A Multi-Million Mystery: Likely ETH Fee ‘Victim’ Steps Into Spotlight

A deeper dive into the story involving a potential scam operation paying millions in ETH transaction fees twice in a row.

The hottest Ethereum topic in June so far has been mysterious transactions that involved millions of dollars being paid to transfer small-to-medium amounts of Ether (ETH) — an activity which normally doesn’t cost more than a few dozen cents.

Researchers have managed to track down the potential victim — a suspicious South Korean crypto exchange — which either experienced a major bug or was threatened by hackers in a very sophisticated way. So what are the main theories behind what happened, and will these millions of dollars be returned to their owner after all?

What happened?

A chain of Ether transactions with abnormally high fees took place between June 10 and 11, in which someone appears to have paid $2.6 million to transfer ETH, which normally would cost around $0.50 to a few dollars even for extremely large transactions. And it happened three times.

The first transfer took place on June 10 when someone moved 0.55 ETH, or around $140, and paid over $2.6 million in gas prices for it. Within 24 hours, a second transaction was made from the same wallet, spending the exact same amount — $2.6 million — on fees, this time to send 350 ETH.

Curiously, there was a third abnormal transfer around that time, although it came from a different wallet address and seems to be an isolated incident. That transaction involved 2,310 ETH — or roughly $500,000 — being paid to transfer 3,221 ETH.

The owner of that last wallet reached out to F2Pool — the mining pool that processed the said transaction — and managed to prove experiencing a “malicious attack on their node wallet.” As a result, F2Pool decided to return 90% of the ETH gas price to the original owner and use the remaining 10% to sponsor a one-week period of ETH zero-fees mining.

The story behind the first two transactions, however, seems to be much more complicated.

Swapped fees?

ETH senders can manually set fees for their transactions to get them processed faster, although most cryptocurrency wallets suggest an automatically calculated commision that rarely exceeds several dollars worth of ETH, preventing users from overpaying. Therefore, the crypto community initially assumed that the June 10 transaction was an honest yet very expensive mistake.

“They almost certainly swapped the fee with the amount to send,” tweeted AVA Labs blockchain protocol founder and Cornell University professor Emin Gün Sirer. Ethereum co-founder Vitalik Buterin soon agreed that it was “definitely a mistake.” He also mentioned a protocol upgrade that would “reduce” the need for manual fee setting: “I’m expecting EIP 1559 to greatly reduce the rate of things like this happening by reducing the need for users to try to set fees manually.”

Similarly, Bitfly’s Ethermine ETH pool, which processed the second mysterious transaction, asked the sender to contact them regarding this accident to resolve it.

The blackmail theory

On June 12, Chinese analytics firm PeckShield came forward with one possible explanation. According to the researchers, the multimillion-dollar fees might have been initiated by hackers seeking to threaten a cryptocurrency exchange into paying them ransom. According to PeckShield’s theory, the hackers gained limited access to the platform’s operational functions, which allowed them to send transactions to “whitelisted” addresses and set enormous fees to show their willingness to burn all of the victim’s funds. Vitalik Buterin soon retweeted the article, seemingly agreeing with the new explanation:

“Hackers captured partial access to exchange key; they can’t withdraw but can send no-effect [transactions] with any gas price. So they threaten to ‘burn’ all funds via [transaction fees] unless compensated.”

Hartej Sawhney, CEO of U.S.-based cybersecurity agency Zokyo Labs, agreed that a hacker has seemingly got operational control of an exchange “and is not stealing keys but setting high mining charges on large transactions.”

Notably, some experts find the blackmail theory improbable. Speaking to Cointelegraph, Alex Manuskin, a blockchain researcher at Tel Aviv-based cryptocurrency wallet firm ZenGo, argued the blackmail hypothesis “takes some very peculiar circumstances for it to be possible.” According to Manuskin, the hacked account would most likely change its behavior after realizing it was hacked, while the address nonetheless continued to receive and send transactions: “If the hackers controlled the key, why did they [the hacked party] continue operating the service as usual?”

Viktor Bunin, protocol specialist at blockchain infrastructure firm and Libra Association member BisonTrails also said that the blackmail theory “does not seem realistic” in a conversation with Cointelegraph: “If it were a blackmail situation, one would expect it would stop receiving money.”

In Bunin’s view, the transactions were likely caused by “a bug in their bot or business logic that sweeps those addresses.” He elaborated: “The gas price was identical and highly specific in both transactions, which is extremely unlikely from fat fingering.” According to Bunin, the wallet address might belong to an exchange that doesn’t want to come forward and admit to having a security breach this large:

“An exchange would suffer too much reputational harm by making such enormous mistakes because this would expose their system’s deficiencies, make them a target for hackers, and users would not want to keep their assets with them. This would be devastating, so they may have chosen to eat the loss.”

Rod Hsu, co-founder of Canada-based cryptocurrency platform Coincurve, suggested that the address in question might have been set up specifically for money laundering activities. He believes that a degree of manual intervention or override was done to the wallet that was seemingly used as a deposit address. He went on to add: “The originating wallet has a very consistent pattern of gas price used (60 GWei) but all of a sudden there is this incredibly high gas fee paid, not once but twice.”

Since no one had come forward claiming connection to the transactions with proper proof at the time that Cointelegraph spoke with Hsu, he assumed that “this may have been an act of washing coins through the network with the possibility of this group having some controlling block in those mining pools.

Similarly, Sawhney told Cointelegraph that “it is highly unlikely that this is a script error,” explaining further: “I would bet that the script owner contacted mining pools given that this news has been widely circulated in both Chinese and English media.”

Newer findings

According to the latest findings of PeckShield, the wallet address belongs to a recently launched South Korea-based peer-to-peer crypto exchange called Good Cycle, which may act as a front for a Ponzi scheme. The researchers made a deposit to Good Cycle, and noticed that the transaction appeared in the same wallet address that sent two out of the three suspicious transactions described above.

PeckShield co-founder Jeff Liu elaborated on how they managed to find the wallet’s owner for Cointelegraph: “Using our tools and data we found the clues, and it was verified by manually registering account at Good Cycle site.”

Additionally, the report stressed that the exchange’s security seems lackluster. For instance, Good Cycle does not even use the encrypted HTTPS protocol for its website. Liu points out that the South Korean operation might be a scam: “Good Cycle appears to be a scam site, Ponzi Scheme to be exact, although this incident doesn’t seem to be part of the scam.”

Liu clarified that although it is still not clear whether Good Cycle was attacked or lost funds by accident, “they are the victim in this incident, in the sense that they paid the huge transaction fee.”

According to an announcement from Good Cycle shared by PeckShield, the platform described suffering a hack, subsequently halting withdrawals and doing a “security upgrade.” According to a South Korean media report, Good Cycle revealed that “the hacker attacked the good cycle several times and made 3 fake IDs to prevent deposits and withdrawals.”

The exchange has limited presence on social media and seems to list no contact details on its website. According to videos uploaded by a YouTube user who identifies himself as “the leader” of South Korean crypto firm Karatbars (which has been flagged as a potential pyramid scheme), Good Cycle is an “exchange-based” business that attracts customers to join on a membership basis.

What happened to Good Cycle?

Despite the recent findings and an announcement from Good Cycle, the extremely overpriced transactions remain a mystery, says Liu, “We actually cannot be sure what’s happened exactly. What we do know is that Good Cycle paid the huge transaction fee, either because somebody attacked them, or some error on their part.”

Good Cycle has seemingly confirmed that it was attacked, since on June 17, the exchange sent two transactions to Ethermine and SparkPool with a message that says: “I am the sender.” Notably, it happened after PeckShield ousted Good Cycle as the potential victim. Experts are scratching their heads over why the funds couldn’t have been moved earlier. Manuskin told Cointelegraph:

“This is the missing link in the ransomware theory. If the service still had custody of the key, they could have contacted the miners earlier, as well as move the funds out as they did.”

It appears that Good Cycle has missed both deadlines set by Ethermine and Sparkpool. “Now the funds have already been distributed by the mining pools, so they will not be returned to the account,” Manuskin asserted. Indeed, on June 15, four days after the mysterious transactions took place, Etheremine pool announced the decision to distribute the fee to its miners, explaining that no one had approached them claiming to be the owner. SparkPool was scheduled to do the same on June 16. Cointelegraph reached out to both pools to confirm that they had distributed the fees before they were approached by Good Cycle, but received no reply as of press time.

If it was a bug, it means that the victim only noticed the discrepancy four days after losing millions of dollars, Manuskin added. Consequently, if Good Cycle was attacked by hackers, it seems like they were able to regain control of their server only recently according to Manushkin: “Both cases suggest complete disregard for funds, and basic operational security, thus either [theory] is still possible.”

Nonetheless, it seems that Good Cycle is back to whatever it was doing before losing millions of dollars. Around the same time the South Korean exchange approached the mining pools with the “I’m the sender” message, it moved the remaining funds — around 18,000 ETH, or more than $4 million — to a new address, which is now performing the same actions as the previous one albeit the abnormally priced transactions.