Behavior over labels$197M LossPublished 2026-06-20

Euler Finance Hack: Score 12, Escalate, Three Years After the Funds Were Returned

In March 2023, an attacker drained $197M from Euler Finance, apologized on-chain, and returned most of the funds within thirty days. The wallet has been dormant for fifteen months. Run through CredScore today, it still returns High Risk, Escalate, at 72% confidence. Behavior doesn't unhappen.

By Wade Wickingson, founder of CredScore
TL;DR
  • On March 13, 2023, a flash-loan exploit on Euler Finance's eToken contract drained roughly $197M to a single attacker wallet on Ethereum.
  • The attacker, who self-identified as "Jacob" in on-chain messages, apologized publicly and returned approximately $177M of the stolen funds within thirty days.
  • The wallet has been dormant for roughly fifteen months. Last on-chain activity was over 450 days ago at analysis time.
  • CredScore returned High Risk, score 12/100, Escalate, at 72% confidence. Three high-severity primary drivers fired: sanctions-sensitive exposure context, high-confidence sanctions attribution, and hack proceeds attribution. The engine also surfaced one historical interaction with a Lazarus Group-sanctioned address.
  • The wallet was identified directly by the engine's entity registry as "Euler Finance Hack 2023." The labels persist. The verdict doesn't soften because the attacker returned the money.

On March 13, 2023, an attacker exploited a missing health check in the donateToReserves function of Euler Finance's eToken contract. A series of flash-loan-funded transactions drained roughly $197M in stablecoins and staked ETH to a single attacker wallet on Ethereum. It was, at the time, the largest DeFi exploit of the year.

The story took an unusual turn. Over the following two weeks, the attacker began returning the funds. On-chain messages encoded in transaction calldata identified the attacker as "Jacob" and included a written apology. By the end of April 2023, approximately $177M of the stolen $197M had been returned to the Euler protocol. The wallet went silent shortly after, and as of the date of this analysis it has been dormant for more than fifteen months.

This case study is not a recap of the exploit. It is a question: does a CredScore run on the attacker wallet today, fifteen months after the funds were returned and the wallet went dormant, still produce a risk verdict? The answer is the whole point of behavioral scoring. Yes, it does. And the verdict it returns is exactly the same shape it would have returned in March 2023, because the on-chain history that drove it has not changed.

The full verdict is live at credscore.us/v/yzFdjv-gays. The screenshots below are unedited output from the analyst desk.

The wallet

The wallet, publicly tagged on Etherscan as "Euler Finance Exploiter," is the attacker's primary address. A separate front-running MEV bot captured a small portion of the exploit value, but the analysis below is on the primary attacker wallet only.

Euler Finance exploiter wallet0xb66cd966670d962c227b3eaba30a872dbfb995db3.3 years old · 1,140 transfers · 15 months dormantHigh / 12 / Escalate

The wallet is 3.3 years old at analysis time, holding 0.000198 ETH residual balance, with 1,140 observed transfers. It received 749 rapid inbound events (the primary post-exploit accumulation phase plus the later returns coming back from intermediary addresses) and made 51 rapid outbound events. Its last on-chain activity was 453 days before this analysis. It is, for all practical purposes, a closed file.

The verdict

CredScore verdict for the Euler Finance exploiter wallet: High Risk, score 12 out of 100, Escalate decision posture, 72 percent confidence, 1,140 transfers, 3.3 year wallet age
Verdict for the Euler Finance exploiter wallet, fifteen months after the funds were returned. High Risk, score 12 out of 100, Escalate decision posture at 72 percent confidence, on a 3.3-year-old wallet with 1,140 observed transfers.

CredScore returned High Risk, a score of 12 out of 100, an Escalate decision posture, at 72% confidence. The confidence is high because the wallet has 1,140 transfers of established history and the engine's entity registry resolves it to a known incident. The score is in the bottom decile because every primary driver is high severity. The decision is Escalate not because of one finding but because the combination of sanctions-sensitive context plus hack-proceeds attribution plus structural fan-out exceeds the threshold for any single signal alone.

The primary risk drivers

CredScore primary findings on the Euler Finance exploiter wallet, including a sanctioned entity interaction with the Lazarus Group Ronin Bridge hack proceeds wallet and three high-severity primary findings
Three high-severity primary findings stack on top of a hard sanctions-self detection. The wallet had one observed interaction with a Lazarus Group-attributed sanctioned address (Axie Infinity Ronin Bridge hack proceeds), and the engine's entity registry identifies the wallet itself as proceeds from the Euler Finance Hack 2023.

Three high-severity drivers carry the verdict.

Sanctions-sensitive exposure context. The wallet had one observed interaction with a counterparty on the sanctions registry. The engine's registry identifies the counterparty as the Lazarus Group-attributed Axie Infinity Ronin Bridge hack proceeds wallet (OFAC-sanctioned). Co-occurring entity labels include "Euler Finance Hack 2023", the DAI contract, and the Ethereum Foundation. The Ethereum Foundation label reflects the attacker's on-chain return of funds, including transfers routed through Foundation-controlled infrastructure addresses during the apology period.

High-confidence sanctions attribution. The engine treats the Lazarus interaction as a high-confidence finding rather than as a low-confidence label, because the sanctioned address is on the curated registry, not inferred from clustering heuristics. Sanctions-sensitive attribution is a hard escalation signal in compliance review regardless of base behavioral score.

Hack / exploit proceeds attribution. The wallet itself is labeled as "Euler Finance Hack 2023" in the entity registry. The label persists because the on-chain record persists. A wallet that received the proceeds of a documented exploit is treated as carrying that label until the registry is changed, not until the funds are returned. This is the design choice that separates behavior-over-labels engines from sanctions-only screens.

How the score was assembled

CredScore score composition for the Euler Finance exploiter wallet, showing the six risk dimensions and their weighted contribution to the final score of 12 out of 100
The six risk dimensions that produced the score of 12. Entity is the dominant pressure (-36 points), driven by the sanctioned interaction plus hack-proceeds attribution. Behavior, Temporal, and Coverage add smaller negative pressure. Stability earns a small positive offset for the 3.3-year history. Every signal is weighted and the arithmetic is reproducible.

Structural pattern observations

CredScore wallet relationship graph for the Euler Finance exploiter wallet, showing the structural fan-out distribution across multiple counterparties and identified protocol context including DAI contract, Ethereum Foundation, USDC contract, and Null Burn Address
The wallet relationship graph at analysis time. Eight observed counterparties and four protocol relationships (DAI contract, Ethereum Foundation, USDC contract, Null / Burn Address). The Ethereum Foundation edge reflects the attacker's on-chain return of funds during the March 2023 apology period.

Beyond the high-severity drivers, the engine surfaced one structural pattern: fan-out distribution at medium confidence. This reflects the post-exploit distribution phase, where the attacker spread funds across 432 unique counterparties (including the various return-of-funds intermediaries) before the wallet went dormant. The fan-out shape is not a misconduct finding by itself, but it adds review pressure when combined with the other signals already firing.

The interaction with Lazarus Group

One finding worth surfacing on its own. The CredScore engine recorded a single historical on-chain interaction between the Euler exploiter wallet and an OFAC-sanctioned address controlled by the Lazarus Group (DPRK), specifically the Axie Infinity Ronin Bridge hack proceeds wallet. The interaction count is one, and the timing relative to the Euler exploit is not resolved by behavioral data alone.

This is decision support, not an attribution claim. There is no public reporting that links the Euler attacker to DPRK operations, and the CredScore engine does not infer one. What it does is surface the on-chain fact that the two addresses have at some point shared a transfer relationship. For a compliance analyst, that is a finding worth at least a follow-up search before clearing the case. For a cold reader of this case study, it is a reminder that wallets visible to the engine carry their relationships forward even when those relationships predate the headline incident.

The written briefing

CredScore written analyst briefing for the Euler Finance exploiter wallet, including the executive risk verdict, decision posture, primary risk drivers (sanctions-sensitive exposure, high-confidence sanctions attribution, hack proceeds attribution), and offsetting factors
The full analyst briefing, generated deterministically from the signal set. Every claim ties back to a numeric value in the analysis. The briefing names the sanctioned counterparty interaction count, the entity labels including Euler Finance Hack 2023 and Ethereum Foundation, and the offsetting factors that did not soften the verdict.

Why this matters for compliance

Most wallet risk products evaluate the present state of a wallet. CredScore evaluates the on-chain record. Those are different questions, and they produce different answers.

The Euler exploiter wallet, evaluated by "is it active today, does it currently hold stolen funds, has it interacted with a sanctioned address in the last thirty days," would land somewhere between low risk and unknown. The wallet is dormant. It holds dust. Recent activity is zero.

The same wallet, evaluated by "what is the on-chain record this wallet carries," lands at High Risk, Escalate. That is the verdict CredScore is built to produce. Because in a compliance review, the on-chain record is the point. A wallet that drained $197M from a documented exploit, returned $177M, and went dormant, is still a wallet that drained $197M from a documented exploit. The math of what happened does not change because the actor felt bad about it.

For a forensic firm or a compliance desk, this is the behavior that separates a useful tool from a noisy one. A risk verdict that resets after a wallet goes dormant is a verdict that quietly clears every actor who waits long enough. A risk verdict that holds the on-chain record forward is a verdict that an analyst can defend in an internal review and an external audit, six months or six years after the fact.

What this study does not claim

Four limits on what this analysis is.

This is retrospective, not a discovery. The Euler attacker wallet has been publicly identified since March 2023 and is tagged on Etherscan, Arkham, and every major chain analytics platform. CredScore did not catch the hack first. The claim is narrower: the engine independently produces a High Risk Escalate verdict on the wallet today, fifteen months after the funds were returned and the wallet went silent, on the on-chain record alone.

The Lazarus interaction is decision support, not an attribution. One historical on-chain interaction between two addresses does not establish operational connection, shared control, or intent. The engine surfaces it because a compliance analyst should see it. The case study cites it for the same reason. It does not claim the Euler attacker was a DPRK operator.

The verdict is a statement about the wallet, not about the person. The attacker self-identified as "Jacob", returned the majority of the funds, and has been publicly silent for over a year. None of that information is in the engine, and none of it changes the verdict. The verdict is about the address. The address did what it did.

The score is decision support, not a legal conclusion. Escalate posture is a recommendation that human context resolve the finding. The on-chain record is one input to a compliance decision, not the whole decision. This is consistent across every CredScore verdict.

What this case study proves

Three things.

Behavior doesn't unhappen. A wallet that did something at a specific time keeps doing that something in the on-chain record, even if the actor returned the proceeds and walked away. The engine reads the record. The record persists. The verdict reflects the record.

Labels persist. The wallet is identified in the engine's entity registry as "Euler Finance Hack 2023." That label is a historical fact, not a current state. A risk engine that drops the label after the funds are returned is a risk engine that produces verdicts a compliance analyst cannot defend.

The on-chain record contains relationships the engine surfaces. The one observed interaction between the Euler exploiter and a Lazarus-controlled sanctioned address is the kind of finding a compliance analyst wants surfaced and a non-behavioral screen will miss. The engine does not claim it means anything beyond what it is. It surfaces it because the analyst should see it.

Enterprise blockchain analytics tools can produce a comparable verdict on this wallet, but behind a large annual contract and a multi-week procurement process. If you want a feature-by-feature comparison, see CredScore vs Chainalysis, CredScore vs TRM Labs, and CredScore vs Elliptic.

Run a wallet you already know

The best way to judge CredScore is not to read a case study. It is to paste in an address whose risk profile you already know and see whether the engine agrees with you.

Try the engine free

Paste any Ethereum, Tron, Base, Arbitrum, Optimism, or Polygon wallet and see a full briefing in seconds: score, decision posture, signal breakdown, and entity context. One free analysis, no signup.

Try CredScore freeView the live verdictMore case studies

Frequently asked questions

How much was stolen in the Euler Finance hack?

Approximately $197M in stablecoins and staked ETH was taken from Euler Finance on March 13, 2023, in what was the largest DeFi exploit of that year. The attack exploited a missing health check in the donateToReserves function on the eToken contract.

Did the Euler attacker return the funds?

Yes. The attacker, who self-identified as Jacob in encoded on-chain messages, apologized publicly and returned approximately $177M of the stolen $197M over the following thirty days. By April 2023 the protocol had recovered nearly all user-attributable losses.

What is the Euler Finance attacker wallet address?

The primary attacker wallet, publicly tagged on Etherscan as Euler Finance Exploiter, is 0xb66cd966670d962c227b3eaba30a872dbfb995db on Ethereum mainnet.

Why does CredScore still flag the wallet if the funds were returned?

Because behavior doesn't unhappen. The wallet's on-chain history still contains the original exploit transactions, the post-theft fan-out distribution, and the entity attribution that links it to a documented hack. A risk verdict is a statement about the on-chain record, not about whether the actor later did the right thing.

Did the Euler attacker interact with sanctioned wallets?

Yes. The CredScore engine found one historical interaction between the Euler exploiter and a Lazarus Group-attributed sanctioned address (the Axie Infinity Ronin Bridge hack proceeds wallet, OFAC-sanctioned). This is decision support, not an attribution claim — the interaction is surfaced because a compliance analyst should see it.

Is the CredScore engine using machine learning?

No. The engine is fully deterministic. Every score traces back to observable on-chain signals and entity attribution through a documented pipeline, so the same wallet produces the same auditable verdict every time.

Sources and further reading

  • Etherscan tag for the Euler Finance Exploiter wallet at etherscan.io
  • Chainalysis: "Euler Finance Flash Loan Attack Explained"
  • CoinDesk: "Hacker Behind $200M Euler Attack Apologizes, Returns Millions in Ether, Dai to Protocol" (March 28, 2023)
  • CoinDesk: "Euler Finance Hacker Sends 51,000 Stolen Ether Back to Protocol" (March 25, 2023)
  • SlowMist: "An Analysis of the Attack on Euler Finance"
  • Immunebytes: "Euler Finance Hack — March 13, 2023 — Detailed Hack Analysis"
  • CredScore engine documentation at /docs
Published 2026-06-20. Last updated 2026-06-20.
Analysis produced by CredScore. The wallet address referenced is publicly identified by Etherscan and multiple independent post-mortems of the March 2023 Euler Finance exploit. This analysis is retrospective and is decision support, not a legal conclusion.