The alleged address-poisoning attacker, who managed to deceive a user into sending them $68 million worth of Wrapped Bitcoin (WBTC), has now returned $153,000 worth of Ether (ETH) to the victim as a gesture of goodwill. The attacker also sent a message in the same transaction, expressing a willingness to negotiate and asking for a Telegram username to continue communication. It is important to note that the amount returned represents only 0.225% of the total funds that were allegedly stolen.
According to blockchain data, on May 5, the victim of the attack, whose account ends in 8fD5, sent three messages to an account ending in dA6D. This recipient had received funds from the attacking account, which was labeled as “FakePhishing327990” on Etherscan, through several intermediate accounts. This suggests that dA6D was likely under the control of the attacker.
In the messages, the victim indicated a willingness to offer the attacker a 10% bounty in return for returning the remaining 90% of the funds and avoiding prosecution. The victim stated:
On May 9, at 11:37 am UTC, another account ending in 72F1 responded by sending 51 Ether (ETH) (worth $153,000 at the current price) to the victim. It was discovered that 72F1 had also received funds from FakePhishing327990 through several intermediate accounts, indicating that it was also under the control of the attacker.
In the transaction that sent the 51 ETH, the attacker included a message stating, “Please leave your telegram and I will contact you.” However, they quickly corrected their punctuation error at 11:43 am by posting an additional message that said, “Please leave your telegram and I will contact you.”
In response, the victim provided a Telegram username for further communication.
The negotiation took place after the attacker allegedly deceived the victim into mistakenly sending 1,155 Wrapped Bitcoin (WBTC) (worth $68 million at the time) to their account through an “address poisoning” transaction.
Blockchain data reveals that on May 3, at 09:17 am, the attacker used a smart contract to transfer 0.05 of a token from the victim’s account to their own. The token was listed on Etherscan only as “ERC-20,” with no specific name. Normally, an attacker cannot move tokens out of another user’s account without that user’s consent. In this case, however, the token contract had a custom design that allowed transfers without the holder’s consent.
At 10:31 am on the same day, the victim mistakenly sent 1,155 WBTC to this address. It is possible that the address appeared similar to one the victim had previously used to deposit funds into a centralized exchange or for some other purpose.
Furthermore, the victim may have been influenced by the fact that they previously sent 0.05 of a token to this address, assuming it was safe. However, it was actually the attacker who had sent the 0.05 tokens, making them appear as if they were from the victim.
When an attacker tries to confuse victims by sending transactions that appear to come from the victims themselves but are actually initiated by the attacker, it is known as an “address poisoning attack.” Security experts advise users to carefully inspect the full address they are sending to, not just its first and last characters, before confirming a transaction, to avoid falling victim to these types of attacks.
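As an added illustration (not code from the article or from any wallet or explorer), the following Python check applies the pattern described above to a constructed wallet history: a destination that resembles an address the owner genuinely paid, yet only appears in the history through transfers the owner never signed, is flagged as a likely poisoned entry. All addresses, names and history entries are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (not the real ones from the incident).
VICTIM = "0x1e227979f0b5bc691a70deaed2e0f39a6f538fd5"
EXCHANGE_DEPOSIT = "0xd9a1b0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5da6d"   # genuinely used
POISON = "0xd9a1deadbeef0000000000000000feed0000da6d"             # same prefix/suffix
ATTACKER_EOA = "0xaaaa" + "0" * 35 + "1"                           # signed the poison tx

@dataclass
class Transfer:
    tx_sender: str    # account that actually signed the transaction
    token_from: str   # "from" field of the token Transfer event
    token_to: str     # "to" field of the token Transfer event
    value: float
    token: str

# Constructed history: one real deposit, then an unsolicited 0.05 transfer whose
# event claims to come from the victim although the attacker signed the tx.
SAMPLE_HISTORY = [
    Transfer(VICTIM, VICTIM, EXCHANGE_DEPOSIT, 0.5, "WBTC"),
    Transfer(ATTACKER_EOA, VICTIM, POISON, 0.05, "ERC-20 (unnamed)"),
]

def looks_alike(a: str, b: str, n: int = 4) -> bool:
    """True if two distinct addresses share the first and last n hex digits."""
    a, b = a.lower(), b.lower()
    return a != b and a[:2 + n] == b[:2 + n] and a[-n:] == b[-n:]

def genuine_destinations(history, owner: str) -> set:
    """Addresses the owner paid in transactions the owner signed themselves."""
    o = owner.lower()
    return {t.token_to.lower() for t in history
            if t.tx_sender.lower() == o and t.token_from.lower() == o and t.value > 0}

def assess_destination(history, owner: str, dest: str) -> str:
    """Classify a destination as ok / poisoning / lookalike / unknown."""
    d = dest.lower()
    trusted = genuine_destinations(history, owner)
    if d in trusted:
        return "ok"
    lookalikes = [t for t in trusted if looks_alike(t, d)]
    # History entries naming dest that the owner did not sign: injected by a third party.
    injected = [t for t in history
                if t.token_to.lower() == d and t.tx_sender.lower() != owner.lower()]
    if lookalikes and injected:
        return "poisoning"
    return "lookalike" if lookalikes else "unknown"
```

The decisive signal is the mismatch between the transaction's signer and the Transfer event's "from" field; a wallet or explorer that shows only the event fields hides it.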