Munchables Hacker Returns Stolen $62.8M in Ethereum

In a dramatic turn of events, the Munchables developer responsible for siphoning $62.8 million worth of Ethereum from the Ethereum-based nonfungible token (NFT) game has opted to return the stolen funds. The saga began on March 26, at approximately 9:30 pm UTC, when Munchables reported a hack drained over 17,400 ETH from its GameFi app.

Munchables, along with blockchain investigators such as PeckShield and ZachXBT, began tracking the movements of the stolen funds. Their goal was to intercept the funds before they could be further exploited.

Munchables has been compromised. We are tracking movements and attempting to stop the the transactions. We will update as soon as we know more.

— Munchables (@_munchables_) March 26, 2024

ZachXBT claimed the exploit stemmed from the Munchables team hiring a North Korean developer known by the alias “Werewolves0943.” On March 27, 4:40 am UTC, Munchables identified the hacker as one of its developers. An hour of negotiations led the former developer to agree to return the hacked funds. In an official statement, Munchables said:

“To help recover user funds, all private keys used by the Munchables developer have been shared. Specifically, these are the key with approximately $62,535,441.24 USD, the one with WETH of 73 and lastly the owner key which keeps remaining funds.”

Community Relief as Stolen Funds Returned

The Blast blockchain’s Ethereum layer-2 developer, who goes by Pacman, thanked ZachXBT while revealing that “the ex-Munchables dev opted to return all funds in the end without any ransom required”.

$97m has been secured in a multisig by Blast core contributors. Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return all funds in the end without any ransom required. @_munchables_ and protocols integrating with it like @juice_finance…

— Pacman | Blur + Blast (@PacmanBlur) March 27, 2024

Therefore, the Munchables team will collaborate with Pacman since they built Munchables on the Blast blockchain. Additionally, victims should avoid entertaining refund scams but actively seek only official communication channels, as the attackers may have compromised these channels during the attack.

Thus, after another breach, The Munchables incident happened. A hacker stole around $24k from four individual decentralized finance (DeFi) aggregator ParaSwap addresses. Nevertheless, the protocol quickly initiated recovery processes and started compensating affected users.

White hack recovery update: Assets have been returned to wallets which have revoked their permissions

If your wallet had assets transferred to 0x66e90d840d7c4f3473e25dd8ca361747058c6db0 and have not received them yet, your wallet is still vulnerable, PLEASE REVOKE ALL RELEVANT… https://t.co/zraj3tSFNe

— ParaSwap (@paraswap) March 24, 2024

Furthermore, ParaSwap fixed the breach through friendly hackers’ intervention. They removed permissions for the AugustusV6 smart contract, which was vulnerable. According to ParaSwap, this vulnerability impacted 386 addresses. However, as of March 25, 213 addresses had yet to revoke allowances for the flawed contract.

Related Reading | Crypto Analysts Warn of Potential Bitcoin Price Drop