Market maker Wintermute tells hacker to return funds or face legal action

Quick Take

  • Wintermute left an on-chain message for the hacker who stole $160 million worth of crypto from the firm.
  • It urged the person to accept a $16 million bounty reward and return the remainder of the stolen funds.

Market making firm Wintermute has sent a message over the Ethereum blockchain to the hacker who stole $160 million from the firm on Tuesday.

Sent at midnight UTC on Thursday, the message told the hacker to return the funds by end of the day, or else Wintermute would proceed to approach the authorities. It urged the hacker to accept a $16 million “whitehat” bounty reward and return the remainder of nearly $144 million to Wintermute.

“We want to cooperate with you and resolve this matter immediately. Accept the terms of the bounty and return the funds within 24 hours before September 22nd UST by 23:59 while we can still consider this a white-hat event for a 10% bounty as offered,” the message said.

The message went on to say that if the hacker returned the funds, the person would be labeled a “white hat,” a term given to ethical hackers. This points to an assurance that no legal action would be taken if the person complies with the request.

At the time of writing, the hacker has another 12 hours to accept the bounty offer. On the flip side, if the exploiter does not give back the assets (minus the bounty), the team would move to approach the “appropriate authorities and avenues,” the firm said in its on-chain message.

“If the stolen funds are not returned by the deadline, you will force us to remove our bounty offer and white-hat label; we will then proceed accordingly with the appropriate authorities and avenues,” Wintermute wrote.

Wintermute grapples with its vanity address exploit 

On Tuesday, Wintermute’s Ethereum vault, a type of crypto wallet account holding its assets in a smart contract, was drained of $160 million in various crypto assets.



The exploit occurred because the vault relied on a vulnerable admin address with a prefix “0x0000000,” which analysts say is a “vanity address.” Vanity addresses contain identifiable names or numbers within them.

Wintermute's vanity address was generated using an online tool called Profanity. A few days prior to the attack on Wintermute, a security report from 1inch disclosed that all Profanity-based vanity addresses had a critical vulnerability. This vulnerability could allow hackers to calculate their private keys using "brute force" attacks.

Wintermute used its Profanity-based address as an admin account to authenticate transactions on its Ethereum vault. Because of the same vulnerability, someone brute-forced the private key of its admin address. This gave the hacker control over Wintermute's vault, enabling the actor to drain the funds.

The firm picked this address because of potential transaction fee savings. These can be made with vanity addresses that have a string of several zeroes, Mudit Gupta, Polygon's chief information security officer, told The Block.
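
A defender's view of the two points above (the vanity-shaped admin address and the fee motive), as an added example that is not from the article or from Wintermute: it flags privileged addresses whose shape suggests vanity generation and shows the calldata gas such an address saves under EIP-2028 pricing. The addresses, role names and thresholds are constructed assumptions; a flag is a prompt to verify how the key was generated, not evidence that Profanity was used.

```python
# Added example (not from the article); addresses are constructed samples.
import re

ZERO_BYTE_GAS = 4       # calldata gas per zero byte (EIP-2028)
NONZERO_BYTE_GAS = 16   # calldata gas per non-zero byte (EIP-2028)
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def leading_zero_nibbles(address):
    body = address[2:]
    return len(body) - len(body.lstrip("0"))

def longest_run(address):
    # Length of the longest run of one repeated hex character.
    body = address[2:].lower()
    best = run = 1
    for prev, cur in zip(body, body[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

def calldata_gas(address):
    """Gas to pass the 20 address bytes as calldata."""
    return sum(ZERO_BYTE_GAS if b == 0 else NONZERO_BYTE_GAS
               for b in bytes.fromhex(address[2:]))

def audit(addresses, min_zero_nibbles=6, min_run=6):
    """Flag addresses whose shape suggests vanity generation (assumed thresholds)."""
    findings = {}
    for role, addr in addresses.items():
        if not ADDRESS_RE.match(addr):
            findings[role] = {"status": "malformed"}
            continue
        zeros, run = leading_zero_nibbles(addr), longest_run(addr)
        vanity = zeros >= min_zero_nibbles or run >= min_run
        findings[role] = {
            "status": "review-key-provenance" if vanity else "ok",
            "leading_zero_nibbles": zeros,
            "longest_run": run,
            "gas_saved": 20 * NONZERO_BYTE_GAS - calldata_gas(addr),
        }
    return findings

SAMPLE = {  # hypothetical role names, constructed addresses
    "vault_admin": "0x0000000a1b2c3d4e5f60718293a4b5c6d7e8f901",
    "treasury": "0x8f3a1c9e5b7d2406f1e3a5c7092b4d6e8f0a1c3e",
    "legacy_ops": "0x1234",
}

if __name__ == "__main__":
    for role, result in audit(SAMPLE).items():
        print(role, result)
```

Only whole zero bytes are priced at the lower calldata rate, so the constructed seven-nibble prefix saves gas on three bytes.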

This was not the first time Wintermute had lost funds in a security exploit. In June, a hacker was able to take ownership of 20 million Optimism tokens sent to Wintermute by the Optimism Foundation for market making of the token.

After the June incident, Wintermute offered a 10% bounty, which the hacker accepted after one day of on-chain correspondence between the two parties. This time, however, the hacker has yet to reply to Wintermute’s request.


© 2023 The Block. All Rights Reserved.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c.