‘White Hat’ Hacker Returns $1 Million Stolen In Crypto Theft Disaster

The saga of the Multichain hack takes another strange turn, with one of the hackers returning the money they stole, but keeping “tips for me saving your money.”

A hacker who stole more than $1 million from users of a cryptocurrency platform and then promised to return it, keeping a tip for their services, has kept their word.

On Wednesday, a hacker who called themselves a “white hat”—cybersecurity lingo for hackers who have no malicious intent—posted a message on the Ethereum blockchain asking victims to send them their transaction details.


“I give 80% back. The rest is the tips for me saving your money,” the hacker wrote. 

Earlier this week, Multichain, a platform previously known as Anyswap that allows users to swap tokens between blockchains, announced in a blog post that users needed to remove smart contract approvals for six tokens that were vulnerable to hackers. The announcement backfired and tipped off multiple hackers, who immediately started draining funds from the vulnerable accounts. As of Wednesday afternoon, hackers had stolen more than $3 million, according to Tal Be’ery, a cybersecurity researcher who has been tracking the hack since the beginning. One of those hackers turned out to be a self-styled good guy, however, positioning their own $1.2 million theft from multiple victims as a defensive hack and offering to return most of the funds.

Negotiations happened on the blockchain itself, with the "white hat" hacker and victims, as well as the company itself, swapping messages in Ethereum transactions. A day later, the so-called white hat returned more than $800,000, according to a transaction on the blockchain spotted by Be’ery, who is the CTO of ZenGo, a crypto wallet app.


“Well received, thank you for your honesty,” one victim, who lost nearly $1 million in ether and offered a 50 ETH (roughly $150,000) tip, wrote in a blockchain message to the hacker.

In another blockchain message directed to Multichain, the hacker said that they would return other stolen funds—63 ETH, or roughly $189,000, with the hacker keeping a 12 ETH "tip"—and stop “saving the rest” of the money that’s in vulnerable accounts since most users have now disabled permissions. 

“I sent back the biggest lost back to 0x3ee. And I will send back 63 eth and keep the same percent tips as bug bounty which is around 12 eth. So if you think this percent bounty is too much or too little, pls tell me,” the hacker wrote. “There are still some bots targeting it, but I think most users have been notified so I stop saving the rest. And also, pls give me an address that I can make sure is under the control of your team.”


At the time of writing, the hacker has also returned the 63 ETH, as they promised, according to two transactions registered on the Ethereum blockchain. 

Multichain did not immediately respond to a request for comment about the funds being returned.

In the last few days, users of the platform complained in the official Telegram channel, asking the company to do something about the hack and return their money, while also dealing with even more scammers posing as support staff who moved in during the confusion. As Motherboard reported yesterday, one of the channel’s admins, who goes by Marcel, said that they “don’t have support here on Telegram.”

After the story was published, Marcel clarified to Motherboard in an online chat that Multichain has a ticket support system, just not on Telegram, where its users gather, due to the risk of scams.

Hackers stealing cryptocurrency and then returning it is starting to become a trend in the crypto world. 

Last year, a hacker stole $600 million from cross-blockchain cryptocurrency platform Poly Network. The company pleaded with the hacker in a message posted on the blockchain, referring to them as “Dear Hacker,” and “Mr. White Hat,” and going as far as promising them a job. Eventually, against all odds, the hacker actually returned the money.
