Report: 88% of Nomad Bridge exploiters were "copiers."

12-Aug-2022 By: Shikha Jha

The target token, token amount, and recipient addresses were changed, but the copycats utilised the same code as the original hackers.

According to a recent study, nearly 90% of the addresses involved in the $186 million Nomad Bridge heist last week have been identified as "copycats," who stole $88 million worth of tokens on August 1.

Peter Kacherginsky, Coinbase's principal blockchain threat intelligence researcher, and Heidi Wilder, a senior associate of the special investigations team, confirmed in a blog post on August 10 that hundreds of "copycats" joined the party after the initial hackers discovered how to steal money in the bridge hack on August 1.

Security researchers claim that the "copycat" technique was a variation of the original exploit, which made use of a flaw in Nomad's smart contract to let users withdraw money from the bridge that wasn't actually theirs.

The imitators then reused exactly the same code, but they altered the recipient addresses, target token, and token quantity.

Although the first two hackers were the most successful in terms of the overall amount of money they were able to steal, once the technique was copied by others there was a race to see who could take the most money.

According to Coinbase experts, the early hackers targeted the Bridge's wrapped-Bitcoin (wBTC), followed by wrapped-ETH (wETH) and USD Coin (USDC).

The wBTC, USDC, and wETH tokens were concentrated in the Nomad Bridge in the biggest proportions, so it made sense for the initial hackers to take them out first.

White-hat actions:

Unexpectedly, Nomad Bridge's request for the return of stolen money resulted in a 17% return (as of August 9), with the majority of those tokens being in the form of USDC (30.2%), Tether (USDT) (15.5%), and wBTC (14.0%).

The fact that the bulk of the money was returned in the form of USDC and USDT shows that the majority of the returned funds came from white-hat "copycats," as the original hackers mostly exploited wBTC and wETH. As of August 9, 49% of the stolen money had already been transferred from each recipient's address to a different location.

According to Coinbase's analysis, the first three recipient addresses were funded using Tornado Cash, an Ethereum-based system that permits anonymous transactions. The US Treasury blacklisted all USDC and ETH addresses linked to the protocol on Monday.

Coming after the $540 million Ronin Bridge hack in March and the $250 million Wormhole Bridge attack in February, the Nomad Bridge hack is the third-largest hack in 2022 and the fourth-largest DeFi hack overall. Because of their excessive centralization, which has drawn criticism, these cross-chain bridges are a popular target for attackers.


