The hacker who syphoned almost $200 million from DeFi protocol Euler Finance earlier this month has returned around 84% of the stolen funds and, in his latest public message today, begged for forgiveness.
After an initial message earlier saying that the “rest of the money will be returned ASAP,” the hacker revealed himself as someone called Jacob.
“Jacob here. I don’t think what I say will help me in any way but I still want to say it. I fucked up,” the hacker wrote. “I didn’t want to, but I messed with others’ money, others’ jobs, others’ lives. I really fucked up. I’m sorry. I didn’t mean all that. I really didn’t fucking mean all that. Forgive me.”
These messages, in addition to earlier ones using the pronoun “we,” suggest the hacker is more than one person, or an individual trying to give the appearance that multiple people are involved.
However, others have pointed out that such messages could be a tactic for the hacker to further obfuscate their identity.
Michael Bentley, CEO of Euler Labs that maintains Euler Finance, told DL News that negotiations are “still ongoing” but declined to specify what those negotiations are about. “That’s all I can say for now,” he said.
Wallets controlled by the hacker hold around 11,600 ETH and 13.8 million of the dollar-pegged DAI stablecoin.
After a fragmented back and forth via on-chain messages – text inscribed on blockchain transactions – spanning weeks, Euler has recovered $176 million worth of crypto across more than a dozen transfers by the hacker.
“We want to make this easy on all those affected. No intention of keeping what is not ours. Setting up secure communication. Let us come to an agreement,” the hacker said publicly on March 20.
Before the hack, users had deposited approximately $263 million into Euler. Now, less than $10 million remains.
But despite eventually returning the majority of the stolen funds, law enforcement agencies, who were reportedly working with Euler, may continue pursuing the hacker for a different reason.
That’s because the hacker sent 100 ETH, worth approximately $170,000 at the time, to a wallet controlled by the state-sponsored North Korean crime syndicate Lazarus Group on March 17.
Natalia Aguilar, a regulatory lawyer at law firm Freeths, told DL News that by sending money to the North Korean-controlled wallet the hacker had breached international sanctions, a crime “treated with the utmost seriousness by the authorities.”
“Penalties can include fines, from thousands to millions per breach, and / or imprisonment of individuals involved,” Aguilar said, adding that given the difficulties the crypto market has faced in recent months, “law enforcement will be keen to show that such actions will not be tolerated.”
After the hacker sent funds to a North Korea-tied wallet, some in the DeFi community speculated that Lazarus Group may, in fact, be behind the exploit.
But that theory was mostly ruled out after the hacker started returning funds – something uncharacteristic of Lazarus Group.
Another action uncharacteristic of a hacker took place on March 16, when they gave 100 ETH to a victim who sent an on-chain message asking for his funds back.
DL News identified the victim as an Ethereum developer from Argentina. He said he wasn’t behind the exploit and that the hacker “was probably moved by my message,” as the reason he alone was made whole after the hack.
NOW READ: Euler hack victim who got 100 ETH: ‘He was probably moved by my message’
The already tense situation has not been without additional drama.
On March 25, one of the hacker’s wallets containing $10 million DAI sent an on-chain message offering to “give up every fucking thing about the hacker for 15%.” Minutes later, another message came through, this time offering the same information for “10% like offered.”
The same wallet also sent a message including a public temporary email address. “Euler exploiter 3 here.. please just email xxxyyy990@umail.edu.pl .. will reply with info ASAP.. don’t care about bounty,” the message read.
What a turn of events to the Euler Finance saga!
— Dedaub (@dedaub) March 25, 2023
One attackers is trying to collaborate, but they are using an unsecure temp email! pic.twitter.com/KBcY6n9V4K
Several people pointed out that the hacker’s inbox is a temporary account and could be accessed by anyone. The hacker deleted all received messages and stopped using the address. DL News had reached out to the hacker before this surfaced but did not receive a response.