Munchables Hacker Returns Stolen $62.8M in Ethereum

Mar. 28, 2024
In a dramatic turn of events, the Munchables developer responsible for siphoning $62.8 million worth of Ethereum from the Ethereum-based nonfungible token (NFT) game has opted to return the stolen funds. The saga began on March 26, at approximately 9:30 pm UTC, when Munchables reported that a hack had drained over 17,400 ETH from its GameFi app.

Munchables, along with blockchain investigators such as PeckShield and ZachXBT, began tracking the movements of the stolen funds. Their goal was to intercept the funds before they could be further exploited.

ZachXBT claimed the exploit stemmed from the Munchables team hiring a North Korean developer known by the alias “Werewolves0943.” On March 27, 4:40 am UTC, Munchables identified the hacker as one of its developers. An hour of negotiations led the former developer to agree to return the hacked funds. In an official statement, Munchables said:

“To help recover user funds, all private keys used by the Munchables developer have been shared. Specifically, these are the key with approximately $62,535,441.24 USD, the one with WETH of 73 and lastly the owner key which keeps remaining funds.”

Community Relief as Stolen Funds Returned

Pacman, the pseudonymous developer of Blast, an Ethereum layer-2 blockchain, thanked ZachXBT while revealing that “the ex-Munchables dev opted to return all funds in the end without any ransom required.”

Because Munchables is built on the Blast blockchain, the Munchables team will collaborate with Pacman. Additionally, victims should ignore refund scams and rely only on official communication channels, as the attackers may have compromised these channels during the attack.

The Munchables incident came after another breach. A hacker stole around $24k from four individual addresses on decentralized finance (DeFi) aggregator ParaSwap. Nevertheless, the protocol quickly initiated recovery processes and started compensating affected users.

Furthermore, ParaSwap fixed the breach with the intervention of friendly hackers. They removed permissions for the vulnerable AugustusV6 smart contract. According to ParaSwap, this vulnerability impacted 386 addresses. However, as of March 25, 213 addresses had yet to revoke allowances for the flawed contract.


Rida Fatima

News writer