$71 million worth of stolen cryptocurrencies from a recent wallet poisoning scam has been returned to the victim in a fortunate but mysterious turn of events.

The unknown attacker returned $71 million worth of Ether (ETH) tokens on May 12, after the high-profile phishing incident caught the attention of multiple blockchain investigation firms. On-chain security firm Lookonchain unpacked the details in an X post on May 13:

“SlowMist_Team released a report on this incident 3 days ago, tracking multiple attacker’ IPs possibly from Hong Kong (the use of VPNs has not been ruled out). After that, the attacker replied to the whale and returned all the funds.”

This comes as a surprising development to the attack from May 3, when an investor sent $71 million worth of Wrapped Bitcoin (WBTC) to a bait wallet address, falling victim to a wallet poisoning scam. The scammer created a wallet address with similar alphanumeric characters and made a small transaction to the victim’s account.

Related: El Salvador launches $360M Bitcoin treasury monitoring website

Like most investors, the victim validated the wallet address by matching the first and last few characters and transferred 97% of their assets to it. However, the difference would have been noticeable in the middle characters, often hidden on platforms to improve visual appeal.

White hat hacker, good samaritan, or scared thief?

Despite returning all the stolen funds, on-chain transactions leading up to the event suggest this was not the exploiter’s initial intention.

After receiving the stolen funds, the attacker immediately converted the 1,155 WBTC to approximately 23,000 ETH — a popular move by malicious hackers that can help launder stolen funds via privacy protocols and crypto mixing services such as Tornado Cash.

On May 8, the attacker started spreading the funds across over 400 crypto wallets, which ultimately ended up in over 150 separate wallets, before returning the assets.

The return of the funds came shortly after on-chain security firm SlowMist published an analysis on the attacker’s potential Hong Kong-based IPs, suggesting that the thief got scarred by the potential consequences.

The $71 million theft is only a small part of the phishing attempts associated with the WBTC tief, according to a May 10 incident report by SlowMist:

“Upon investigating this fee address, we observed that from April 19 to May 3, this address initiated over 20,000 small transactions, distributing small amounts of ETH to various addresses for phishing purposes.”

The amount of crypto stolen from hacks and scams fell to $25.7 million in April, markings the lowest historical figure since 2021 when on-chain intelligence firm CertiK started tracking the data.

Related: Ether turns inflationary for the first time since the Merge