The entity that was behind the mysterious $5 million Ethereum transaction fees that baffled the cryptocurrency community last week has seemingly been identified as a little-known South Korean peer-to-peer cryptocurrency exchange.

The cryptocurrency exchange, Good Cycle, was first identified by blockchain analytics and security firm PeckShield, which pointed out on Twitter it “appears to be a Ponzi Scheme project.” PeckShield noted its investigation found several security flaws with the project, including the use of HTTP instead of HTTPS, which could have seen it get hacked.

On its website, Good Cycle has published a notice revealing it suffered “repeated” hacks. The address that sent the transactions paying millions in gas fees is now believed to belong to the cryptocurrency exchange. It has, as reported, sent transactions to the mining pools that facilitate the transactions, Ethermine and SparkPool.

In these transactions, made shortly after the address moved most of its remaining funds to a new address on the Ethereum network, it added a message reading “I am the sender,” presumably in an attempt to get its funds back.

After mining the transactions both mining pools set a deadline to wait for contact before distributing the funds between their miners. Ethermine’s deadline has already passed and the funds have been distributed, but the message was sent before SparkPool’s deadline expired.

While it’s unclear what SparkPool’s move will now be, the Ethereum mining pool has been in this situation before. As CryptoGlobe reported last year it mined a transaction with $300,000 in transaction fees attached to it, and ended up splitting the funds with the user after being contacted.

It’s worth noting it isn’t yet clear whether Good Cycle was hacked, or has been targeted in a blackmail attempt. PeckShield initially theorized that hackers used a phishing scheme to get access to its wallets, but were unable to withdraw directly to a wallet they controlled. Instead, they simply moved funds to whitelisted addresses in an attempt to get a ransom out of the exchange before they “burned” everything.

Featured image via Pixabay.