Munchables Hacker Returns $62.8 Million in Ethereum

In a notable twist in the world of cryptocurrency and blockchain games, a developer of the Ethereum-based non-fungible token (NFT) game Munchables has, after nearly eight hours of indecision, decided to return $62.8 million in stolen Ethereum to give.

This incident, which did not involve a ransom demand, followed a hack on March 26 around 9:30 PM UTC in which more than 17,400 ETH was stolen from the GameFi app.

Immediate action taken

The Munchables team, working with blockchain researchers such as PeckShield and ZachXBT, took immediate action by tracking the movements of the stolen funds in an attempt to recover them. The investigation revealed that the exploit was due to the Munchables team’s hiring of a North Korean developer, operating under the alias “Werewolves0943.”

In the early hours of March 27 at 04:40 UTC, Munchables managed to reveal the hacker’s identity as one of their own developers. After an hour of negotiations, the developer in question agreed to return the stolen resources. Munchables released an official statement confirming that the developer had handed over all relevant private keys needed to recover user funds, including a key worth $62,535,441.24 USD, another containing 73 WETH, and the owner key for the rest of the funds.

The developer’s action was praised by the creator of the Ethereum layer-2 blockchain Blast, known by the pseudonym Pacman, who also expressed his gratitude to ZachXBT for its support during this process. Pacman announced that the ex-Munchables developer has chosen to return the full amount without a ransom demand.

Victims advised to remain alert

While Munchables, which is built on the Blast blockchain, works with Pacman to redistribute the recovered funds, victims of the hack are advised to remain alert to official reporting to avoid possible scams.

This incident comes on the heels of another recent hack, where a hacker managed to steal approximately $24,000 from four different ParaSwap addresses, a decentralized financial aggregation (DeFi) platform. ParaSwap, with the help of white hat hackers, recovered these funds and started refunding users. The ParaSwap vulnerability, which affected 386 addresses, has now been resolved by revoking authorizations for the affected AugustusV6 smart contract. However, as of March 25, 213 addresses had yet to claim their reimbursements from the defective contract.