Match Systems Exposes WBTC Address Poisoner Via Digital Footprint

Key Insights

  • Digital evidence, including a device fingerprint, led to the identification of, and negotiation with, the $68M WBTC thief.
  • Match Systems traced transactions to Hong Kong IP addresses, providing crucial leads in recovering the stolen funds.
  • Despite the attacker avoiding regulated exchanges, Match Systems facilitated a successful negotiation to return nearly all stolen WBTC.

On May 23, Match Systems CEO Andrey Kutin disclosed that digital evidence exposed the identity of the individual responsible for the $68 million Wrapped Bitcoin (WBTC) address poisoning attack. This evidence, including a device fingerprint, ultimately played a crucial role in the return of the stolen funds. The attack, which occurred on May 5, targeted an Ethereum account beginning with “0x1e,” misleading the victim into sending their funds to the attacker’s address.

Despite the attacker avoiding regulated exchanges compliant with Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements, researchers uncovered circumstantial evidence pointing to negligence on the part of the person handling the stolen funds. This strengthened the victim’s position in negotiations, resulting in the return of nearly all the stolen funds by May 10.

Mechanism of the Attack

The attacker employed an address poisoning technique, creating a fake transaction that appeared to transfer the victim’s token back to themselves. This tactic confused the victim, leading them to believe that the attacker’s address was safe. Consequently, the victim transferred $68 million worth of WBTC to the attacker’s address, suffering a 97% loss to their account.

To communicate with the victim, who remained anonymous, Match Systems posted a message on the Ethereum network. A third party, acting as a liaison, facilitated communication between the victim and Match Systems. Cryptex, a cryptocurrency exchange, also assisted in the negotiation process.

The investigation revealed that the attacker did not use funds from a regulated exchange, making it difficult to ascertain their identity directly. However, the Match Systems team traced transactions to IP addresses located in Hong Kong. These IP addresses, discovered through SlowMist’s intelligence network, were linked to mobile stations or cell phone towers. While the possibility of VPN servers could not be ruled out, this data provided a crucial lead.


Further digital evidence, including a device fingerprint, was collected. A device fingerprint encompasses various data points such as operating system, processor type, memory, screen resolution, browser version, plugins, extensions, time zone settings, language preferences, installed fonts, typing speed, and browsing habits. This information can be instrumental in identifying cybercriminals who avoid using regulated exchanges.

Negotiations and Fund Recovery

Using the gathered digital evidence, Match Systems initiated contact with the attacker via a blockchain message, leading to negotiations. Despite the evidence being secondary or detailed, it demonstrated that the individual handling the stolen funds needed to conduct proper due diligence.

The pressure from the collected evidence and negotiations facilitated by Match Systems and Cryptex resulted in the attacker returning nearly all the stolen funds by May 10. While the attacker has not been prosecuted, the victim recovered their funds, which was considered a favorable outcome given the circumstances.

Challenges in Address Poisoning Attacks

Address poisoning attacks pose a recurring threat to blockchain users, although few have resulted in the significant losses seen in this case. To prevent such attacks, experts advise users to inspect the sending address in every transaction carefully. As blockchain technology continues to evolve, so do the methods employed by attackers. This incident underscores the importance of digital evidence in identifying and negotiating with cybercriminals.
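The address inspection advised above can be automated as a pre-send check. The following is an added example, not code from Match Systems or from the original article. It assumes the common form of address poisoning, in which the look-alike address shares its first and last characters with an address the user already trusts; the addresses, the address-book label and the function names are all constructed for illustration.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

# Constructed sample addresses (not taken from the incident).
TRUSTED = "0xd9a1" + "5f3c7e2b" * 4 + "91b6"
LOOKALIKE = "0xd9a1" + "07c4e8a2" * 4 + "91b6"   # same first/last 4 hex chars
UNRELATED = "0x" + "3c" * 20
ADDRESS_BOOK = {"cold-wallet": TRUSTED}


def normalize(addr):
    """Validate a 20-byte hex address and return it lowercased without 0x."""
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr[2:].lower()


def shared_edges(a, b):
    """Count matching characters at the start and at the end of a and b."""
    prefix = 0
    while prefix < len(a) and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < len(a) and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix


def check_destination(dest, address_book, min_edge=4):
    """Return (verdict, label): 'trusted', 'lookalike' or 'unknown'."""
    d = normalize(dest)
    book = {label: normalize(a) for label, a in address_book.items()}
    for label, known in book.items():
        if d == known:                      # full 40-character match only
            return "trusted", label
    for label, known in book.items():
        prefix, suffix = shared_edges(d, known)
        if prefix >= min_edge and suffix >= min_edge:
            return "lookalike", label       # imitates a trusted entry: block
    return "unknown", None


if __name__ == "__main__":
    for candidate in (TRUSTED, LOOKALIKE, UNRELATED):
        print(candidate, check_destination(candidate, ADDRESS_BOOK))
```

A "lookalike" verdict should stop the transfer outright, while "unknown" only means the destination is not in the address book and still needs a full character-by-character comparison against the intended recipient.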

Match Systems’ approach highlights the growing complexity of combating cryptocurrency theft. By focusing on digital traces such as IP addresses and device fingerprints, they were able to trace the attacker despite the lack of direct identification through regulated exchanges. This method proves effective in recovering stolen funds and offers a blueprint for addressing future cybercrimes in the cryptocurrency realm.

Christopher Craig