On-chain tracking of the 1,155 recovered Bitcoins: the victim may be a large investor in Bored Ape, and the hacker's identity is captured
By Frank, PANews
In the dark forest of crypto, hackers stare at on-chain assets and wait for opportunities. Among the many victims of phishing, the whale who was phished for 1,155 Bitcoins ultimately turned out to be a lucky one.
This "phishing case" has drawn the community's attention because of the huge amount of money involved, and every movement of the funds has been closely watched. The story begins on May 3, when a whale user was phished by a hacker using a look-alike address with matching digits and lost 1,155 WBTC, worth about $70 million. Subsequently, the hacker exchanged all the WBTC for 22,955 ETH and transferred it to dozens of accounts. On May 4, the victim began calling out to the hacker through on-chain messages, asking him to keep 10% and return the remaining 90%. In addition, the ETH addresses of the two parties briefly became a hub for exchanges, and many addresses joined in this pursuit of the coins. It was not until May 9 that the hacker replied to the victim and asked him to leave a Telegram message, saying that he would contact him.
On May 9, the hacker began returning ETH to the victim, eventually returning all of the ETH. Did the hacker make this move under pressure, or out of conscience? PANews offers some reasoning based on the messages exchanged on-chain.
A bounty hunter deters the hacker
Since May 4, the victim has called out to the hacker many times. In addition to saying that he could give 10% to the other party, he also said that he had not posted anything on Twitter, and admonished the hacker: We all know that 7 million will definitely change your life for the better, but 70 million will not make you sleep well.
Unfortunately, after many messages, there was no reply from the hacker. It seems that the victim lacked conclusive evidence to confirm the hacker's true identity; even the SlowMist threat intelligence network only located a mobile base station in Hong Kong, and that does not account for the possibility of a VPN. The hacker was therefore acting with impunity.
Then, on May 7, the address 0x882c927f0743c8aBC093F7088901457A4b520000 sent a message to the victim: "Hello, I'm one of the programmers at ChangeNow. I have access to the ChangeNow database. The hacker has used this platform many times. I can divulge all his data, but I ask for a reward of $100,000 in exchange for data such as the IP address and the address of the exchange where the funds are sent. I can only provide this information; the rest is up to the police to contact the exchanges and collect his personal data, such as KYC and location related to the address. If you want to pursue the case, please send a confirmation."
Although the victim did not respond to the bounty request from this address, it was after this message that the hacker suddenly transferred 51 ETH back to the victim, with a postscript asking to add the victim's TG account.
Through on-chain analysis, PANews found that several of the hacker's linked accounts did interact with the ChangeNow exchange, and the funds in the address of the bounty hunter who sent the message were also withdrawn from ChangeNow. Perhaps it was this message that hit the hacker's weak spot and made him wary of this unknown whistleblower.
ChangeNow is an exchange that hackers are very keen on. Conventionally, it is used as a coin-mixing tool because of features such as anonymity and exemption from KYC. According to PANews, the hacker does need KYC if they have used the fiat currency exchange function on the platform.
However, judging from the on-chain information and the message left by the bounty hunter, it cannot be confirmed that this person is a staff member of ChangeNow. In the end, judging from the on-chain information, it seems that the bounty hunter has not yet received the $100,000 bounty he wished for.
The real victim may be a large investor in Bored Ape
On May 5, PAULY, the founder of Pond Coin who exposed the identity of PEPE's founder, may have used this incident to gain a wave of popularity, claiming on Twitter that he was the victim who lost the tokens. However, an analysis by PANews found that PAULY was not a victim of the incident.
The TG information left on-chain by the victim is linked to a Twitter user, @BuiDuPh. The user's profile describes a software engineer in Vietnam, and the user forwarded media coverage of the incident many times after it happened. PANews's attempts to contact the user went unanswered, and by May 12 the user had deactivated his Twitter account and deleted all related content. But looking at the user's previous Twitter feed, the user only retweeted some relevant content after the incident and kept browsing and interacting with a large amount of other content every day. He did not look like a person who had lost $70 million, and may just have been helping the token holder deal with the incident.
By tracking on-chain information, PANews found that the real owner of the lost tokens is likely to be the user @nobody_vault. nobody_vault is a famous NFT player and was once the largest holder of Bored Ape NFTs. As of now, he still holds 49 Bored Ape NFTs, and he has previously invested in the Undeads blockchain game project. According to on-chain information, the address that lost the coins has a large number of transactions with the address of nobody_vault.
The hacker didn't stop
On-chain information shows that the hacker has recently made about 25,000 microtransactions for phishing through two addresses, 0x8C642c4bB50bCafa0c867e1a8dd7C89203699a52 and 0xDCddc9287e59B5DF08d17148a078bD181313EAcC. So far, it seems that the hacker has no intention of stopping; even after returning the 1,155 WBTC to the victim, the hacker continues to phish with this method. In addition to this phishing case, according to SlowMist's analysis, the hacker has recently made more than $1.27 million in profits through this method.
Another user, 0x09564aC9288eD66bD32E793E76ce4336C1a9eD00, left an on-chain message saying that the hacker had phished more than 20 addresses through this method.
But compared with the victim who lost 1,155 WBTC, other users don't seem to be so lucky. Because the amounts are small, these smaller phishing victims do not attract public attention. The hacker also seems to have escaped all legal responsibility after returning the funds. Not only does he continue to get away with it, he has also gone back to his old business.
For ordinary users, this incident is also a reminder to carefully confirm the address before making a transfer.
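The closing advice, confirming the address before a transfer, can be partly automated. The sketch below is an added example, not code from PANews or any wallet: it compares a recipient against a trusted address book and scans incoming transfers for tiny payments from imitation addresses. It assumes a look-alike shares the first and last four hex characters with a trusted address and that "microtransaction" means at most 10**12 wei; both thresholds and all sample addresses are constructed for illustration.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-f]{40}")

def normalize(addr):
    """Lower-case an Ethereum address and reject anything malformed."""
    a = addr.strip().lower()
    if not ADDR_RE.fullmatch(a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def is_lookalike(candidate, trusted, edge=4):
    """Different address whose first and last `edge` hex chars match (assumed rule)."""
    c, t = normalize(candidate)[2:], normalize(trusted)[2:]
    return c != t and c[:edge] == t[:edge] and c[-edge:] == t[-edge:]

def check_recipient(recipient, book, edge=4):
    """Classify a pasted recipient against a trusted address book."""
    r = normalize(recipient)
    for label, addr in book.items():
        if normalize(addr) == r:          # exact match wins over any look-alike
            return ("trusted", label)
    for label, addr in book.items():
        if is_lookalike(r, addr, edge):
            return ("lookalike", label)
    return ("unknown", None)

def flag_poisoning(history, book, dust_wei=10**12, edge=4):
    """Senders of dust-sized incoming transfers that imitate a trusted address."""
    hits = []
    for tx in history:
        verdict, label = check_recipient(tx["from"], book, edge)
        if verdict == "lookalike" and tx["value_wei"] <= dust_wei:
            hits.append((normalize(tx["from"]), label))
    return hits

# Constructed sample data (not addresses from the article).
TRUSTED = "0xd9a1" + "5f3c0e7b2a4486d1c09e3f7a6b5d2c18" + "91e7"
LOOKALIKE = "0xd9a1" + "7c2e91a0b3d4f5866a1b0c9d8e7f6a54" + "91e7"
UNRELATED = "0x" + "11" * 20
BOOK = {"exchange deposit": TRUSTED}
HISTORY = [
    {"from": LOOKALIKE, "value_wei": 0},        # dust transfer from an imitation
    {"from": UNRELATED, "value_wei": 10**18},   # ordinary incoming payment
]

if __name__ == "__main__":
    print(check_recipient(LOOKALIKE, BOOK))
    print(flag_poisoning(HISTORY, BOOK))
```

A "lookalike" verdict should block the transfer until the full address has been compared character by character against the trusted entry.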