It took nearly eight hours for the Munchables hacker — a Munchables developer — to have a change of heart and return $62.8 million worth of Ether stolen in an exploit without demanding a ransom.

On March 26, roughly around 9:30 pm UTC, Ethereum-based nonfungible token (NFT) game Munchables reported a hack that drained over 17,400 ETH from the GameFi app.

Munchables, along with blockchain investigators such as PeckShield and ZachXBT, began tracking the movements of the stolen funds in an attempt to intercept them.

ZachXBT claimed the exploit stemmed from the Munchables team hiring a North Korean developer known by the alias “Werewolves0943.” 

On March 27, 4:40 am UTC, Munchables identified the hacker as one of its developers. An hour of negotiations led the former developer to agree to return the hacked funds. In an official statement, Munchables said:

“The Munchables developer has shared all private keys involved to assist in recovering the user funds. Specifically, the key which holds $62,535,441.24 USD, the key which holds 73 WETH, and the owner key which contains the rest of the funds.”

The creator of the Ethereum layer-2 blockchain Blast, who uses the pseudonym Pacman, thanked ZachXBT for his support, as he announced that “the ex-Munchables dev opted to return all funds in the end without any ransom required.”

As Munchables was built on top of the Blast blockchain, Pacman will work with the Munchables team to help redistribute the stolen — now recovered — funds.

In the meantime, victims of the hack are advised to ensure they follow only communications from official sources to avoid falling for refund scams.

The exploit occurred nearly four days after a hacker stole roughly $24,000 from four different decentralized finance (DeFi) aggregator ParaSwap addresses. The protocol managed to recover the funds and began refunding users.

ParaSwap, aided by white hat hackers, successfully resolved the issue and revoked permissions for the vulnerable AugustusV6 smart contract. 

In total, ParaSwap revealed that 386 addresses were affected by the vulnerability. However, 213 addresses have yet to revoke allowances for the flawed contract as of March 25.

Source