Source: Adobe/Ilya Glovatskiy

The person(s) that attacked Lendf.Me, the lending protocol in the “decentralized finance protocol” dForce network – actually returned the money they had stolen, allegedly because they broke the number one rule in hacking: don’t reveal your identity.

As reported yesterday, Lendf.Me was attacked on Sunday and a whopping USD 25.2 million were drained from. This was done through a sophisticated – and known – reentrancy vulnerability that enables a hacker to withdraw imBTC (an Ethereum token valued at 1:1 rate with bitcoin (BTC) ) repeatedly.

Yet, in a peculiar turn of events, it seems that the attacker has returned the stolen funds. Already yesterday we saw reports that the attacker has been returning certain amounts of funds, but it wasn’t clear why this move was made. More of such reports started coming in today as well, turning out that the attacker returned all the stolen funds in the end.

Hacker returning dForce tokens? This is all quite interesting. pic.twitter.com/2ZtQb87kWF — Matthew Graham (@mattysino) April 21, 2020

As to why this person would decide to return the millions they’ve worked on stealing is still not known precisely, but there are speculations. One of the most popular theories is that the attacker actually revealed their IP address, meaning that it could be traced back to them. Jason Choi, Head of Research at Spartan Group, a blockchain advisory and investment firm, noted that the hacker left “traces of identifying info when moving the loot around,” so they have to return the funds.

“Hearing dForce hacker open to risk of dox via his vpn usage and therefore realized he may get caught,” writes Su Zhu, CEO of Singapore-based investment management firm Three Arrows Capital. This version of events may have been confirmed. Matthew Graham, CEO of the China-based advisory company Sino Global Capital, also wondered if a revealed IP address could be the cause, sharing the information reported by Cointelegraph and The Block according to which Sergej Kunz, the CEO of 1inch.exchange, which is a decentralized exchange aggregator the hacker used to exchange some of the funds, confirmed that the attacker did indeed reveal personal metadata that may lead to their arrest.

“They leaked information and public pressure made the rest!,” commented 1inch.exchange.

“The crypto community is learning what “script kiddies” are,” says independent researcher focused on blockchain, Georgios Konstantopoulos. He goes on to say that LendF.me hacker used a public exploit and without proper precautions or with a clear laundering plan. “As a result, they are forced to return funds in fear of legal recourse,” he argues.

tfw when my ethics are even lower than a hacker pic.twitter.com/ksmwTaPJqH — 찌 G 跻 じ ⚡️ 🔑 (@DegenSpartan) April 21, 2020

Source