‘Stay Optimistic!’: Hacker Returns $15 Million In ‘Optimism’ Tokens

The victim asked the hacker to return the “bag of cash” they stole to avoid getting law enforcement involved.
Image: Pilin_Petunyia/Getty Images
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

Looks like it pays off to be optimistic after all. 

On Thursday, the crypto project Optimism disclosed that a hacker had stolen 20 million of the project’s tokens—worth roughly $16 million—by taking advantage of a botched transaction with liquidity provider Wintermute. In line with an emerging trend, Wintermute’s CEO Evgeny Gaevoy pleaded with the hacker to return the stolen tokens within a week and threatened to get authorities involved and dox the hacker. 


Just a day later, the hacker has returned most of the stolen crypto, according to blockchain records. 

At first, in the early morning of Friday, the hacker sent a message to Ethereum co-founder Vitalik Buterin on the Optimism blockchain, along with one million tokens. .

“Hello, Vitalik, I believe in you, just want to know your opinion on this. BTW, help to verify the return address and I will return the remaining after you. And hello Wintermute, sorry, I only have 18M and this is what I can return. Stay Optimistic!” the hacker wrote. 

Roughly six hours later, the hacker started sending back the remaining stolen tokens in batches of one million OP tokens. As of this writing, the hacker has returned 17 million OP to the wallet that Gaevoy advertised in his message on Thursday, which he identified as belonging to Optimism, according to the transactions recorded on the Optimism blockchain. That wallet is currently the top holder of OP tokens, holding nearly 30 percent of all tokens. 

Do you have information about hacks or hackers in the world of crypto? Or do you research vulnerabilities in web3 and DeFi projects? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email


That means the hacker is still in possession of one million OP tokens, other than the million they sold after the hack, which they sent to the mixing service Tornado Cash. It’s not clear if the hacker intends to keep the remaining one million as a sort of reward. 

On Twitter, Gaevoy posted a cryptic message after the hacker sent back the tokens, consisting of only an upside-down smiley face emoji.

“I am happy with how this situation has resolved. I think it teaches an important lesson about blockchain security for the industry—both for the actors engaging in movements of funds and for the security and protocol builders about making the products more secure, user-friendly and fool-proof,” Gaevoy told Motherboard in a Twitter DM. “It also sets an important precedent for resolving such attacks in future in a self-governing way. I would encourage the exploiter to accept their mistakes fully and publicly and offer bounties to those who find them, and for the exploiters to cooperate and choose the ‘right’ route by wearing the white hat. If this becomes the protocol to follow, it would help all of us to innovate in a more secure way”.

On Twitter, Optimism confirmed that they had received the stolen crypto, and that Wintermute “has committed to reimbursing the Optimism Foundation.”

The company also said that the remaining two million OP “was kept as a bounty.”

UPDATE, June 10, 11:25 a.m. ET: This story was updated to include Optimism’s statement on Twitter.

UPDATE, June 15, 1:54 p.m. ET: This story has been updated to include Gaevoy’s comments.

Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.