$71 million worth of stolen cryptocurrencies from a recent wallet poisoning scam has been returned to the victim in a fortunate but mysterious turn of events.The unknown attacker returned $71 million worth of Ether (ETH) tokens on May 12, after the high-profile phishing incident caught the attention of multiple blockchain investigation firms. On-chain security firm Lookonchain unpacked the details in an X post on May 13:This comes as a surprising development to the attack from May 3, when an investor sent $71 million worth of Wrapped Bitcoin (WBTC) to a bait wallet address, falling victim to a wallet poisoning scam. The scammer created a wallet address with similar alphanumeric characters and made a small transaction to the victim’s account.Related: El Salvador launches $360M Bitcoin treasury monitoring websiteLike most investors, the victim validated the wallet address by matching the first and last few characters and transferred 97% of their assets to it. However, the difference would have been noticeable in the middle characters, often hidden on platforms to improve visual appeal.White hat hacker, good samaritan, or scared thief?Despite returning all the stolen funds, on-chain transactions leading up to the event suggest this was not the exploiter’s initial intention.After receiving the stolen funds, the attacker immediately converted the 1,155 WBTC to approximately 23,000 ETH — a popular move by malicious hackers that can help launder stolen funds via privacy protocols and crypto mixing services such as Tornado Cash.On May 8, the attacker started spreading the funds across over 400 crypto wallets, which ultimately ended up in over 150 separate wallets, before returning the assets.The return of the funds came shortly after on-chain security firm SlowMist published an analysis on the attacker’s potential Hong Kong-based IPs, suggesting that the thief got scarred by the potential consequences.The $71 million theft is only a small part of the phishing attempts associated with the WBTC tief, according to a May 10 incident report by SlowMist:The amount of crypto stolen from hacks and scams fell to $25.7 million in April, markings the lowest historical figure since 2021 when on-chain intelligence firm CertiK started tracking the data.Related: Ether turns inflationary for the first time since the Merge
