Refund of $70M ‘address poisoning’ scam ongoing, over 50% returned

The victim of a $70 million ‘address poisoning’ scam is in the process of being refunded, following on-chain negotiations with the perpetrator.

At the time of writing, over half of the funds (14,500 ETH, worth $43.5M) have been returned to the victim’s Ethereum address.

Beginning at around 8AM UTC, almost exactly a week after the initial loss of 1155 WBTC, transactions of between 25 ETH ($75k) and 50 ETH ($150k) began to stream into the victims address. The transfers came directly from the hundreds of addresses into which the attacker had previously dispersed the stolen funds.

Address poisoning is a method scammers use to trick crypto users into sending funds to an address which appears almost identical to one they have interacted with previously.

As crypto security firm SlowMist’s report explains, the attack requires pre-emptively generating thousands of addresses, before monitoring blockchain transactions for potential targets. Scammers then send ‘dust’ transactions (of negligible value) from an address which has matching leading and trailing characters, in order to ‘poison’ the victim’s transfer history.

Once the trap is set, the attackers rely on the victim accidentally copy-pasting the malicious address from a wallet or block explorer, inadvertently sending funds directly to the scammer.

Read more: Crypto security firms more concerned with social media clout than the details

In this case, once the attack had proved a success, the resulting 1,155 WBTC were swapped to 22,955 ETH, before being layered into hundreds of further addresses.

The day after making their costly error, the victim sent a message to the scammer via Ethereum’s input data messaging system:

“You won bro.
Keep 10% to yourself and get 90% back.
Then we’ll forget about that.
We both know that 7m will definetely make your life better, but 70m won’t let you sleep well.”

Read more: Here’s what on-chain messages reveal about the $200M Euler Finance hack

The victim kept up the pressure the following day, sending three more messages and setting a deadline for the ‘bounty’ offer.

In SlowMist’s report, published Wednesday, the firm identified previous attacks carried out by the perpetrator as well as an exchange address, OTC desks and IP addresses connected  to their activities (though, as SlowMist points out, these may be simply be VPN addresses). 

Yesterday, the scammer sent an on-chain message asking for the victims’s Telegram handle along with 50 ETH, seemingly a gesture of good faith. From there, negotiations went off-chain.

Earlier today, the refund process began. Over half of the stolen amount has so far arrived over the course of more than 200 transactions, following the victim’s confirmation of receipt of the first batch.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on XBluesky, and Google News, or subscribe to our YouTube channel.