Crypto Scam and Heist Takes a Twist: $71 Million Returned

In a remarkable series of events, $71 million in stolen cryptocurrencies were returned to their rightful owner following a high-profile wallet-poisoning crypto scam.

The unexpected resolution came after an unknown attacker, who had initially managed to steal the hefty sum in Ether tokens, returned the full amount on May 12. The return occurred shortly after blockchain security firms intensified their scrutiny of the incident.

The Initial Crypto Scam and Victim’s Response

The attack originally unfolded on May 3, when an investor was duped into sending $71 million in Wrapped Bitcoin (WBTC) to a deceptive wallet address set up by the scammer. This fraudulent address, crafted to resemble the victim’s legitimate one, included only minor differences in its alphanumeric characters—differences strategically placed in the middle of the address and typically obscured by user interfaces for better visual clarity.

The victim, checking only the beginning and end of the address, transferred 97% of their holdings, falling prey to the scam. The scam was first detected when the attacker made a negligible transaction to the victim’s wallet, which is a common tactic used to establish a sense of trust. The victim confirmed the legitimacy of the wallet by matching only the visible parts of the address before initiating the transfer. 

Following the Money Trail

Following the theft, the perpetrator quickly converted the stolen WBTC into approximately 23,000 ETH. The transformation of these assets is a known strategy among cybercriminals, often used to obfuscate the trail of stolen funds through privacy protocols and crypto mixing services like Tornado Cash. The laundered ETH was then dispersed across more than 400 different cryptocurrency wallets, ending up in over 150 separate wallets in a likely attempt to hide the funds’ origins.

However, the tide turned when on-chain security firm SlowMist stepped in. On May 10, SlowMist released an investigative report suggesting the attacker was operating from IP addresses potentially located in Hong Kong, though they noted the possibility that the perpetrator might have used virtual private networks (VPNs) to mask their actual location. The firm’s findings, coupled with their tracing of over 20,000 small transactions linked to the attacker’s address from April 19 to May 3, painted a comprehensive picture of the scheme, which involved distributing small amounts of ETH to various addresses for phishing purposes.

This in-depth analysis seemed to have an impact. On May 13, just a day after SlowMist’s revelations were made public, the entire stolen sum was unexpectedly returned to the victim. This move by the attacker, coming just days after the security firm’s report, suggests that the threat of exposure and the ensuing potential legal repercussions may have motivated the return of the funds. 

Trends in Crypto-Theft and Security

The incident concludes as part of a broader trend in the crypto space, which saw a significant decrease in the amount of funds stolen through hacks and scams. According to on-chain intelligence firm CertiK, in April 2024, the total losses from crypto-related hacks and scams reached their lowest point since 2021, with a combined figure of approximately $25.7 million, according to blockchain security firm CertiK. This figure represents a 141% decrease from the previous month. The breakdown of these losses included roughly $4.3 million from exit scams, $129,000 from flash loan attacks, and $21 million from various exploits.

Looking at broader trends, the first quarter of 2024 saw the cryptocurrency industry losing $336 million to hacks and fraud, as reported by security platform Immunefi. Comparatively, in 2023, the amount stolen by hackers was estimated at $1.8 billion, which was significantly lower than the $4 billion recorded in the previous year. This data highlights the fluctuating nature of security challenges within the digital currency space.