Author: Frank, PANews

In the dark forest of crypto, hackers are eyeing on-chain assets and waiting for an opportunity to strike. Among the many phishing victims, the whale who lost 1,155 bitcoins turned out to be a lucky one.

Because of the huge sum involved, the community has closely followed the development of this "phishing case". The story begins on May 3, when a whale was phished by a hacker using a lookalike address with the same leading characters as the intended recipient, and lost 1,155 WBTC, worth about $70 million. The hacker then swapped all of the WBTC for 22,955 ETH and spread it across dozens of accounts. On May 4, the victim began appealing to the hacker through on-chain messages, offering to let the other party keep 10% if the remaining 90% was returned. The two parties' ETH addresses also became a public message board, and many other addresses joined the tug-of-war over the funds. It was not until May 9 that the hacker replied, asking the victim to leave a Telegram contact and saying he would get in touch.

On May 9, the hacker began returning ETH to the victim, and eventually returned all of it. Was the hacker forced into this, or did he have a change of heart? PANews pieced together some clues from the on-chain messages.

Bounty hunters deter hackers

Since May 4, the victim had repeatedly appealed to the hacker. Besides offering the other party 10%, he stated that he had not posted anything on Twitter and advised the hacker: We all know that 7 million will definitely make your life better, but 70 million will not let you sleep well.

Unfortunately, after many such appeals there was no response from the hacker. The victim appeared to lack solid evidence of the hacker's true identity; even the SlowMist threat intelligence network could only locate a mobile base station in Hong Kong, a finding that does not rule out the use of a VPN. The hacker therefore had little to fear.

It was not until May 7 that the address 0x882c927f0743c8aBC093F7088901457A4b520000 sent a message to the victim saying: "Hello, I am one of the programmers of ChangeNow. I have access to the ChangeNow database. The hacker has used this platform many times. I can leak all his data, but I ask for a reward of $100,000 in exchange for data such as the IP address and the address of the exchange where the funds were sent. I can only provide this information; the rest is up to the police to contact the exchange and collect his personal data such as KYC and location associated with the address. If you want to pursue this case, please send a confirmation message."

Although the victim did not respond to this bounty demand, it was after this message that the hacker suddenly transferred 51 ETH back to the victim, with a note asking the victim to add his Telegram account.

Through on-chain analysis, PANews found that multiple accounts belonging to the hacker had indeed interacted with the ChangeNow exchange. The funds in the bounty hunter's address had also been withdrawn from ChangeNow. Perhaps this information hit the hacker's soft spot and made him fear the unknown informant.

ChangeNow is an exchange that hackers favour. It is generally used as a mixing tool because of its anonymity and lack of KYC requirements. PANews understands, however, that KYC is required if the platform's fiat currency exchange function is used.

However, judging from the bounty hunter's on-chain history and the message he left, his identity as a ChangeNow staff member cannot be confirmed. And judging from the on-chain records, the bounty hunter does not appear to have received the $100,000 bounty he asked for.

The real victim may be a major Bored Ape holder

On May 5, Pauly, the founder of Pond Coin and the person who exposed the PEPE founder, posed on Twitter as the victim of the lost tokens, perhaps to ride the incident for attention. PANews' analysis, however, found that Pauly was not the victim in this case.

The Telegram handle the victim left on-chain was linked to the Twitter user @BuiDuPh, described as a Vietnamese software engineer, who retweeted media reports on the incident several times afterwards. PANews tried to contact the user but received no response. By May 12, the user had deleted his Twitter account and all related content. Browsing the user's earlier Twitter activity, however, he only retweeted some related content after the incident while continuing to browse and interact heavily with other content every day; he did not look like someone who had just lost $70 million. The user may simply have been helping the token holder deal with the incident.

Through on-chain tracing, PANews found that the real owner of the lost tokens is likely to be the user @nobody_vault. Nobody_vault is a well-known NFT player and was once the largest holder of Bored Ape NFTs. He still holds 49 Bored Ape NFTs and has previously invested in the Undeads blockchain game project. According to on-chain records, the address that lost the tokens had transacted with nobody_vault's address.

The hacker didn't stop

According to on-chain data, the hacker has recently carried out about 25,000 small phishing transactions through the two addresses 0x8C642c4bB50bCafa0c867e1a8dd7C89203699a52 and 0xDCddc9287e59B5DF08d17148a078bD181313EAcC. So far, the hacker shows no sign of stopping: even after returning the 1,155 WBTC, he is still phishing with the same method. Apart from this incident, SlowMist's analysis shows the hacker has recently made more than $1.27 million using this technique.

Another user, 0x09564aC9288eD66bD32E793E76ce4336C1a9eD00, also left an on-chain message saying that the hacker has phished more than 20 addresses with this method.

Compared with the victim who lost 1,155 WBTC, however, the other users do not seem so lucky. Because the amounts were small, these phishing victims attracted no public attention. The hacker, meanwhile, appears to have escaped all legal consequences after returning the funds: not only does he remain at large, he has gone straight back to his old business.

For ordinary users, this incident is a reminder to carefully verify the full recipient address before transferring funds.
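The attack described in this article relies on a lookalike address whose leading and trailing characters match a trusted one, seeded into the victim's history through many tiny transactions, so that a copy-paste from "recent activity" picks the wrong address. The script below, an added example that is not part of the PANews article or of SlowMist's analysis, shows the two defensive checks that matter: flag counterparties in transaction history that mimic an address-book entry, and only allow a transfer when the destination matches a saved address across all 40 hex characters. All addresses, transaction records and the 4-character prefix/suffix thresholds are constructed for illustration.

```python
# Lookalike-address (address-poisoning) detector for EVM-style 0x addresses.
# Added example; every address and transaction below is constructed, not
# taken from the incident in the article.

PREFIX_LEN = 4   # hex chars after "0x" that wallets typically display (assumed)
SUFFIX_LEN = 4   # trailing hex chars typically displayed (assumed)


def normalize(addr: str) -> str:
    """Lower-case a 0x address and reject anything that is not 40 hex chars."""
    a = addr.strip().lower()
    if not a.startswith("0x") or len(a) != 42:
        raise ValueError(f"malformed address: {addr!r}")
    int(a[2:], 16)  # raises ValueError if the body is not hexadecimal
    return a


def is_lookalike(trusted: str, candidate: str,
                 prefix_len: int = PREFIX_LEN, suffix_len: int = SUFFIX_LEN) -> bool:
    """True when candidate shows the same head and tail as trusted but is a
    different address, i.e. exactly what a truncated wallet display hides."""
    t, c = normalize(trusted), normalize(candidate)
    if t == c:
        return False  # identical addresses are not impostors
    same_head = t[2:2 + prefix_len] == c[2:2 + prefix_len]
    same_tail = t[-suffix_len:] == c[-suffix_len:]
    return same_head and same_tail


def flag_poisoned_history(address_book: dict, history: list) -> list:
    """Return history entries whose counterparty mimics an address-book entry.
    Dust-value transfers from such addresses are the poisoning pattern."""
    hits = []
    for tx in history:
        for label, trusted in address_book.items():
            if is_lookalike(trusted, tx["counterparty"]):
                hits.append({**tx, "impersonates": label})
    return hits


def safe_to_send(address_book: dict, destination: str) -> bool:
    """Allow a transfer only to a destination that exactly equals a saved
    address over its full length, never on a prefix/suffix match."""
    d = normalize(destination)
    return any(normalize(t) == d for t in address_book.values())


# Constructed sample data: a saved cold wallet, an impostor sharing its first
# and last four characters, and an unrelated counterparty.
TRUSTED = "0xabcd" + "0" * 32 + "1234"
LOOKALIKE = "0xabcd" + "1" * 32 + "1234"
UNRELATED = "0x9999" + "0" * 32 + "9999"

ADDRESS_BOOK = {"cold_wallet": TRUSTED}

HISTORY = [  # constructed transaction records
    {"tx": "constructed-1", "counterparty": LOOKALIKE, "value_eth": 0.0},
    {"tx": "constructed-2", "counterparty": UNRELATED, "value_eth": 1.5},
    {"tx": "constructed-3", "counterparty": TRUSTED, "value_eth": 2.0},
]

if __name__ == "__main__":
    for hit in flag_poisoned_history(ADDRESS_BOOK, HISTORY):
        print(f"WARNING {hit['tx']}: {hit['counterparty']} impersonates "
              f"'{hit['impersonates']}' (value {hit['value_eth']} ETH)")
    for dest in (TRUSTED, LOOKALIKE):
        print(f"send to {dest}: {'allowed' if safe_to_send(ADDRESS_BOOK, dest) else 'BLOCKED'}")
```

Run against a real wallet export, the history check would surface the zero-value "dust" transfers that seed the poisoned entries, and the send check refuses any destination that was copied from that history rather than from the address book.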