On Friday, May 3rd, a hacker illegitimately obtained over 70 million dollars in Bitcoin to his wallet thanks to a successful attempt of “address poisoning” against a whale.

The victim, who had mistakenly sent 1.155 WBTC to an address similar to his own, negotiated for days with the scammer through on-chain messages and on Telegram, offering a 10% bounty.

Finally, after a couple of days the hacker returned most of the stolen Bitcoins, however using ether currency as a refund.

Let’s see all the details below.

Hacker obtains 70 million dollars in Bitcoin through “address poisoning” attack on a whale’s wallet

According to reports dated May 3, 2024 from the cryptographic security company CertiK, an unlucky user would have accidentally sent a sum in Bitcoin equivalent to about 70 million dollars to a hacker’s wallet.

The whale in question was a victim of an “address poisoning” attack, which is a branch of phishing techniques that involves sending legitimate transactions to the victim using an address that is very similar (with the first and last six characters identical) to theirs.

The total loss amounts to 1,155 Wrapped Bitcoin (WBTC)

It all started on May 2nd, when the millionaire converted 29.6 million DAI into 502 WBTC, significantly increasing his Bitcoin balance, and then began transferring everything to a new wallet for obvious security reasons.

The user has sent 0.05 ETH to the new wallet, as a test transaction and to fund the gas fee (we are on the Ethereum network), when a few minutes later the hacker, noticing the on-chain movement, sends a transaction with 0 ETH to the victim using the “poisoned” address.

Often in the crypto world, many individuals, to move funds from one wallet to another, are used to copying and pasting the address from the transaction history, only checking that the initial and final part match at the time of sending the funds

At the same time, many wallet providers omit the middle part of an address in the history for the sake of UI aesthetics.

Hacker bitcoin wallet

The whale’s error, artificially induced by the hacker through this simple but at the same time effective phishing technique, cost him dearly.

At 12:31 on May 3, the unlucky user officially loses 1.155 WBTC by copying the wrong address and sending the fortune in Bitcoin to a wallet not controlled by himself.

We can only imagine his frustration when he realized the mistake, as trivial as it was decisive.

 Below are the details of the transaction reported by Etherscan:

Hacker bitcoin wallet

On-chain negotiations between hacker and victim

Immediately after detecting the victim’s error, the hacker tried to cover his tracks by fragmenting the loot into Bitcoin.

Initially, the 1,155 WBTC were sent separately to 8 different wallets, with batches ranging from 122 to 186 coins, and then further divided and spread across dozens of cryptographic wallets.

The entire stolen amount was then converted into ETH, potentially to be sent to decentralized mixers like Tornado Cash.

Hacker bitcoin wallet

The hacked whale immediately tried to contact the hacker by sending empty transactions to his address with notes inside.

The first message, breaking the ice with the expression “you won bro“, was sent on May 4th at 07:02 AM UTC, just one day after the incident.

In the message, the victim proposes to the hacker to keep a 10% as bounty, suggesting to return the 90%.

The following day negotiations continue with the victim urging his attacker to return the funds. Here is how he quotes:

“You have 24 hours until 10 AM UTC on May 6, 2024 to make a decision that, in any case, will change your life.”

In a press release, Andrei Kutin the CEO of Match Systems, the company of blockchain cybersecurity, claimed credit for the operations together with the Cryptex exchange, for participating in negotiations with the attacker who on May 5th contacted the victim asking for their Telegram nickname.

The hacker returns the majority of the funds in ETH after trying to cover his tracks

The negotiations continued on Telegram, presumably for about 5 days, before the hacker started returning the stolen amount in Bitcoin with hundreds of different transactions, the first of which was initiated on May 10th at 8:47 AM UTC.

The following day, over 225 wallet transactions were made from various accounts to send ETH to the victim’s address. The value of each transaction ranged from 29 to 67 ETH.

In total, the hacker has sent a total of 22,960 ETH, with a value of approximately 69.7 million dollars at the time of the transactions.

It seems that in the end the criminal returned more than 90% initially agreed upon.

Probably during the negotiation phase it emerged that the hacker had not managed to completely erase their tracks, while the cybersecurity company Match Systems was starting to strengthen its position.

In a Match Systems report, the platform stated that security experts were making progress in identifying who the attacker was. It stated:

The Match Systems team conducted a detailed analysis of the incident and identified several opportunities to strengthen the negotiating position for the subsequent communication with the attacker. Following negotiations with the attacker, conducted with the participation of the Match Systems cybersecurity agency […] and the Cryptex cryptocurrency exchange […], the hacker returned the entire stolen amount of 22,960 ETH to the victim. At this time, the victim has no complaints against the attacker.

All’s well that ends well. Always be careful when transferring your Bitcoin on-chain and double-check the wallet address you are sending the funds to.

Alessandro Adami
Alessandro Adami
Graduated in "Information, Media and Advertising", for over 4 years interested in the cryptocurrency and blockchain space. Co-Founder of Tokenparty, community active in spreading crypto-enthusiasm. Co-founder of Legal Hackers Civitanova marche. Information technology consultant. Ethereum Fan Boy and supporter of Chainlink oracles, strongly believes that smart contracts will be central in the development of society.