
1,155 bitcoins traced on-chain and recovered: the victim may be a Bored Ape whale, and someone claims to hold the hacker's identity

author:MarsBit

Original author: Frank

Original source: PANews

In the dark forest of crypto, hackers watch the assets on the chain and wait for an opportunity. Among the many phishing victims, the whale who was fished for 1,155 bitcoins turned out to be the lucky one.

The story begins on May 3, when a whale was phished with an address-poisoning attack: the attacker used a look-alike address whose leading and trailing characters matched those of the intended recipient, and the victim sent 1,155 WBTC, worth about $70 million, to the wrong address. The attacker then swapped all of the WBTC for 22,955 ETH and spread it across dozens of accounts. On May 4, the victim began messaging the attacker on-chain, offering to let them keep 10% if they returned the remaining 90%. The transaction history between the two addresses turned into a public message board, with many other addresses joining the chase. On May 9, the attacker finally replied, asking the victim to leave a Telegram handle and saying they would make contact.

On May 9, the attacker began returning ETH to the victim and eventually returned all of it. Did the hacker act under pressure, or out of conscience? PANews pieced together some of the reasons from the messages exchanged on-chain.
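The messages above were exchanged the way all such "on-chain messages" are: as UTF-8 text placed in the input data of a zero-value transaction, which explorers render as "Input Data -> View as UTF-8". The following is an added example, not code from PANews or from anyone involved in the case, showing how to write such a message and how to tell message transactions apart from ordinary transfers and contract calls when reading a history back. The addresses and transactions are constructed; the only real constant is the ERC-20 `transfer` selector.

```python
"""Reading and writing on-chain messages of the kind exchanged in this case.

Added example, not code from PANews or from anyone involved in the incident.
An Ethereum "on-chain message" is simply UTF-8 text placed in the input data of
a zero-value transaction; explorers show it as "Input Data -> View as UTF-8".
The addresses and transactions below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Real 4-byte selector of ERC-20 transfer(address,uint256): the first four
# bytes of keccak256("transfer(address,uint256)").
ERC20_TRANSFER_SELECTOR = "a9059cbb"


def encode_message(text: str) -> str:
    """Return the hex input data a wallet sends to carry `text` on-chain."""
    return "0x" + text.encode("utf-8").hex()


@dataclass
class Calldata:
    kind: str                       # "transfer", "message" or "call"
    text: Optional[str] = None      # decoded message when kind == "message"
    selector: Optional[str] = None  # 4-byte selector when kind == "call"


def classify_calldata(data: str) -> Calldata:
    """Decide whether input data is an empty ETH transfer, a readable message,
    or a contract call. ABI-encoded arguments are padded with zero bytes and
    never decode as printable text, so they fall through to "call"."""
    raw = bytes.fromhex(data[2:] if data.startswith("0x") else data)
    if not raw:
        return Calldata("transfer")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return Calldata("call", selector=raw[:4].hex())
    if text and all(ch.isprintable() or ch in "\n\r\t" for ch in text):
        return Calldata("message", text=text)
    return Calldata("call", selector=raw[:4].hex())


def read_thread(txs: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Extract (from, to, message) for every message transaction, i.e. the
    'message board' view of the history between two addresses."""
    thread = []
    for tx in txs:
        cd = classify_calldata(tx["input"])
        if cd.kind == "message":
            thread.append((tx["from"], tx["to"], cd.text))
    return thread


# Constructed sample: a victim and an attacker address (not real addresses).
VICTIM = "0x" + "a1" * 20
ATTACKER = "0x" + "b2" * 20

# Constructed ERC-20 transfer(ATTACKER, 1 token with 18 decimals) calldata:
# selector + address left-padded to 32 bytes + amount as 32 bytes.
TOKEN_TRANSFER = ("0x" + ERC20_TRANSFER_SELECTOR + "00" * 12 + ATTACKER[2:]
                  + format(10**18, "064x"))

SAMPLE_TXS = [
    {"from": VICTIM, "to": ATTACKER,
     "input": encode_message("Keep 10%, return the remaining 90%.")},
    {"from": VICTIM, "to": ATTACKER, "input": TOKEN_TRANSFER},
    {"from": ATTACKER, "to": VICTIM,
     "input": encode_message("Leave your telegram, I'll contact you.")},
]

if __name__ == "__main__":
    for sender, receiver, text in read_thread(SAMPLE_TXS):
        print(f"{sender[:6]}... -> {receiver[:6]}...: {text}")
```

The printable-text check is what separates a human message from a token transfer: the ERC-20 calldata starts with byte 0xa9, which is not valid UTF-8, and its padding is zero bytes, so it is classified as a call with its selector exposed rather than mistaken for text.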

Bounty hunters deter hackers

Since May 4, the victim had repeatedly messaged the attacker. Besides offering to let them keep 10%, he said he had not posted anything on Twitter and warned: we both know that $7 million will make your life better, but $70 million will not let you sleep well.

Unfortunately, the repeated messages drew no reply. The victim apparently lacked conclusive evidence of the attacker's real identity; even SlowMist's threat intelligence network had only located a mobile base station in Hong Kong, which does not rule out a VPN. The attacker therefore remained unpunished.

Until May 7, when the address 0x882c927f0743c8aBC093F7088901457A4b520000 sent the victim a message: "Hello, I'm one of the programmers at ChangeNow. I have access to the ChangeNow database. The hacker has used this platform several times. I can divulge all his data, but I ask for a reward of $100,000 in exchange for data such as the IP address and the address of the exchange to which the funds were sent; I can only provide this information. The rest is up to the police, who can contact the exchange and collect his personal data, such as KYC and the location linked to the address. If you want to pursue the case, please send a confirmation."

Although the victim never responded to this bounty offer, it was after this message that the hacker suddenly sent 51 ETH back to the victim with a note asking for the victim's Telegram account.


Through on-chain analysis, PANews found that several addresses linked to the hacker had indeed interacted with the ChangeNow exchange, and the funds in the bounty hunter's own address had also been withdrawn from ChangeNow. Perhaps it was this information that touched a nerve and made the hacker wary of the unknown whistleblower.

ChangeNow is an exchange that hackers favor; it is commonly used as a mixing tool because it offers anonymity and does not require KYC. According to PANews, KYC is required only if the user has previously used the platform's fiat exchange function.

However, neither the on-chain data nor the bounty hunter's own message confirms that this person is actually a ChangeNow staff member. And judging from the on-chain record, the bounty hunter does not appear to have received the $100,000 bounty.

The real victim may be a big Bored Ape holder

On May 5, PAULY, the founder of Pond Coin who earlier exposed the identity of PEPE's founder, posted on Twitter that he was the victim who lost the tokens, perhaps to ride the attention around this incident. PANews's analysis, however, found that PAULY was not the victim.

The Telegram handle the victim left on-chain is linked to the Twitter user @BuiDuPh, whose profile describes a software engineer in Vietnam and who retweeted media coverage of the incident several times afterwards. PANews tried to contact the user but received no response, and by May 12 the account had been deleted along with all related content. Looking at the account's earlier timeline, it only retweeted relevant content after the incident and otherwise kept up a high volume of daily interactions with other posts, which does not look like someone who had just lost $70 million; the user may simply have been helping the token holder deal with the incident.

Based on on-chain tracing, PANews found that the real owner of the lost tokens is most likely the user @nobody_vault, a well-known NFT collector who was once the largest holder of Bored Ape NFTs. He still holds 49 Bored Apes and previously invested in the blockchain game project Undeads. On-chain data shows a large number of transactions between the address that lost the coins and nobody_vault's address.


The hacker hasn't stopped

On-chain data shows that the hacker has recently sent about 25,000 small transactions from two addresses, 0x8C642c4bB50bCafa0c867e1a8dd7C89203699a52 and 0xDCddc9287e59B5DF08d17148a078bD181313EAcC, for phishing. So far there is no sign of stopping: even after returning the 1,155 WBTC, the hacker continues to fish with the same method. Beyond this case, SlowMist's analysis shows the hacker has recently made more than $1.27 million in profit this way.


Another user, 0x09564aC9288eD66bD32E793E76ce4336C1a9eD00, left an on-chain message saying the hacker had phished more than 20 addresses with this method.

But compared with the victim who lost 1,155 WBTC, the other users have not been so lucky. Because the amounts are small, these phishing victims attract no public attention, and the hacker, having returned the funds, seems to have escaped all legal responsibility: not only getting away with it, but going straight back to the old business.

For ordinary users, this incident is a reminder to carefully verify the full recipient address before transferring, not just the first and last few characters that a wallet or explorer displays.
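The look-alike trick works because wallets and explorers truncate addresses to their first and last few characters, so a poisoned entry in the transaction history passes a glance. As an added example (not code from PANews, nor from any wallet or project), the following check compares a candidate recipient against a saved address book character by character, flags addresses that mimic a trusted one, and scans a history for the dust transactions that plant them. The addresses, the address-book labels and the dust threshold are all constructed assumptions.

```python
"""Checking a recipient address against the look-alike (address-poisoning) trick.

Added example, not code from PANews or from any wallet or project. Wallets and
explorers usually display only the first and last few characters of an address,
so a poisoner needs only those to match for a copied address to look right.
Assumes 0x-prefixed, 40-hex-character Ethereum addresses; every address and
threshold below is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate the shape and lower-case so comparison ignores checksum casing."""
    addr = addr.strip()
    if not ADDR_RE.match(addr):
        raise ValueError(f"not a well-formed Ethereum address: {addr!r}")
    return addr.lower()


def is_lookalike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True if a and b are different addresses that agree on the leading
    `prefix` and trailing `suffix` hex characters (what a truncated UI shows)."""
    a, b = normalize(a), normalize(b)
    if a == b:
        return False
    return a[2:2 + prefix] == b[2:2 + prefix] and a[-suffix:] == b[-suffix:]


def check_recipient(candidate: str, address_book: Dict[str, str]) -> str:
    """Classify an address about to be used as a recipient against trusted
    saved addresses: 'known', 'lookalike of <label>' or 'unknown'."""
    cand = normalize(candidate)
    for label, saved in address_book.items():
        if normalize(saved) == cand:
            return "known"
    for label, saved in address_book.items():
        if is_lookalike(cand, saved):
            return f"lookalike of {label}"
    return "unknown"


# Constructed dust threshold: anything below 0.001 ETH is treated as dust.
DUST_WEI = 10**15


def find_poison(history: List[Tuple[str, int]], address_book: Dict[str, str]) -> List[str]:
    """Scan (counterparty, value_wei) pairs from a tx history and return the
    zero- or dust-value counterparties that mimic a saved address: these are
    the history entries a victim copies by mistake."""
    return [cp for cp, value in history
            if value < DUST_WEI and check_recipient(cp, address_book).startswith("lookalike")]


# Constructed sample: the trusted exchange deposit address and a poisoned
# look-alike that shares its first four and last four characters.
TRUSTED = "0x1234" + "c" * 32 + "abcd"
POISON = "0x1234" + "e" * 32 + "abcd"
BOOK = {"exchange deposit": TRUSTED}

SAMPLE_HISTORY = [
    (TRUSTED, 5 * 10**18),       # a real earlier deposit
    (POISON, 0),                 # zero-value tx planted by the attacker
    ("0x" + "9" * 40, 10**18),   # unrelated counterparty
]

if __name__ == "__main__":
    print(check_recipient(POISON, BOOK))      # lookalike of exchange deposit
    print(find_poison(SAMPLE_HISTORY, BOOK))  # [POISON]
```

The prefix and suffix lengths default to four characters because that is roughly what truncated displays show; a poisoner who matches more characters raises the cost of generating the address but is caught by the same full-string comparison, which is the point of never trusting the truncated form.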