After a week of searches, it appears that the culprit behind at least two of the anomalous high fee transactions on Ether (ETH) was found.

As reported by Chinese blockchain analytics company PeckShield on June 16, the originating address appears to be coming from Korean platform GoodCycle, a recently launched peer-to-peer exchange that provides “investment” opportunities to its users.

According to PeckShield, this platform shows all the signs of a Ponzi scheme, which would explain its rapid rise in popularity.

The analysts conducted a thorough blockchain analysis and found that a wallet beginning with “0xcdd6a2b” was the origin of the first two transactions. The team was able to make a deposit on the GoodCycle platform and conclusively proved that it went to that address.

Ransomware theory more likely

The analysts argue that due to GoodCycle relying on a pyramid scheme, it makes sense why it has not come forward to claim the money, as that would erode trust in the platform from its users and subsequently collapse the venture.

Jeff Liu, a co-founder of PeckShield, told Cointelegraph that GoodCycle is likely to be the victim of an attack, though he added that “there are still other possibilities, such [as] internal operation errors.”

The report from PeckShield notes that the exchange does not even use the encrypted HTTPS protocol, which would make it trivial to hack the exchange through “man-in-the-middle” attacks. 

A communication from GoodCycle itself seems to confirm that the platform is suffering a hack, subsequently blocking withdrawals and performing a “security upgrade.”

Announcement from GoodCycle

Announcement from GoodCycle. Source: PeckShield

Victim got in contact with the mining pools

Two transactions sent today to SparkPool and Ethermine from the wallet that was identified as GoodCycle’s are signed with a message stating “I am the sender.” 

It appears likely that the team finally regained control back, as it is unlikely that the hackers would have been able to make the transaction. 

When asked why the exchange did not move sooner in shutting itself down, which was one of the criticisms of the blackmail theory, Liu replied: 

“In my opinion, they are not very experienced exchange operators, and may need some professional help on how to deal with these operation issues.”

However, Ethermine has already decided to distribute the funds to miners, while SparkPool pledged to begin the process today as well.

The PlusToken connection

Anonymous researcher Frank Topbottom was able to identify that several addresses connected to the massive PlusToken Ponzi scheme were interacting with the address later associated with GoodCycle. Specifically, funds from a known PlusToken sent ETH to the same deposit address used for some transactions on the GoodCycle address.

It is unclear whether the association runs deeper. It is possible that GoodCycle was simply another venue used by the scammers to launder their proceeds.