Copycats used the same code as the original hackers but modified the target token, token amount, and recipient addresses.

Close to 90% of addresses taking part in the $186 million Nomad Bridge hack last week have been identified as “copycats,” making off with a total of $88 million worth of tokens on Aug. 1, a new report has revealed.

In an Aug. 10 Coinbase blog, authored by Peter Kacherginsky, Coinbase’s principal blockchain threat intelligence researcher, and Heidi Wilder, a senior associate of the special investigations team, the pair confirmed what many had suspected during the bridge hack on Aug. 1 — that once the initial hackers figured out how to extract funds, hundreds of “copycats” joined the party.

Source: Coinbase

According to the security researchers, the “copycat” method was a variation of the original exploit, which used a loophole in Nomad’s smart contract, allowing users to extract funds from the bridge that wasn’t theirs.

The copycats then copied the same code but modified the target token, token amount, and recipient addresses.

But while the first two hackers were the most successful (in terms of total funds extracted), once the method became apparent to the copycats, it became a race for all involved to extract as many funds as possible.

The Coinbase analysts also noted that the original hackers first targeted the Bridge’s wrapped-Bitcoin (wBTC), followed by USD Coin (USDC) and wrapped-ETH (wETH).

Source: Coinbase

As the wBTC, USDC and wETH tokens were present in the largest concentrations in the Nomad Bridge, it made sense for the original hackers to first extract these tokens.

White-hat efforts

Surprisingly, Nomad Bridge’s request for stolen funds yielded a 17% return (as of Aug. 9), with the majority of those tokens being in the form of USDC (30.2%), Tether (USDT) (15.5%), and wBTC (14.0%).

Source: Coinbase

Because the original hackers mostly exploited wBTC and wETH, the fact that most of the returned funds came in the form of USDC and USDT suggests that the majority of the funds returned were from white-hat “copycats.”

Meanwhile, approximately 49% of the exploited funds (as of Aug. 9) have been transferred elsewhere from each of the recipient’s addresses.

Related: $2B in crypto stolen from cross-chain bridges this year: Chainalysis

Coinbase also noted that the first three recipient addresses were funded by Tornado Cash, an Ethereum-based protocol that allows users to transact anonymously. On Monday, the U.S. Treasury sanctioned all USDC and ETH addresses linked to the protocol.

The Nomad Bridge hack has become the fourth largest DeFi hack ever and the third biggest in 2022, following the $250 million Wormhole Bridge hack in February and the $540 million Ronin Bridge hack in March. Cross-chain bridges of these kinds have been accused of being too centralized, making it an ideal site for attackers to exploit.