WBTC address poisoner was exposed through ‘digital evidence’ — Match Systems


The address poisoning attacker who drained $68 million worth of Wrapped Bitcoin (WBTC) was exposed through “digital evidence,” including a “device fingerprint,” according to statements made on May 23 by Match Systems CEO Andrey Kutin. These pieces of digital evidence eventually strengthened the victims’ hand in negotiations and resulted in the return of all the funds, he claimed.

According to the Match Systems CEO, the attacker did not use regulated exchanges compliant with Know Your Customer and Anti-Money Laundering requirements. Therefore, researchers couldn’t prove the person’s identity definitively. However, they discovered “secondary” or “circumstantial” evidence that the person they were investigating had not practiced proper due diligence and that stolen funds had fallen into their hands due to negligence. This is what strengthened their hand in negotiations.

The $68 million address poisoning attack occurred on May 5 against an Ethereum account that begins with “0x1e.” The attacker created a fake transaction that appeared, in the victim’s transaction history, to transfer the victim’s tokens to the attacker’s address. This confused the victim into believing that the attacker’s address was safe, since it looked as though the victim had voluntarily sent funds to this address in the past.

As a result, the victim sent $68 million worth of WBTC to the attacker’s address, causing losses of 97% to the account.

However, on May 10, the attacker sent nearly all of the stolen funds back to the victim, resulting in a near-full recovery. At the time, blockchain security platform Match Systems claimed that this sudden turn of events was the result of negotiations it had facilitated between the two parties. The team claimed that the Cryptex cryptocurrency exchange had also helped with these negotiations.

Source: Match Systems

In a May 23 conversation with Cointelegraph, Match Systems’ Kutin revealed new details about how they convinced the attacker to return the stolen funds.

According to Kutin, the team first became aware of the poisoning attack on the day it happened, as multiple social media accounts began claiming that a crypto “whale” had transferred $68 million in WBTC to a new address. The team quickly realized the transfer was due to an address poisoning attack. However, the victim’s identity was unknown, and there was no obvious way to contact them.

The Match Systems team decided to post a message to the Ethereum network, addressing it to the victim. “If the hacker does not make a refund, please contact us for help,” the message stated.

In response, a “third party” contacted the Match researchers, Kutin stated. The victim did not want to identify themselves, so they used a liaison to facilitate communication. Cryptex also became involved during this period and offered to help facilitate negotiations.

The attacker did not seed their wallet with funds from a regulated exchange, nor did they attempt to cash out the stolen loot through one of these exchanges. As a result, there was no easy way to determine the attacker’s identity.

However, the team was able to trace some of the attacker’s transactions to IP addresses in Hong Kong, Kutin claimed. These addresses became the springboard for further investigation.

In a May 8 blog post, blockchain security platform SlowMist also claimed to have discovered the IP addresses. According to it, the addresses were found through SlowMist’s “intelligence network.” The IP addresses appeared to be related to “mobile stations” or cell phone towers, although SlowMist could not completely rule out the possibility that they were VPN servers.

The address poisoner’s suspected IP addresses with redacted portions. Source: SlowMist

According to Kutin, Match Systems was able to connect these IP addresses to further pieces of “digital evidence” that could be used to identify the attacker, including a “device fingerprint.”

A “device fingerprint” can include information such as the user’s operating system, processor type, memory, screen resolution, browser version, plugins and extensions, time zone settings, language preferences, installed fonts, average typing speed, and browsing habits, among other data, according to cybersecurity platform Trust Decision.


Kutin claimed that such digital evidence is the only way to catch cybercriminals in today’s environment. Attackers rarely attempt to cash out through regulated exchanges anymore. Today, there are “special laundering services” that make it easy for hackers to trade their crypto for cash.

The United States sometimes prosecutes these laundering services, but “maybe they have self-destroyed chats, and there will be nothing in their phones or their devices,” making it impossible for authorities to gather evidence against them, Kutin suggested. People have become “well educated on both sides.”

Instead of attempting to go after these laundering services, Match Systems focuses on finding a “very thin thread” of digital evidence that can be used to identify a scammer. This thin thread can include IP addresses, device fingerprints, and other “tips and tricks.”

The evidence was “secondary” or “circumstantial,” Kutin acknowledged. Since it only proved that a device was used to launder the stolen funds, it could not be tied directly to the attack itself. However, it could still prove that the person who performed the transactions had not practiced due diligence in determining the source of the funds received.

“Oh no, we received the stolen money. It’s not our stolen money,” Kutin said, mimicking what he often hears from attackers. But “you must know the very simple principle of due diligence,” he said.

The team used this evidence in negotiations with the attacker, whom it contacted with a blockchain message in an attempt to start a conversation. The end result was that the attacker returned all of the funds and has not yet been prosecuted.

Kutin acknowledged that this could be seen as a bad result since the attacker was no longer of public interest for prosecution. However, he argued that the result is better than most alternatives, as at least the victim was able to recover all of their funds. “It could be a not very good end because the criminal will go away without any punishment, but it’s not very bad for both sides,” he argued.

Address poisoning attacks are a common problem for blockchain users, although most do not result in the massive losses originally seen in this case. Experts suggest that users should inspect the sending address in every transaction to ensure they do not fall victim to this type of attack.
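The check described above can be automated on the wallet side. The following is an added example, not code from Match Systems or from the original article: it runs over a constructed transfer history in which a zero-value decoy transfer appears to go from the victim to a look-alike address, treats only addresses the wallet itself paid real value to as trusted, and flags any destination that shares the visible prefix and suffix of a trusted address but is not that address. All addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    token: str
    amount: float          # token units; 0.0 for the poisoner's decoy transfer

def mk(prefix: str, suffix: str, fill: str) -> str:
    """Build a constructed 20-byte hex address with a chosen prefix and suffix."""
    body = prefix + fill * (40 - len(prefix) - len(suffix)) + suffix
    return "0x" + body

# Constructed sample addresses (not the real ones from the incident).
VICTIM = mk("1e", "0001", "a")
EXCHANGE = mk("d8da", "ff7e", "b")   # address the victim genuinely paid before
POISON = mk("d8da", "ff7e", "c")     # attacker vanity address mimicking EXCHANGE
STRANGER = mk("9f", "1234", "d")     # never seen before

# Constructed history as a wallet would list it: the decoy shows up as a
# zero-value transfer "from" the victim to the attacker's look-alike address.
HISTORY = [
    Transfer(VICTIM, EXCHANGE, "WBTC", 0.5),
    Transfer(VICTIM, POISON, "WBTC", 0.0),
]

def looks_alike(a: str, b: str, prefix: int = 6, suffix: int = 4) -> bool:
    """Same head and tail (the parts an abbreviated UI shows) but a different address."""
    a, b = a.lower(), b.lower()
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]

def trusted_counterparties(wallet: str, history: list) -> set:
    """Only addresses the wallet itself sent real value to count as trusted.
    Zero-value or incoming transfers prove nothing, which is the poisoner's trick."""
    return {t.recipient.lower() for t in history
            if t.sender.lower() == wallet.lower() and t.amount > 0}

def classify_destination(wallet: str, history: list, dest: str) -> str:
    """'trusted', 'look-alike' (mimics a trusted address), or 'unknown'."""
    trusted = trusted_counterparties(wallet, history)
    if dest.lower() in trusted:
        return "trusted"
    if any(looks_alike(dest, t) for t in trusted):
        return "look-alike"
    return "unknown"

def poisoned_entries(wallet: str, history: list) -> list:
    """Addresses present in the history that mimic a trusted counterparty."""
    seen = {t.recipient for t in history} | {t.sender for t in history}
    return sorted(a for a in seen if classify_destination(wallet, history, a) == "look-alike")
```

Running `classify_destination(VICTIM, HISTORY, POISON)` returns "look-alike", which is the signal a wallet should surface before the user confirms a large send.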
