On-chain analysts believe that the Ronin hacker might be trying to steal funds from the Euler hacker with a suspicious encrypted message.

The developments around the Euler finance exploit took an unexpected twist on Tuesday after the Ronin exploiter sent 2 ETH to the Euler hacker.

The Ronin exploiter encoded a message in the Ethereum transaction asking him to decrypt it using a GitHub repository using the private key that controls the stolen Euler funds.

Blockchain security analysts found that the GitHub repository linked in the message contained a security vulnerability, suggesting the Ronin hacker was attempting to phish the Euler hacker.

“Adding context – the package has a know signature malleability issue, so if the Euler exploiter signs a message with the package their private key could be compromised,” explained blockchain security firm Dedaub in a tweet. 

The repository in question belongs to an encryption and decryption library published by web3 consulting company LimeChain in 2018, forked from an open-source Ethereum ECIES library. LimeChain denied any connection to the hackers’ actions in a tweet shortly after.

“We’ve been building decentralized apps and infra since 2018, in hopes for a better and safer Web, and are open to helping affected parties if needed,” stated LimeChain.

The Euler team responded to the Euler hacker with a blockchain message, advising him to “be very careful using that encryption tool.” The Euler hacker has been in talks with the Euler team through on-chain messages over the last few days, discussing the potential return of $191 million worth of stolen crypto still in his possession. 

“We still want to do the right thing returning funds to the Euler team. Will communicate shortly,” replied the Euler hacker in a message shortly after.

Market participants are still undecided on whether the blockchain messages between the two hackers were part of an actual attempt to steal funds, or if it was merely two parties putting on a show. Last week, the Euler hacker sent 100 ETH to the Ronin hacker’s wallet address, creating confusion over potential links between them. One user described the unlikely series of events as the “most cringe public hacker-on-hacker.”