Wang Chun loses Bitcoin to ‘generous’ hacker

Wang Chun, a co-founder of the major Bitcoin mining pool F2Pool, recently shared a personal anecdote from last year while sharing his opinion on a separate phishing incident that cost another person 50 million USDT. 

Unlike Wang Chun, the victim is working with law enforcement to find the hacker, but has also given the person a way out for both of them.

Wang Chun loses Bitcoin to ‘generous’ hacker 

According to Wang Chun’s post, the incident he described in his post went down sometime last year, and it differs from regular scams in that the F2Pool cofounder already suspected something was off with that wallet. 

In his post, he recalled being suspicious that one of his wallet’s private keys had been compromised. To determine if the wallet was being actively monitored by the hacker, Wang Chun claims he deliberately sent in 500 BTC. 

Why he sent such a large amount is beyond anybody, but it could be that he needed a big enough bait to elicit a response from the hacker monitoring the wallet. Well, he got what he was looking for because immediately the funds hit the wallet, the hacker got busy. 

However, according to Wang Chun, this hacker was not completely greedy and only drained 490 Bitcoins, leaving 10 behind, which caused Wang to sarcastically tag the attacker “generous.” He joked that they could have drained the entire account but chose to leave enough for his “bread and butter.”

Wang’s post makes it clear that this was not a traditional exploit or accidental loss; it was him intentionally probing to eliminate doubt. And he was right. Although it cost him 490 Bitcoins. 

Wang shared the hacker’s address, “14H12PpQNzrS1y1ipjF4mPuVgQEpgfGA79,” for reference, but did not say anything about tracking the hacker down or attempting to recover the stolen funds. 

In the comment section, users commented with confusion and skepticism. They wanted to know why he had to test his suspicion with such a large amount. Some even implied he was just trying to play it cool and that he actually sent in the BTC without knowing the wallet was compromised. 

Others poked fun at him for claiming he needed 10 BTC for “bread and butter.” 

Did someone lose $50 million to phishing?

Wang Chun shared the story of his ordeal last year in response to posts about a phishing incident that occurred on December 20, where Cryptopolitan reported that the victim lost up to 50 million USDT. 

The F2Pool co-founder called the event regrettable, as he hoped the user would get his funds back. The funds were lost after the affected user mistakenly sent nearly $50 million in USDT to a scam address in what has been tagged a classic address poisoning attack.

According to on-chain investigator Web3 Antivirus, the victim lost 49,999,950 USDT after copying a malicious wallet address from their transaction history. The user was actually cautious, according to on-chain data, as they initially sent a small test transaction of $50 to the correct address. 

However, the scammer immediately spoofed a wallet with the same first and last four characters, then carried out an address poisoning attack. This worked because many wallets hide the middle part of the address with “…” to make the UI look better.

Most of CT is used to this, and many users will often copy the address from transaction histories, usually only checking the starting and ending letters. The victim was no different. 

When transferring the remaining 49,999,950 $USDT, the victim copied the fake address from his transaction history, checked the start and ending letters, and minutes later sent the full $50 million transfer to the poisoned address. 

Security researcher Cos, founder of SlowMist, has confirmed there was indeed a similarity between the addresses, and even though it was subtle, it was enough to deceive even experienced users. “You can see the first 3 characters and last 4 characters are the same,” he wrote.

The attacker has since swapped the stolen USDT for Ether, splitting it into multiple wallets, and partially moved it into Tornado Cash. However, the affected user, unlike Wang Chun, is not letting the funds go and has worked with law enforcement to trace the hacker. 

The user has sent an on-chain message to the hacker, revealing they have filed a criminal case and, with help from law enforcement and other agencies, gathered information on the hacker’s activities. 

According to the message, the hacker has a final chance to walk away from this incident without legal consequences. The hacker is required to send 98% of the stolen funds back within 48 hours and has been advised to keep $1,000,000 for identifying the vulnerability. The offer is dependent on their immediate cooperation. 

Failure to comply, the user promises to escalate investigations and unveil the identity of the hacker while pursuing civil and criminal action until justice has been fully served. 

The ETH Community Foundation weighs in

It is not the first time such an address poisoning scam has happened, but according to the Ethereum Community Foundation, it needs to be the last time. To that end, the ECF has called for an “end to the practice of truncating addresses with dots.”

According to the foundation, all screens can now display full addresses, so hiding the middle characters only serves to create avoidable risk. 

“Wallets and block explorers continue to ship UI choices that actively undermine user safety,” the foundation wrote on X. “This is solvable.”

The smartest crypto minds already read our newsletter. Want in? Join them.