REGULATION
by
12 months ago

Address poisoning attacker agrees to negotiate, sends Ether to victim

2024-05-10




The individual responsible for a fraudulent scheme involving $68 million has reached out to the victim, expressing a desire to negotiate. 


As a gesture of goodwill, the attacker has returned $153,000 worth of Ether to the victim. However, this amount only represents a small fraction (0.225%) of the total funds that were allegedly stolen.


Analysis of blockchain data reveals that on May 5, the victim, identified by the account ending in 8fD5, sent three messages to an account ending in dA6D. 


The recipient of these messages had received funds from the attacker's account, which was labeled as "FakePhishing327990" on Etherscan, through several intermediary accounts. 


This suggests that the account ending in dA6D was likely controlled by the attacker.


The messages conveyed the victim's willingness to offer the attacker 10% of the funds as a reward and to abstain from pursuing legal action if the remaining 90% was returned. 


The victim emphasized that it would be difficult to conceal the funds and that the attacker would be traceable. 


Nevertheless, the victim officially acknowledged the attacker's entitlement to the 10% and set a 24-hour deadline, ending at 10 am UTC on May 6, 2024, for a life-changing decision to be made.


At 11:37 am UTC on May 9, another account ending in 72F1, also under the attacker's control, responded by sending 51 Ether (ETH) valued at $153,000 to the victim. 


This transaction included a message from the attacker requesting the victim's Telegram username for further communication. 


Subsequently, at 11:43 am, the attacker posted a correction to their previous message, clarifying their request for the victim to provide their Telegram username.


In response, the victim shared a Telegram username for contact purposes. The negotiation process began after the attacker allegedly deceived the victim into mistakenly transferring 1,155 Wrapped Bitcoin (WBTC) worth $68 million at the time. 


This transfer was conducted through an "address poisoning" transaction.


According to blockchain data, at 09:17 am on May 3, the attacker utilized a smart contract to transfer 0.05 of an unnamed token from the victim's account to their own. 


Normally, an attacker cannot transfer a token from another user without their consent. However, in this case, the token had a custom design that bypassed the need for user consent.


At 10:31 am on the same day, the victim unintentionally sent 1,155 WBTC to the attacker's address, possibly due to its similarity to an address previously used by the victim for depositing funds into a centralized exchange or other purposes. 


The victim may have mistakenly believed the address was safe, as they had previously sent 0.05 of a token to it. 


However, the 0.05 tokens were actually sent by the attacker and falsely appeared to originate from the victim.


When attackers attempt to confuse victims by inundating them with transactions that appear to be from the victims themselves but are actually from the attackers, security experts refer to it as an "address poisoning attack." 


To avoid costly errors resulting from these types of attacks, experts advise users to carefully examine the sending address in a transaction before confirming it.
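The check described above can be automated before a transfer is confirmed. The following is an added example, not code from the article or from any wallet: it classifies a recipient against the user's history, separating transfers the user actually signed from transfers that only list the user as sender. All addresses are constructed, and the record fields (`signer`, `from`, `to`) and the `min_edge` threshold are assumptions.

```python
# Added example. All addresses are constructed; none come from the incident.
HEX = set("0123456789abcdef")

def norm(addr):
    """Return the 40 lower-case hex digits of a 0x-prefixed address."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or not set(a[2:]) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a[2:]

def common(a, b):
    """Length of the shared leading run of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def classify(candidate, user, history, min_edge=4):
    """Classify a recipient before sending.

    history: dicts with 'signer' (account that signed the transaction) and
    'from'/'to' (parties named in the token transfer record).
    min_edge is an assumed threshold: hex digits that must match at both ends.
    """
    cand, me = norm(candidate), norm(user)
    signed, unsigned = set(), set()
    for h in history:
        if norm(h["from"]) == me:  # transfers that list the user as sender
            bucket = signed if norm(h["signer"]) == me else unsigned
            bucket.add(norm(h["to"]))
    if cand in signed:
        return "known"             # the user really sent here before
    for k in signed:
        if common(cand, k) >= min_edge and common(cand[::-1], k[::-1]) >= min_edge:
            return "lookalike"     # same visible ends, different address
    if cand in unsigned:
        return "unsigned-history"  # seen only in transfers the user never signed
    return "new"

USER = "0x" + "a1" * 20
EXCHANGE = "0xd9a1" + "5" * 32 + "91d3"  # genuine deposit address
POISON = "0xd9a1" + "c" * 32 + "91d3"    # shares first and last 4 digits
OTHER = "0x" + "b2" * 20                 # account that signed the fake transfer
HISTORY = [
    {"signer": USER, "from": USER, "to": EXCHANGE},
    {"signer": OTHER, "from": USER, "to": POISON},
]
```

With this sample history, `classify(POISON, USER, HISTORY)` returns `"lookalike"`, while the genuine deposit address returns `"known"`.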

