The so-called Ronin bridge exploiter, which last March stole $625 million worth from crypto game Axie Infinity, sent an on-chain note to Euler’s exploiter asking it to decrypt an encrypted message. But according to the experts CoinDesk spoke with, the message was a phishing scam attempting to steal the credentials for the Euler exploiter’s wallet.
The unlikely exchange from one crypto hacker to another spurred confusion on Crypto Twitter and rang alarm bells at Euler Finance, which was already days into its own on-chain effort to recover the $200 million. Euler is a platform for borrowing and lending cryptocurrencies on the Ethereum blockchain.
The Lazarus Group is a hacker group allegedly tied to North Korea. Observers have accused Lazarus of mounting a multibillion-dollar campaign against the crypto world, the proceeds of which are said to fund North Korea's weapons program.
Euler developers continued in a separate transaction, “Do not try to view that message under any circumstance. Do not enter your private key anywhere. Reminder that your machine may be also compromised.”
The Ronin hackers’ overtures may be a thinly veiled attempt to trick the Euler hacker into surrendering the private key – and thus the crypto – they stole from Euler Finance, said Hudson Jameson, a former developer at the Ethereum Foundation. But he said the motives behind the on-chain messages remain unclear.
“In my opinion, it is unknown why they are asking, but it definitely could be an attempt to see if the Euler hacker falls for a phishing attempt," Jameson told CoinDesk.
Stephen Tong, co-founder of security audit firm Zellic.io, speculated Ronin’s purported encrypted message may well contain an “offer” for the Euler hacker, “but we can't know for sure since we can't decrypt the message without the private key.”
The on-chain drama comes as Euler Finance tries to mount its own negotiation via messages encoded on the Ethereum blockchain. It was Euler Finance’s pleas for the return of $200 million that the hacker responded to Tuesday:
“We want to make this easy on all those affected. No intention of keeping what is not ours,” the hacker wrote back to Euler Finance, seemingly ignoring the Ronin exploiter’s attempted phish. The message continued: “will communicate shortly.”
The Ronin Bridge exploiter and the Euler Finance exploiter both did not immediately return a request for comment.
Tuesday’s messages weren’t the first time the two exploiters crossed paths. On March 17, the Euler Finance exploiter sent 100 ether (ETH) to wallets connected to the Lazarus Group’s Ronin heist. It was unclear why.
The messages highlight how Ethereum can be a platform for the unlikeliest of conversations, said Jameson.
“As opposed to centralized systems that maintain control of the messaging, the Euler exploiter provides an example of new age communications and processes in response to a public smart contract exploit."
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.