In a surprising turn of events, a scammer who stole $24.2 million from a victim has returned $9.3 million to them. The funds were sent via two transactions using the DAI stablecoin—the first transaction occurred on July 8 and was worth $5.23 million, and the second $4.04 million on July 13.
The scammer stole these funds on September 6, 2023, through a phishing scam, siphoning away 9,579 Lido Staked Ether (stETH) and 4,850 Rocket Pool (rETH) tokens. Those tokens are worth about $47 million today. The victim granted the scammer access to their tokens by signing “increaseAllowance” transactions, a feature inherent to ERC-20 tokens. That feature allows authorized third parties to spend tokens on behalf of their owners.
Scam Sniffer documented the incident last year on X: “insane! someone lost $24.23m worth of stETH and rETH to crypto phishing 8 hours ago!” The post also provided the transaction details as visualized on Etherscan: https://etherscan.io/tx/0xcbe7b32e62c7d931a28f747bba3a0afa7da95169fcf380ac2f7d54f3a2f77913. Scam Sniffer replied to this post, mentioning, “the victim gave the token approvals to the scammer by signing ‘increaseAllowance’ transactions.” Many have debated the existence of this feature, as it allows scammers and developers with nefarious intentions to steal funds from unsuspecting users.
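Because the loss came from a signed allowance grant, a wallet-side check can decode the calldata of a pending transaction and flag such grants before the user signs. The sketch below is an added example, not code from Scam Sniffer or any wallet; the function names, the allowlist parameter, the "unlimited" threshold and the sample address are assumptions, and the sample calldata is constructed.

```python
# Added example: flag ERC-20 allowance grants in transaction calldata.
# A selector is the first 4 bytes of keccak256(function signature).
ALLOWANCE_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
# Heuristic (an assumption): amounts at or above 2**255 count as unlimited.
UNLIMITED_THRESHOLD = 2**255


def inspect_calldata(calldata_hex, known_spenders=frozenset()):
    """Describe an allowance grant, or return None for any other call.
    Raises ValueError when the calldata is malformed."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    try:
        raw = bytes.fromhex(data)
    except ValueError as exc:
        raise ValueError("calldata is not valid hex") from exc
    function = ALLOWANCE_SELECTORS.get(raw[:4].hex())
    if function is None:
        return None
    args = raw[4:]
    if len(args) != 64:
        raise ValueError(f"{function}: expected 64 argument bytes, got {len(args)}")
    # An address is right-aligned in a 32-byte word; the top 12 bytes are zero.
    if any(args[:12]):
        raise ValueError("non-zero padding in the address argument")
    spender = "0x" + args[12:32].hex()
    amount = int.from_bytes(args[32:64], "big")
    warnings = []
    if spender not in {s.lower() for s in known_spenders}:
        warnings.append("spender is not on the allowlist")
    if amount >= UNLIMITED_THRESHOLD:
        warnings.append("amount is effectively unlimited")
    return {"function": function, "spender": spender,
            "amount": amount, "warnings": warnings}


def build_sample():
    """Constructed calldata: increaseAllowance for 9,579 tokens (18 decimals)
    to a placeholder spender address."""
    spender = "00" * 16 + "deadbeef"  # constructed 20-byte address
    amount = 9579 * 10**18
    return "0x39509351" + spender.rjust(64, "0") + format(amount, "064x")


if __name__ == "__main__":
    print(inspect_calldata(build_sample()))
```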
In a more recent post, Scam Sniffer updated the crypto community about the scammer sending funds to the victim: “The scammer returned $9.27M in DAI to the victim.” However, there is no explanation for why the scammer sent a portion of the ill-gotten proceeds back to the victim. They did not leave an on-chain message explaining their action either.
While not the entire amount, the 38.4% of the stolen funds that was returned is a silver lining to the victim’s troubles, as it is better than nothing. Tracking the scammer to recover the rest of the stolen funds may prove difficult, as the transactions returning the funds via DAI occurred using a privacy protocol, obfuscating the bad actor’s fund flows.