposes. Lookonchain reported the entire development of these events and summarized it in a post on X on May 12.

Attacker’s swap history. Source: Etherscan / Lookonchain

Notably, the whale tried to contact the attacker, offering a 10% bounty for returning 90% of the funds. Initially, the attacker did not respond, but as the cybersecurity company SlowMist tracked the attacker’s IPs, possibly from Hong Kong, the attacker replied and returned all the funds.

To prevent such attacks, users should carefully check the entire address when making transfers. Saving trusted addresses in the address book and copying from there is recommended. Enabling small transaction filtering in wallets can also help filter out phishing transactions, further preserving the funds.
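
The full-address comparison and small-transaction filtering recommended above can be automated. The Python below is an added example, not code from Finbold, Lookonchain or any wallet; the addresses, the `dust_threshold_wei` value and all function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    sender: str     # counterparty shown in the wallet's history
    value_wei: int  # amount received

def norm(addr: str) -> str:
    """Lowercase and drop 0x so comparison ignores checksum casing."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def truncated(addr: str, head: int = 6, tail: int = 4) -> str:
    """What a wallet UI that hides the middle of an address displays."""
    return f"{addr[:head]}...{addr[-tail:]}"

def is_lookalike(candidate: str, trusted: str, n: int = 4) -> bool:
    """Same first and last n hex characters, but not the same address."""
    c, t = norm(candidate), norm(trusted)
    return c != t and c[:n] == t[:n] and c[-n:] == t[-n:]

def find_poisoning(history, address_book, dust_threshold_wei=10**13):
    """Return (sender, imitated label, is_dust) for every lookalike sender."""
    return [(tx.sender, label, tx.value_wei <= dust_threshold_wei)
            for tx in history
            for label, trusted in address_book.items()
            if is_lookalike(tx.sender, trusted)]

def safe_destination(pasted: str, address_book):
    """Accept a pasted address only if all 40 hex characters match an entry."""
    for label, trusted in address_book.items():
        if norm(pasted) == norm(trusted):
            return label
    return None

# Constructed sample data (not the addresses from the incident).
TRUSTED = "0xd9A1" + "11" * 16 + "53B0"
LOOKALIKE = "0xd9A1" + "ee" * 16 + "53B0"
UNRELATED = "0x" + "ab" * 20
BOOK = {"new wallet": TRUSTED}
HISTORY = [Transfer(UNRELATED, 5 * 10**16), Transfer(LOOKALIKE, 0)]

if __name__ == "__main__":
    print(truncated(TRUSTED), "vs", truncated(LOOKALIKE))
    for sender, label, dust in find_poisoning(HISTORY, BOOK):
        print(f"lookalike of '{label}': {sender} (dust transfer: {dust})")
    print("paste check:", safe_destination(LOOKALIKE, BOOK))
```

The truncated forms of the two addresses are identical, which is why the comparison has to cover every character rather than the displayed prefix and suffix.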
