ETH worth over $101 million had been returned to the lending protocol as of March 25. The exploiter still controls part of the stolen assets.
The hacker behind the $196 million exploit on lending protocol Euler Finance has returned the majority of the stolen assets, according to on-chain data.
In a transaction on March 25, the exploiter returned 51,000 Ether (ETH) worth around $88 million at the time of writing. A second transfer of 7,737 ETH was made on the same day, worth over $13 million. Previously, on March 18, the hacker sent 3,000 ETH to the protocol, worth nearly $5.4 million at the time. The exploiter still controls some of the stolen assets.
the euler exploiter has returned 51k ETH ($90m)— ekin (@eking0x) March 25, 2023
On March 13, the hacker carried out multiple transactions stealing nearly $196 million from the protocol in a flash loan attack, dubbed the largest DeFi hack of 2023 so far. Stolen assets include 8.8 million DAI, 849,000 wBTC, 85 million stETH, and 34 million USDC stablecoin.
A few days after the hack, the exploiter sent an on-chain message to Euler calling for an agreement with the protocol. “We want to make this easy on all those affected. No intention of keeping what is not ours. Setting up secure communication. Let us come to an agreement,” they said.
Related: Euler attack causes locked tokens, losses in 11 DeFi protocols, including Balancer
The protocol had previously tried to negotiate with the exploiter, requesting that they return 90% of the funds they stole within 24 hours, and otherwise they would face legal action. No response was received, and 24 hours later Euler offered a $1 bounty reward for any information leading to the capture of the exploiter.
Other transactions have been made by the hacker, including a transfer of 1,000 nETH, approximately $1.65 million at the time, through sanctioned crypto mixer Tornado Cash.
According to blockchain analytics firm PeckShield, around 100 ETH was sent to a wallet address likely owned by one of the victims. An on-chain message sent by the wallet address had earlier pleaded for the attacker to return their "life savings."