Crypto scammer returns $34.7 million in stolen assets after victim offers bounty
Slow Mist reported that the attacker might be invlved in other phishing attacks targeting the Tron blockchain.
The crypto scammer who stole 1,155 Wrapped Bitcoin (WBTC), equivalent to $70.5 million, has begun returning the funds, according to on-chain data.
Blockchain security firm Peckshield reported that the attacker had returned 50% of the stolen funds— approximately 11,446.87 ETH worth $34.7 million—to the victim’s address as of press time.
10% bounty
This refund comes shortly after the scammer engaged with the victim through several on-chain messages over the past day.
On May 3, an unnamed crypto trader lost 1,155 WBTC through an address-poisoning phishing scheme. These illicit schemes typically lure individuals into transferring digital assets to fraudulent addresses owned by malicious actors.
Following the theft, the attacker swiftly converted the funds into 22,956 ETH and dispersed the digital assets across “a large number of wallets” to obfuscate the trail.
However, the victim proposed offering the perpetrator a 10% bounty in exchange for returning 90% of the stolen funds, cautioning that laundering the money would prove futile.
“We both know there’s no way to clean this funds. You will be traced. We also both understand the ‘sleep well’ phrase wasn’t about your moral and ethical qualities. Nevertheless, we officially admin your right to the 10%. Send 90% back,” the victim wrote.
On May 9, the attacker sent 51 ETH, worth more than $150,000, to the victim, including a message asking the victim to provide a Telegram username where they could be contacted.
Hacker’s profile
Blockchain security firm Slow Mist suggested that the attacker might be involved in several other phishing attacks targeting the Tron and Ethereum blockchains.
The firm said it “observed that from April 19 to May 3, [an address associated with the hacker] initiated over twenty thousand small transactions, distributing small amounts of ETH to various addresses for phishing purposes.”
Slow Mist furthered that several IPs suspected to be used by the hacker originated from mobile stations in Hong Kong