A whale lost 1,155 Wrapped BTC (WBTC), worth $71 million, due to a phishing attack on May 3. Surprisingly, the attacker returned all the funds to the victim a week later.
On May 2, the whale spent $29.6 million DAI to buy 502 WBTC at $58,951. Later, on May 4, the victim created a new address and transferred 0.05 ETH for testing—a usual practice when moving large amounts.
As reported by Finbold, the attacker generated phishing addresses in advance and monitored users’ on-chain activities. When the victim whale was about to transfer WBTC, the attacker sent 0 ETH using a phishing address.
Victim’s transaction history. Source: Etherscan / Lookonchain
A specific phishing: Address poisoning attack
Interestingly, this attack used a technique known as “Address Poisoning,” as it poisons the victim’s transaction history. The phishing address had the same starting and ending letters as the whale’s new address.
This attack is particularly hard to spot because many crypto wallets hide the middle part of the address with “…” to improve the user interface. Moreover, users often copy addresses from transaction histories and only check the starting and ending letters.
Therefore, the whale mistakenly copied the phishing address and sent 1,155 WBTC to the attacker.
Attacker returns stolen $71 million to phishing victim
On-chain data shows that the attacker immediately converted the stolen WBTC into 22,960 ETH, possibly for money laundering purposes. Lookonchain reported the entire development of these events and summarized it in a post on X on May 12.
Attacker’s swap history. Source: Etherscan / Lookonchain
Notably, the whale tried to contact the attacker, offering a 10% bounty for returning 90% of the funds. Initially, the attacker did not respond, but as the cybersecurity company Slow Mist tracked the attacker’s IPs, possibly from Hong Kong, the attacker replied and returned all the funds.
To prevent such attacks, users should carefully check the entire address when making transfers. Saving trusted addresses in the address book and copying from there is recommended. Enabling small transaction filtering in wallets can also help filter out phishing transactions, further preserving the funds.