Skip to content

Hacker returns $71 million worth of crypto to phishing victim

Hacker returns $71 million worth of crypto to phishing victim

A whale lost 1,155 Wrapped BTC (WBTC), worth $71 million, due to a phishing attack on May 3. Surprisingly, the attacker returned all the funds to the victim a week later.

On May 2, the whale spent $29.6 million DAI to buy 502 WBTC at $58,951. Later, on May 4, the victim created a new address and transferred 0.05 ETH for testing—a usual practice when moving large amounts.

As reported by Finbold, the attacker generated phishing addresses in advance and monitored users’ on-chain activities. When the victim whale was about to transfer WBTC, the attacker sent 0 ETH using a phishing address.

Victim’s transaction history. Source: Etherscan / Lookonchain

A specific phishing: Address poisoning attack

Interestingly, this attack used a technique known as “Address Poisoning,” as it poisons the victim’s transaction history. The phishing address had the same starting and ending letters as the whale’s new address.

This attack is particularly hard to spot because many crypto wallets hide the middle part of the address with “…” to improve the user interface. Moreover, users often copy addresses from transaction histories and only check the starting and ending letters.

Therefore, the whale mistakenly copied the phishing address and sent 1,155 WBTC to the attacker.

Attacker returns stolen $71 million to phishing victim

On-chain data shows that the attacker immediately converted the stolen WBTC into 22,960 ETH, possibly for money laundering purposes. Lookonchain reported the entire development of these events and summarized it in a post on X on May 12.

Attacker’s swap history. Source: Etherscan / Lookonchain

Notably, the whale tried to contact the attacker, offering a 10% bounty for returning 90% of the funds. Initially, the attacker did not respond, but as the cybersecurity company Slow Mist tracked the attacker’s IPs, possibly from Hong Kong, the attacker replied and returned all the funds.

To prevent such attacks, users should carefully check the entire address when making transfers. Saving trusted addresses in the address book and copying from there is recommended. Enabling small transaction filtering in wallets can also help filter out phishing transactions, further preserving the funds.

Best Crypto Exchange for Intermediate Traders and Investors

  • Invest in 70+ cryptocurrencies and 3,000+ other assets including stocks and precious metals.

  • 0% commission on stocks - buy in bulk or just a fraction from as little as $10. Other fees apply. For more information, visit

  • Copy top-performing traders in real time, automatically.

  • eToro USA is registered with FINRA for securities trading.

30+ million Users
eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. eToro USA LLC does not offer CFDs, only real Crypto assets available. Don’t invest unless you’re prepared to lose all the money you invest.

Read Next:

Weekly Finance Digest

By subscribing you agree with Finbold T&C’s & Privacy Policy

Related posts