The alleged address-poisoning attacker, who managed to deceive a user into sending them $68 million worth of Wrapped Bitcoin (WBTC), has returned $153,000 worth of Ether (ETH) to the victim as a gesture of goodwill. Along with the returned funds, the attacker also sent a message expressing a willingness to negotiate and requested a Telegram username for further contact. The amount returned represents just 0.225% of the total stolen funds.
Blockchain data reveals that on May 5, the victim of the attack, whose account ends in 8fD5, sent three messages to an account ending in dA6D. The recipient of these messages had received funds from the attacking account, identified as “FakePhishing327990” on Etherscan, through various intermediate accounts. This suggests that the account ending in dA6D was likely under the control of the attacker.
The victim’s messages implied a proposal to give the attacker a 10% bounty and refrain from pursuing legal action if the remaining 90% of the funds were returned. At 11:37 am UTC on May 9, another account ending in 72F1 responded by sending 51 Ether (ETH) (worth $153,000 at the current price) to the victim. This account had also received funds from FakePhishing327990 through multiple intermediate accounts, indicating its connection to the attacker.
In the transaction that transferred the 51 ETH, the attacker included a message stating, “Please leave your telegram and I will contact you.” They subsequently corrected their punctuation at 11:43 am by posting another message that said, “Please leave your telegram and I will contact you.”
In response, the victim provided a Telegram username for further communication.
The negotiation took place after the attacker allegedly tricked the victim into mistakenly sending 1,155 Wrapped Bitcoin (WBTC) (worth $68 million at the time) to their account through an “address poisoning” transaction.
Blockchain data shows that at 09:17 am on May 3, the attacker used a smart contract to transfer 0.05 units of a token from the victim’s account to their own account. The transferred token, labelled only as “ERC-20” on Etherscan, had no specified name. Normally a token cannot be moved out of another user’s account without that user’s consent; in this case, however, the token contract had a custom design that allowed it to be transferred without the holder’s permission.
Later that same day at 10:31 am, the victim mistakenly sent 1,155 WBTC to the same address. It is possible that the address appeared similar to one used by the victim to deposit funds into a centralized exchange or for another purpose.
Furthermore, the victim may have been influenced by the earlier transaction in which 0.05 tokens appeared to have been sent from their own account to the same address, leading them to assume the address was safe. Those 0.05 tokens were in fact moved by the attacker, creating a false impression.
Security experts call this tactic, in which attackers confuse victims by spamming their transaction history with transfers that appear to come from the victims themselves, an “address poisoning attack.” To avoid falling victim to these types of attacks, experts advise users to thoroughly inspect the full address they are sending to before confirming any transaction.
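As an added illustration of the defensive check described above (example code written for this article, not tooling from Etherscan or any wallet), the following Python scans a wallet’s transfer history for the poisoning pattern: a counterparty address that shares its first and last characters with a verified address but differs in the middle, especially when the transfer involves a token contract the owner never trusted. All addresses, token contracts and transaction ids are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    tx_hash: str     # constructed sample id, not a real transaction hash
    token: str       # token contract address
    sender: str
    recipient: str
    amount: float

def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when two *different* addresses share the first and last hex characters people compare by eye."""
    a, b = a.lower(), b.lower()
    if a == b:
        return False
    return a[2:2 + prefix] == b[2:2 + prefix] and a[-suffix:] == b[-suffix:]

def check_destination(dest: str, known_addresses: list) -> str:
    """'exact' for a previously verified address, 'lookalike' if it only mimics one, else 'unknown'."""
    known = [k.lower() for k in known_addresses]
    if dest.lower() in known:
        return "exact"
    if any(looks_alike(dest, k) for k in known):
        return "lookalike"
    return "unknown"

def find_poisoning_candidates(wallet, history, trusted_tokens, known_addresses):
    """Return (tx_hash, counterparty, mimicked_address, reason) for history entries whose counterparty mimics a verified address."""
    trusted = {t.lower() for t in trusted_tokens}
    findings = []
    for t in history:
        counterparty = t.recipient if t.sender.lower() == wallet.lower() else t.sender
        for legit in known_addresses:
            if looks_alike(counterparty, legit):
                reason = "lookalike" if t.token.lower() in trusted else "lookalike+unknown-token"
                findings.append((t.tx_hash, counterparty, legit, reason))
    return findings

# Constructed sample data: 42-character hex strings, not real on-chain addresses.
WALLET   = "0x1111" + "1" * 32 + "1111"   # the wallet owner
EXCHANGE = "0xd3ad" + "0" * 32 + "beef"   # verified exchange deposit address
POISON   = "0xd3ad" + "f" * 32 + "beef"   # attacker address with the same first/last characters
WBTC     = "0x2222" + "2" * 32 + "2222"   # stands in for a well-known token contract
CUSTOM   = "0x3333" + "3" * 32 + "3333"   # unnamed custom token that moved without approval
HISTORY = [
    Transfer("tx-1", WBTC, WALLET, EXCHANGE, 2.0),                # genuine earlier deposit
    Transfer("tx-2", CUSTOM, WALLET, POISON, 0.05),               # attacker-initiated poisoning entry
    Transfer("tx-3", CUSTOM, WALLET, "0x9999" + "9" * 36, 0.05),  # dust to an unrelated address
]
```

Running `find_poisoning_candidates(WALLET, HISTORY, [WBTC], [EXCHANGE])` flags only tx-2, and `check_destination(POISON, [EXCHANGE])` returns `'lookalike'`, the case a wallet should refuse to send to without an explicit full-address confirmation.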