Last week, the crypto community spotted transaction fees of up to $2.6 million featured in several transactions on the Ethereum network. Vitalik Buterin has since suggested that the abnormous fees “may actually be blackmail," but some researchers have now challenged that claim. 

Blackmail theory

The first suspicious transfer took place on June 10, when $2.6 million in fees was paid to move just 0.55 Ether (ETH). Within 24 hours, a second transaction of 350 ETH was made from the same wallet, spending the exact same amount — $2.6 million — in gas.

The next day, the Ethereum blockchain processed a third abnormal transfer, although from a different wallet. The transaction saw 2,310 ETH — or roughly $0.5 million dollars — being paid to transfer 3,221 Ether.

On June 12, Chinese analysis firm PeckShield concluded that the multimillion dollar fees were paid by hackers seeking to ransom a cryptocurrency exchange after gaining limited access to the platform's operational functions. According to PeckShield, the hackers are threatening to empty the exchange’s wallet if they are not paid a bribe.

Vitalik Buterin has since retweeted that article, elaborating on the theory:

"Hackers captured partial access to exchange key; they can't withdraw but can send no-effect [transactions] with any gas price. So they threaten to 'burn' all funds via [transaction fees] unless compensated."

ZenGo researcher criticizes the theory

In a recent interview with Cointelegraph, Alex Manuskin, a blockchain researcher at Tel Aviv-based cryptocurrency wallet company ZenGo, said the blackmail theory “takes some very peculiar circumstances for it to be possible”. 

Manuskin stressed that after the first incident, the supposedly hacked account did not change its behavior, continuing to run in normal mode:

“Transactions continued going in and out. If the hackers controlled the key, why did they [the hacked entity] continue operating the service as usual?”

According to Manuskin, if hackers indeed gained limited access to the key that allowed them to send transactions to the “whitelist” addresses (such as customer addresses that have been preapproved by the entity controlling the hacked wallet), the hacked service would “do all it can to halt all operations and not put additional funds at risk.”

“If indeed this was a bug, not noticing such an incident is crazy,” Manuskin went on to argue, suggesting that the story behind the transactions remains a mystery for now. He added:

“But to imagine a service that operates 10M USD worth of funds, and does not keep backups for the keys of such funds and doesn't do anything to try and seal the breach is also crazy.”

The blockchain researcher suggests that the address could belong to “some service in east Asia” that users access “from various exchanges including Bithumb, OKEx, Coinone and others.”

Miners say no one approached them regarding the transactions

This week, two mining pools involved in the abnormal string of transactions — Etherchain and Sparkpool — both announced they are going to distribute the millions of dollars in fees they received from the strange transactions. Both pools have stressed that they have given sufficient time for the sender to get in touch with them.

“If it were indeed a blackmail attack, we would expect the victim to immediately contact the miners to retrieve the lost funds,” Manuskin argued in a blog post.