Ethereum-based lending protocol Euler Finance may be one step closer to recovering funds stolen in last week's $196 million flash loan attack, and has now begun private discussions with the attackers.
In an on-chain message to Euler on March 20, days after sending the funds to a red-flagged North Korean address, the exploit claimed they now wanted to “make a deal” with Euler. "We want to make it easy for everyone affected. No intention of keeping something that doesn't belong to us. Set up secure communications. Let's make a deal," the exploiter said.
A few hours later, Euler replied to his own on-chain message, acknowledging the message and asking the exploiter to chat "in private", stating: "Message received. Let's discuss privately on blockscan with the Euler Deployer address and one of your EOAs, a signed message via email contact@euler.foundation or any other channel of your choice. Answer your preferences."
Euler had previously attempted to strike a deal with the exploiters after the exploit, insisting that they return 90% of the stolen funds within 24 hours or risk legal consequences.
There was no response, and 24 hours later, Euler launched a $1 bounty reward for any information that would lead to the exploiter being caught and the funds returned. While the identity of the exploiters is unclear, recent language used by the exploiters may indicate that more than one person was involved.
In a March 17 tweet, blockchain analysis firm Chainalysis said that a recent transfer of 100 ether (ETH) to a North Korea-linked wallet address could mean the hacker was "North Korea" the work of the Democratic People's Republic of Korea. .
However, it may also have been designed to mislead investigators, the company said. Other transactions from the exploiter's wallet address included 3,000 ETH, which was sent back to Euler Finance on March 18, along with funds sent to crypto mixer Tornado Cash, even the apparent victim of the exploit. On March 20, another address contacted Euler on-chain, claiming to have found a "reliable chain of connections" that would help them figure out who is who and where the exploit is.
