A Munchables developer, involved in a recent exploit, returned $62.8 million worth of Ether without demanding a ransom, nearly eight hours after the hack was reported.
On March 26, around 9:30 pm UTC, Munchables, an Ethereum-based nonfungible token (NFT) game, disclosed a hack that resulted in the theft of over 17,400 ETH from its GameFi app.
Following the incident, Munchables collaborated with blockchain investigators, including PeckShield and ZachXBT, to track the movement of the stolen funds and attempt to intercept them.
According to ZachXBT, the exploit was linked to the Munchables team hiring a developer known as "Werewolves0943," reportedly from North Korea.
By March 27, 4:40 am UTC, Munchables had identified the hacker as one of its developers. After an hour of negotiations, the former developer agreed to return the hacked funds. Munchables stated:
“The Munchables developer has shared all private keys involved to assist in recovering the user funds. Specifically, the key which holds $62,535,441.24 USD, the key which holds 73 WETH, and the owner key which contains the rest of the funds.”
The creator of the Ethereum layer-2 blockchain Blast, known as Pacman, expressed gratitude to ZachXBT for support and confirmed that "the ex-Munchables dev opted to return all funds in the end without any ransom required."
Because Munchables operates on the Blast blockchain, Pacman will collaborate with the Munchables team to redistribute the recovered funds.
Meanwhile, victims of the hack are advised to rely only on communications from official sources to avoid falling victim to refund scams.
This incident occurred nearly four days after a hacker stole approximately $24,000 from four different addresses associated with decentralized finance (DeFi) aggregator ParaSwap. The protocol successfully recovered the funds and initiated the refund process for affected users.
With assistance from white hat hackers, ParaSwap resolved the issue and revoked permissions for the vulnerable AugustusV6 smart contract. According to ParaSwap, 386 addresses were impacted by the vulnerability, with 213 addresses yet to revoke allowances for the flawed contract as of March 25.