- A scammer has returned $9.3 million of $24 million stolen in a cyberattack last September
- The thief sent the funds back last week, seemingly out of compassion
- The scammer’s wallet currently holds just over $3 million worth of tokens after transferring the rest
A phisherman who stole $24 million in a cyberattack last September has returned nearly $9.3 million to a victim, saying he wanted to give the money back. The incident was first reported by Scam Sniffer on July 13, revealing that the scammer used the DAI stablecoin to return the funds across two separate transactions. An initial transaction on July 8 saw $5.23 million returned, followed by another transfer of $4.04 million on July 13, according to data from Etherscan. The scammer’s wallet holds just over $3 million, having moved the rest of the funds out of the receiving wallet.
ERC-20 Token Permission to Blame for Loss
On September 6, 2023, the victim lost their entire holdings of Lido Staked ETH (stETH) and Rocket Pool ETH (rETH) after the hacker stole 9,579 stETH and 4,851 rETH. The scam exploited ERC-20 token permissions, which allow third parties to spend tokens owned by others using smart contracts. Experts have previously cautioned about the dangers of approving ERC-20 allowances, warning that malicious actors could use these permissions to deploy fraudulent smart contracts.
At the time, these assets were valued at $15.5 million in stETH and $8.5 million in rETH, amounting to a total loss of $24 million.
Thief Returns Funds Out of Compassion
Scam Sniffer, who was one of the first to point out the original hack, spotted the $9.3 million return on Saturday:
đź’° The scammer returned $9.27M in DAI to the victim.
(credits: @bax1337) https://t.co/xwSASQOUis pic.twitter.com/T5vF1Ak3wo
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) July 13, 2024
The return represents 38.4% of the stolen funds based on their value on September 6. However, given the appreciation of staked-Ether, the 14,429 staked-Ether involved in the theft would now be worth approximately $47.5 million.
Onchain data indicates that the returned DAI came from an address associated with Railgun Relay, an intermediary for a privacy protocol, before being transferred back to the victim. An onchain message from the hacker was also discovered, sent from a different wallet on July 6:
Hello, I am the guy who took your money. I want to give the moneyback.
Etherscan data shows that the scammer’s wallet holds just over $3 million, primarily comprised of a shitcoin on the BNB Chain, after he moved the rest out of the receiving wallet and through mixing services.