On Monday, March 13, the year’s largest crypto hack so far occurred. Almost $200 million was stolen from decentralized lending protocol Euler Finance — on-chain messages show how negotiations with the hacker took place.
The attack was devastating to the Ethereum-based platform, whose total value locked (TVL) dropped by over 95%, as well as other DeFi projects which had funds tied up in Euler, such as Angle and Balancer.
Over the past few days, the hacker has returned the majority of stolen assets, communicating in part via transaction input data which is publicly visible on blockchain explorers such as Etherscan.
The hacker’s intention to return the funds was not always clear, however.
Immediately following the hack, blockchain security researchers linked the attacker’s address to a previous exploit on Binance’s BNB Chain, and 100 ETH (worth $170,000 at the time) was deposited into crypto-mixer Tornado Cash.
A few hours later, the Euler team reached out to the hacker’s address with the following message: “We understand that you are responsible for this morning’s attack on the Euler platform,” they wrote. “We are writing to see whether you would be open to speaking with us about any potential next steps.”
Prospects of this being a whitehat hacker willing to return the funds were looking bleak. Another 1,000 ETH was sent to Tornado Cash via an intermediary address, with a further 2,500 ETH queued up and still sitting in the account. Perhaps most worryingly, 100 ETH was sent to an address attributed to North Korean state-sponsored hackers, hinting at a possible link with the Lazarus Group, which was responsible for last year’s $600 million Ronin Bridge hack.
It also became clear that the Euler hacker was no friend of the Ronin exploiter, whose address responded with what appeared to be a phishing message: a link to a compromised message-decryption app.
The Euler team quickly sent a message to warn the hacker, knowing that if the Lazarus Group got hold of the funds, they wouldn’t be seeing a penny: “Do NOT use the suggested decryption tool,” they said. “It has an old version of ellyptic, which has a vulnerability.”
Euler hacker returns most of stolen funds
Eventually, five days after the initial attack, the hacker began to return some of the stolen funds, starting with 3,000 ETH (worth approximately $5.3 million at the time). Euler’s response reiterated its standing offer: return 90% of the stolen assets and the bounty on the attacker’s identity would be withdrawn:
“Thank you for returning a portion of the assets. The original offer still stands if you would like to continue by returning the funds. The reward for information will be removed immediately and all our investigations will be dropped,” the team promised.
Two days later, the first confirmation came of the hacker’s intentions to return the funds: “We want to make this easy on all those affected. No intention of keeping what is not ours. Setting up secure communication. Let us come to an agreement.”
An email address was sent to the Euler team in order to continue contact in private, and then on March 25, 51,000 ETH ($89 million) was returned. The remaining DAI and ETH were spread out over a number of addresses, but as of yesterday the majority has been returned to Euler.
The hacker is still in control of substantial quantities of stolen tokens. Their latest messages hint at troubles with off-chain communication, but assure their intentions are still to return what remains: “The rest of the money will be returned ASAP. I only look after my safety, and that is the reason for the delay. I’m sorry for any misunderstanding. Please read my next message.”
However, the hacker came across as increasingly desperate: “Jacob here. I don’t think what I say will help me in any way but I still want to say it. I f***ed up. I didn’t want to, but I messed with others’ money, others’ jobs, others’ lives. I really f***ed up. I’m sorry. I didn’t mean all that. I really didn’t f***ing mean all that. Forgive me.”
Perhaps they are simply playing for time, or maybe the attacker’s veil of anonymity has slipped since moving their communications to email.
On-chain messages are a way for users to interact without revealing anything more than the sending address. That is not the same as anonymity: a core technique used by crypto investigators involves linking blockchain addresses to screen names, exchange accounts, email addresses, and social media, as in the case of Avraham Eisenberg, who exploited Mango Markets in October and was arrested in December.
However, on-chain messages can also be a useful tool. Each message is signed by the sending key and visible to everyone, so both sides can be sure which address they are talking to, and in an industry well-known for scams and phishing, whitehat hackers can use these signed, publicly verifiable messages when organizing a rescue of hacked funds, as in the case of 2021’s Poly Network hacker, who was subsequently offered the role of chief security advisor and awarded a $500,000 bounty by the affected protocol.
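The messages quoted above travel as the `input` (calldata) field of an ordinary transaction: the wallet hex-encodes UTF-8 text where a contract call would carry a function selector and ABI-encoded arguments, and an explorer simply decodes it back. The script below is an added example written for this page, not code from Euler, the attacker, or any explorer. It encodes and decodes messages in that form, skips calldata that is a real contract call rather than text, and triages a constructed thread the way the Euler team would have needed to: labelling which address each message came from and flagging any message that carries a link, which is exactly how the Ronin address’s “decryption tool” should have stood out. All addresses, hashes and message texts are constructed for the example.

```python
"""Decode and triage on-chain text messages carried in transaction calldata.

Added example; the sample addresses, hashes and texts below are made up and
are not the real Euler or attacker addresses.
"""
import re
from typing import Optional

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

# Constructed addresses for the two sides of the negotiation.
OWN = "0xAAAA000000000000000000000000000000000001"          # the protocol team
COUNTERPART = "0xBBBB000000000000000000000000000000000002"  # the exploiter
THIRD_PARTY = "0xCCCC000000000000000000000000000000000003"  # someone else


def encode_message(text: str) -> str:
    """Encode a UTF-8 message the way a wallet puts it in the tx 'input' field."""
    return "0x" + text.encode("utf-8").hex()


def decode_message(input_hex: str) -> Optional[str]:
    """Return the calldata as text if it is a printable UTF-8 message, else None.

    Contract calls (a 4-byte selector followed by ABI-encoded arguments) almost
    never decode to printable text, so they are reported as None rather than
    as garbage.
    """
    body = input_hex[2:] if input_hex.lower().startswith("0x") else input_hex
    if not body:
        return None
    try:
        text = bytes.fromhex(body).decode("utf-8")  # strict: bad bytes raise
    except ValueError:  # odd-length/non-hex input, or UnicodeDecodeError
        return None
    if not text.strip() or not all(ch.isprintable() or ch in "\n\r\t" for ch in text):
        return None
    return text


def triage_thread(txs, own: str, counterpart: str):
    """Label every text message in a list of txs by sender and attach warnings.

    Anything not sent by `own` or `counterpart` is a third party, and any link
    in a message is flagged, since a "tool" link is the classic phishing move.
    """
    results = []
    for tx in txs:
        text = decode_message(tx["input"])
        if text is None:
            continue  # value transfer or contract call, not a message
        sender = tx["from"].lower()
        if sender == own.lower():
            origin = "us"
        elif sender == counterpart.lower():
            origin = "counterpart"
        else:
            origin = "third_party"
        warnings = []
        urls = URL_RE.findall(text)
        if urls:
            warnings.append("contains link(s): " + ", ".join(urls))
        if origin == "third_party":
            warnings.append("sender is not the negotiating counterpart")
        results.append({"hash": tx["hash"], "from": tx["from"], "origin": origin,
                        "text": text, "warnings": warnings})
    return results


# Constructed sample thread in the shape an explorer API returns transactions.
SAMPLE_TXS = [
    {"hash": "0x01", "from": OWN, "to": COUNTERPART,
     "input": encode_message("We are writing to see whether you would be open "
                             "to speaking with us about any potential next steps.")},
    # An ERC-20 transfer(address,uint256) call: selector a9059cbb + two words.
    {"hash": "0x02", "from": COUNTERPART, "to": THIRD_PARTY,
     "input": "0xa9059cbb" + "00" * 64},
    {"hash": "0x03", "from": THIRD_PARTY, "to": COUNTERPART,
     "input": encode_message("Decrypt my message with https://example.invalid/decrypt-tool")},
    {"hash": "0x04", "from": COUNTERPART, "to": OWN,
     "input": encode_message("Setting up secure communication. Let us come to an agreement.")},
]

if __name__ == "__main__":
    for entry in triage_thread(SAMPLE_TXS, OWN, COUNTERPART):
        print(f"{entry['hash']} [{entry['origin']}] {entry['text']!r}")
        for w in entry["warnings"]:
            print("   WARNING:", w)
```

Explorers such as Etherscan expose the same decoding interactively (the input field can be viewed as UTF-8), which is why these negotiations were readable by anyone following the addresses. The sender check is the useful part: the transaction signature ties a message to an address, but nothing ties a link inside it to anything trustworthy.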