In a fortunate and enigmatic turn of events, a victim of a recent wallet poisoning scam has had $71 million worth of stolen cryptocurrencies returned to them. The unknown attacker returned the stolen Ether (ETH) tokens on May 12, following the attention drawn to the high-profile phishing incident by multiple blockchain investigation firms. Lookonchain, an on-chain security firm, provided further details in a post on May 13.
The attack took place on May 3 when an investor fell victim to a wallet poisoning scam and sent $71 million worth of Wrapped Bitcoin (wBTC) to a bait wallet address. The scammer had created a wallet address with similar alphanumeric characters and made a small transaction to the victim’s account. Like many investors, the victim validated the wallet address by matching the first and last few characters, but failed to notice the discrepancy in the middle characters, which are often hidden on platforms for visual appeal.
Interestingly, despite returning all the stolen funds, on-chain transactions leading up to the event suggest that the attacker did not originally intend to do so. Upon receiving the stolen funds, the attacker promptly converted 1,155 WBTC to approximately 23,000 ETH, a common tactic used by malicious hackers to launder stolen funds through privacy protocols and crypto mixing services like Tornado Cash. On May 8, the attacker began distributing the funds across more than 400 crypto wallets, which eventually ended up in over 150 separate wallets before being returned.
The return of the funds occurred shortly after on-chain security firm SlowMist published an analysis on the potential Hong Kong-based IPs associated with the attacker, leading to speculation that the thief may have been scared by the potential consequences.
It is worth noting that the $71-million theft is just a small part of the phishing attempts related to the WBTC theft. According to a May 10 incident report by SlowMist, the total amount of crypto stolen from hacks and scams in April was $25.7 million, the lowest figure since 2021 when on-chain intelligence firm CertiK began tracking the data.
In an unrelated development, Ether has recently become inflationary for the first time since the Merge.