Euler Autopsy: $177M Returned, 15 Months Dormant, Still Escalate
What happened
On March 13, 2023, an attacker exploited a missing health check in the donateToReserves function of Euler Finance's eToken contract. A series of flash-loan-funded transactions drained roughly $197M in stablecoins and staked ETH to a single attacker wallet on Ethereum. It was the largest DeFi exploit of the year at the time.
The story took an unusual turn. Over the following two weeks, the attacker began returning the funds. On-chain messages encoded in transaction calldata identified the attacker as "Jacob" and included a written apology. By the end of April 2023, approximately $177M of the stolen $197M had been returned to the Euler protocol.
The wallet went silent shortly after. It has been dormant for more than fifteen months at analysis time.
The verdict, three years later
Run through CredScore today — years after the funds were returned and the wallet went dormant — the verdict is:
High Risk. Score 12/100. Escalate. 72% confidence.
Same shape it would have returned in March 2023, because the on-chain history that drove it has not changed.
This is a different story from the Drift and Bybit autopsies. Drift was about catching unlabeled wallets on behavior alone. Bybit was about sanctions-cap enforcement holding under adversarial pipeline conditions. Euler is about a specific compliance question: does returning the money clear the wallet?
CredScore's answer is no.
Why the verdict persists
Three high-severity drivers stack on this wallet:
Sanctions-sensitive exposure context. The attacker's wallet interacted (once, historically) with a counterparty on the sanctions registry — the Lazarus Group-attributed Axie Infinity Ronin Bridge hack proceeds wallet, an OFAC-sanctioned address. A single interaction with a sanctioned entity is a hard escalation signal for compliance review, independent of how much time has passed.
High-confidence sanctions attribution. The engine treats the Lazarus interaction as a high-confidence finding — the sanctioned counterparty is on the curated registry, not inferred from clustering heuristics.
Hack / exploit proceeds attribution. The wallet itself is labeled "Euler Finance Hack 2023" in CredScore's entity registry. The label persists because the on-chain record persists. A wallet that received the proceeds of a documented exploit is treated as carrying that label until the registry is changed — not until the funds are returned.
Behavior doesn't unhappen
This is the design choice that separates behavior-over-labels engines from sanctions-only screens.
A pure sanctions screener asks: "Is this wallet on a list right now?" If the answer is no, the wallet clears. If the attacker settles with the victim protocol and comes off any watchlists, the wallet is treated as clean.
CredScore asks a different question: "What has this wallet done, and does its history warrant elevated scrutiny in a compliance workflow?" The wallet drained a DeFi protocol via flash-loan exploit. It interacted with Lazarus laundering wallets. Those facts are permanent on the ledger. The verdict reflects them and will continue to reflect them for as long as the on-chain record exists.
For a compliance officer processing a payment to or from this address years after the fact, that's the right posture. The attacker's remorse and restitution matter for reputational and legal proceedings — but "we returned it" is not the same as "we were never involved." A compliance workflow needs to distinguish those two states.
What this autopsy does not claim
Retrospective. The Euler attacker was doxxed by chain-analytics investigators within days of the exploit. CredScore did not discover the attacker. What this autopsy demonstrates is different: the verdict is reproducible on a wallet whose story is essentially closed, and it holds up under the compliance-relevant question of "should the wallet clear after restitution?"
Not a legal judgment. The Euler case ended in restitution and no criminal prosecution followed. That is a fact about the legal proceedings. It has no bearing on whether the wallet's on-chain history warrants continued scrutiny in a compliance workflow — and CredScore's verdict is a compliance signal, not a legal conclusion.
The wallet is dormant. The exploiter address hasn't moved funds in over a year. If it moves again, the verdict updates. The engine is not stuck on a historical snapshot — it reads whatever the current chain state says at analysis time.
The Euler exploiter verdict is a compact demonstration of CredScore's behavior-over-labels frame.
Three high-severity drivers stack:
1. Sanctions-sensitive exposure context — one historical interaction with the Lazarus Ronin Bridge hack proceeds wallet (0x098b716b8aaf21512996dc57eb0615e2383e2f96, OFAC SDN). Single-hop sanctioned interaction is a hard escalation signal regardless of time elapsed.
2. High-confidence sanctions attribution — curated registry match, not clustering-inferred. Compliance review treats this as materially urgent.
3. Hack/exploit proceeds attribution — the wallet itself carries the "Euler Finance Hack 2023" label in the entity registry. The label is tied to the on-chain event, not to a legal status; restitution doesn't remove it.
Score composition (from the six-dimension scorecard): Entity dimension is the dominant negative pressure (−36 points), driven by the sanctions interaction plus hack-proceeds attribution. Behavior, Temporal, and Coverage add smaller negative contributions. Stability earns a small positive offset for the 3.3-year history. Final: 12/100, High Risk, Escalate, 72% confidence.
In the CredScore [Behavioral Watermark](/watermark), this wallet's shape is distinct: rapid inbound bursts (749 rapid inflows during the post-exploit accumulation phase) followed by rapid outbounds (51, during the restitution period) followed by extended dormancy. That specific temporal signature — heavy activity, then silence — is a signature of exploit-then-return wallets. Other Watermark matches on similar temporal shapes would surface related historical events even without a direct label.
shared_analyses so if they get re-run later, the latest verdict surfaces on this page.