The CEO of Match Systems, Andrey Kutin, revealed that the attacker responsible for the $68 million address poisoning attack on Wrapped Bitcoin (WBTC) was identified through digital evidence, including a device fingerprint. Kutin stated that this evidence helped strengthen the victims’ position in negotiations and led to the return of all the stolen funds.
According to Kutin, the attacker did not use regulated exchanges that comply with Know Your Customer and Anti-Money Laundering requirements, making it difficult to definitively prove their identity. However, investigators found secondary evidence indicating that the attacker had not exercised proper due diligence and had obtained the stolen funds through negligence. This evidence played a crucial role in negotiations.
The address poisoning attack occurred on May 5 against an Ethereum account starting with “0x1e.” The attacker conducted a fake transaction that appeared to transfer the victim’s token to themselves, creating the illusion that the victim had willingly sent funds to the attacker’s address in the past. As a result, the victim sent $68 million worth of WBTC to the attacker’s address, causing a 97% loss.
However, on May 10, the attacker returned almost all of the stolen funds to the victim, resulting in a near-full recovery. Match Systems claimed that this turnaround was the outcome of negotiations facilitated by their team, with assistance from the Cryptex cryptocurrency exchange.
In a conversation with Cointelegraph, Kutin shared new details about how they convinced the attacker to return the stolen funds. The Match Systems team became aware of the attack on the day it happened, through social media accounts discussing a crypto “whale” transferring $68 million in WBTC to a new address. The team posted a message on the Ethereum network, urging the hacker to return the funds and seek their help.
A third party acting as a liaison contacted the Match researchers on behalf of the victim, who chose to remain anonymous. Cryptex also participated in facilitating negotiations. Although the attacker did not use regulated exchanges or attempt to cash out the stolen funds, the team was able to trace some of their transactions to IP addresses in Hong Kong. These IP addresses served as a starting point for further investigation.
Match Systems connected the IP addresses to additional digital evidence, including a device fingerprint, which helped identify the attacker. Kutin emphasized that such digital evidence is crucial for catching cybercriminals in today’s environment. Instead of targeting laundering services, Match Systems focuses on gathering digital evidence that can be used to identify scammers.
The evidence collected was circumstantial but showed that the person who executed the transactions had not conducted due diligence in verifying the source of the funds. The team used this evidence in negotiations with the attacker, who eventually returned all the funds. However, the attacker has not been prosecuted.
Kutin acknowledged that some may view this as an unsatisfactory outcome since the attacker escaped punishment. However, he argued that recovering all the funds is a better result than most alternatives. Address poisoning attacks are a common problem in the blockchain space, and experts advise users to carefully inspect sending addresses to avoid falling victim to such attacks.