The individual responsible for the address poisoning attack that drained $68 million worth of Wrapped Bitcoin (WBTC) was identified through digital evidence, including a device fingerprint, as stated by Match Systems CEO Andrey Kutin on May 23. Kutin claims that this evidence played a crucial role in negotiating the return of the stolen funds.
According to Kutin, the attacker did not use regulated exchanges that comply with Know Your Customer and Anti-Money Laundering regulations, making it difficult to definitively prove their identity. However, investigators discovered secondary evidence suggesting that the attacker had acted negligently and had obtained the stolen funds without performing any due diligence. This evidence strengthened their position during negotiations.
The address poisoning attack, which occurred on May 5, targeted an Ethereum account starting with “0x1e.” The attacker created a fake transaction that made it appear as though the victim had willingly transferred tokens to the attacker’s address in the past. The victim therefore treated the attacker’s address as safe and sent $68 million worth of WBTC to it, a 97% loss.
However, on May 10, the attacker returned almost all of the stolen funds, leading to a near-full recovery. Match Systems claimed that this turnaround was the result of negotiations facilitated by their team, with assistance from the Cryptex cryptocurrency exchange.
In a conversation with Cointelegraph on May 23, Kutin revealed additional details about how they convinced the attacker to return the funds. The Match Systems team became aware of the attack on the day it occurred through social media accounts discussing the transfer. They decided to post a message on the Ethereum network, urging the hacker to refund the stolen funds. A third party contacted the researchers in response to this message, acting as a liaison between the victim and the team. Cryptex also joined in to help with the negotiations.
Since the attacker did not use regulated exchanges or attempt to cash out the stolen funds, it was challenging to determine their identity. However, the team traced some of the attacker’s transactions to IP addresses in Hong Kong, providing a starting point for further investigation. Match Systems was able to connect these IP addresses to other pieces of digital evidence, including a device fingerprint, which helped identify the attacker.
According to Kutin, digital evidence is crucial in catching cybercriminals today, as they rarely cash out through regulated exchanges. Instead, they use special laundering services that facilitate the exchange of crypto for cash. Match Systems focuses on finding a thin thread of digital evidence, such as IP addresses and device fingerprints, to identify scammers.
While the evidence in this case was considered secondary or circumstantial, it proved that the attacker had not conducted due diligence in determining the source of the funds. The team used this evidence during negotiations with the attacker, who eventually returned all of the funds without facing prosecution.
Address poisoning attacks are a common issue for blockchain users, and experts recommend inspecting the sending address in every transaction to avoid falling victim to such attacks.
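The attack described above works because wallets typically show only the first and last few characters of an address, so an attacker plants an address that matches a trusted one on both ends. The following added example (not code from the article or from Match Systems) implements the recommended check as a pre-send gate: a candidate recipient is accepted only if it exactly matches an address-book entry, and it is flagged when it merely shares a prefix and suffix with one. All addresses in it are constructed placeholders, not the addresses from the incident.

```python
"""Pre-send check for address-poisoning look-alikes (added example)."""
from dataclasses import dataclass

HEX = set("0123456789abcdef")


def normalize(addr: str) -> str:
    """Lower-case and validate a 20-byte hex Ethereum address."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def shared_prefix_suffix(a: str, b: str) -> tuple[int, int]:
    """Count leading and trailing hex chars two normalized addresses share."""
    a, b = a[2:], b[2:]
    pre = 0
    while pre < 40 and a[pre] == b[pre]:
        pre += 1
    suf = 0
    while suf < 40 - pre and a[-1 - suf] == b[-1 - suf]:
        suf += 1
    return pre, suf


@dataclass
class Verdict:
    ok: bool
    reason: str


def check_recipient(candidate: str, address_book: dict[str, str],
                    prefix_min: int = 4, suffix_min: int = 4) -> Verdict:
    """Allow only exact address-book matches; flag look-alikes.

    A candidate matching a trusted address on both ends but not in the
    middle is exactly what a poisoned history entry looks like in a wallet
    UI, so it is rejected with the trusted label it imitates.
    """
    cand = normalize(candidate)
    for label, trusted in address_book.items():
        t = normalize(trusted)
        if cand == t:
            return Verdict(True, f"exact match for '{label}'")
        pre, suf = shared_prefix_suffix(cand, t)
        if pre >= prefix_min and suf >= suffix_min:
            return Verdict(False, f"look-alike of '{label}': shares "
                                  f"{pre} leading and {suf} trailing chars")
    return Verdict(False, "address not in address book")
```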