Author: Frank, PANews

In the dark forest of crypto, hackers keep watch over on-chain assets, waiting for the right moment to strike. Among the many phishing victims, the whale who lost 1155 bitcoins turned out to be a lucky one.

Because of the large sum involved, the community has been closely following this "phishing case." The story begins on May 3, when a whale user fell victim to a phishing attack involving a look-alike address and lost 1155 WBTC, worth about $70 million. The hacker then swapped all of the WBTC for 22955 ETH and spread it across dozens of accounts. On May 4, the victim began calling out to the hacker through on-chain messages, asking them to keep 10% and return the remaining 90%. The victim's ETH address also turned into a public message board, with many other addresses joining the hunt for the coins. It was not until May 9 that the hacker replied, asking the victim to leave a Telegram handle and saying they would get in touch.

On May 9, the hacker began returning ETH to the victim, eventually returning all the ETH. Was the hacker compelled by pressure to make this move, or did a sense of conscience drive them? PANews has gleaned some insights from on-chain communication.

Bounty Hunter Deters Hacker

Since May 4, the victim had been calling out to the hacker multiple times, offering to give them 10% and advising them that while $7 million would surely improve their life, $70 million wouldn't let them sleep well.

Unfortunately, despite several such calls, the victim received no response from the hacker. The victim appeared to have no concrete evidence that would confirm the hacker's real identity. Even SlowMist's threat intelligence network could only trace the activity to a mobile base station in Hong Kong, without ruling out the use of a VPN. The hacker therefore remained unfazed.

It wasn't until May 7 that an address, 0x882c927f0743c8aBC093F7088901457A4b520000, messaged the victim, saying, "Hello, I am one of the programmers at ChangeNow. I have access to the ChangeNow database. The hacker has used this platform multiple times. I can leak all of their data, but I request a reward of $100,000 in exchange for such data, such as IP addresses and exchange addresses where funds were sent. I can only provide this information; the rest will be handled by the authorities contacting the exchanges and collecting the hacker's personal data, such as KYC related to the address and location. If you want to pursue this case, please send a confirmation message."

Although the victim did not respond to this bounty hunter's request, it was after this message that the hacker suddenly returned 51 ETH to the victim and asked the victim to add them on Telegram (TG).

PANews' on-chain analysis revealed that several associated accounts of the hacker did indeed interact with the ChangeNow exchange. The funds in the bounty hunter's address were also withdrawn from ChangeNow. Perhaps it was this message that hit a nerve with the hacker, making them wary of this unknown informant.

ChangeNow is a popular exchange among hackers, typically used as a mixing tool due to its anonymity and exemption from KYC requirements. According to PANews' findings, if a hacker had used the platform for fiat currency exchange, KYC would indeed be necessary.

However, based on the on-chain information and messages left by the bounty hunter, their identity as a ChangeNow staff member cannot be confirmed. Ultimately, from the on-chain data, it appears that this bounty hunter has not yet received the $100,000 reward.

Real Victim or Bored Ape NFT Holder

On May 5, PAULY, the Pond Coin founder known for exposing the identity of the PEPE founder, may have posed on Twitter as a victim who lost tokens in order to ride the wave of attention around this incident. PANews' analysis, however, showed that PAULY was not a victim of this incident.

The victim's TG handle left on-chain was linked on Twitter to a user @BuiDuPh, described as a software engineer from Vietnam. This user had been sharing media reports on the incident's progress on Twitter. PANews attempted to contact this user but received no response. By May 12, the user had deactivated their Twitter account and deleted all related content. Judging by the user's earlier Twitter activity, however, they had only retweeted some relevant content after the incident and otherwise continued to browse and interact heavily with unrelated content every day, which does not resemble the behaviour of someone who just lost $70 million. This user may simply have been helping the token holder handle the incident.

Based on PANews' on-chain tracking, the true owner of the lost tokens in this incident is likely the user @nobody_vault, a prominent NFT player and former largest holder of Bored Ape NFTs. As of now, they still hold 49 Bored Ape NFTs and had previously invested in an Undeads blockchain gaming project. On-chain data shows significant transactions between the lost token address and nobody_vault's address.

Hacker Continues Unabated

On-chain information shows that this hacker has recently sent approximately 25,000 small phishing transactions from the addresses 0x8C642c4bB50bCafa0c867e1a8dd7C89203699a52 and 0xDCddc9287e59B5DF08d17148a078bD181313EAcC. The hacker shows no sign of stopping: even after returning the 1155 WBTC to the victim, they continue to phish with the same method. Beyond this incident, SlowMist's analysis indicates that the hacker has recently profited more than $1.27 million through this method.

Another user, 0x09564aC9288eD66bD32E793E76ce4336C1a9eD00, left a message on-chain indicating that the hacker had phished over 20 addresses using this method.

However, unlike the victim who lost 1155 WBTC, other users seem to be less fortunate. Due to the smaller amounts involved, these small-scale phishing victims have not garnered public attention. After returning the funds, the hacker seems to have evaded all legal responsibilities, continuing their illicit activities freely.

For ordinary users, this incident is a reminder to verify the full destination address, not just its first and last characters, before making a transfer.
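The advice above can be turned into a mechanical check. The following is an added example, not code from PANews or from any party in the article: it keeps a small address book of trusted counterparties, refuses a transfer whose destination only matches a trusted entry on its leading and trailing characters, and flags small inbound transfers that arrive from such look-alike addresses. All addresses, labels and transfer values below are constructed placeholders; the `head`/`tail` lengths are assumptions, since wallets truncate addresses differently.

```python
"""Destination-address verification against an address book (added example)."""
import re
from dataclasses import dataclass

# An Ethereum-style address: 0x followed by exactly 40 hex characters.
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Reject anything that is not a 20-byte hex address and lower-case it for comparison."""
    addr = addr.strip()
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def looks_alike(a: str, b: str, head: int = 6, tail: int = 4) -> bool:
    """True when a and b differ but share the same leading `head` and trailing `tail` hex digits.

    This is exactly what a truncated wallet display ("0x123456...5678") cannot distinguish.
    """
    a, b = normalize(a), normalize(b)
    return a != b and a[2:2 + head] == b[2:2 + head] and a[-tail:] == b[-tail:]


@dataclass
class Verdict:
    ok: bool
    reason: str


def check_destination(dest: str, address_book: dict[str, str]) -> Verdict:
    """Allow a transfer only on an exact, full-length match with a trusted entry."""
    dest_n = normalize(dest)
    for label, known in address_book.items():
        if dest_n == normalize(known):
            return Verdict(True, f"exact match with trusted entry '{label}'")
    for label, known in address_book.items():
        if looks_alike(dest_n, known):
            return Verdict(False, f"look-alike of '{label}': only leading/trailing characters match")
    return Verdict(False, "address is not in the address book")


def flag_lookalike_dust(inbound, address_book: dict[str, str], max_value_wei: int):
    """Return inbound transfers that are both tiny and sent from a look-alike of a trusted address.

    `inbound` is an iterable of (sender, value_wei) tuples, e.g. from an explorer export.
    """
    flagged = []
    for sender, value in inbound:
        if value > max_value_wei:
            continue
        for label, known in address_book.items():
            if looks_alike(sender, known):
                flagged.append((sender, value, label))
                break
    return flagged


# --- constructed sample data (placeholders, not addresses from the article) ---
COLD_WALLET = "0x1234567890abcdef1234567890abcdef12345678"
# Same first six and last four hex digits as COLD_WALLET, different middle.
LOOKALIKE = "0x123456" + "ff" * 15 + "5678"
UNRELATED = "0x" + "ab" * 20
BOOK = {"cold wallet": COLD_WALLET}

SAMPLE_INBOUND = [
    (LOOKALIKE, 1),              # 1 wei "dust" from the look-alike: flagged
    (UNRELATED, 1),              # dust, but resembles nothing trusted: ignored
    (COLD_WALLET, 10**18),       # a real 1 ETH transfer from the trusted wallet: ignored
]

if __name__ == "__main__":
    for dest in (COLD_WALLET, LOOKALIKE, UNRELATED):
        print(dest, check_destination(dest, BOOK))
    print("flagged dust:", flag_lookalike_dust(SAMPLE_INBOUND, BOOK, max_value_wei=10**15))
```

The point of the `looks_alike` check is that a look-alike address is only dangerous once it has appeared in your history; a wallet that auto-completes or copies from recent transactions will happily offer it. Comparing the full 40 hex characters against a stored address book, rather than the truncated form a UI shows, removes that ambiguity.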