Last week the cryptocurrency community was baffled by a series of Ethereum transactions that paid $2.5 million in gas fees to move, in one case, as little as $130 worth of ETH. While an initial predominant theory suggested blackmail, a researcher is now arguing it could have been a bug.

According to a blog post published by ZenGo researcher Alex Manuskin, the mysterious Ethereum transactions were likely not a part of an elaborate attack. Blockchain analytics firm PeckShield estimated that the transactions were part of a blackmail scheme orchestrated by hackers who managed to access a crypto exchange’s wallet.

The hackers did so via a phishing scheme, PeckShield claimed, but once they had access they were unable to withdraw funds to their address, and could only send them to whitelisted addresses. In what was deemed a “gas price ransomware attack,” they proceeded to send transactions with enormous gas fees to pressure the exchange into paying them a ransom.

Per Manuskin, this theory may not be what actually happened as whoever owned the funds did not try to halt the outflows and do everything they could to stop the ETH transactions with millions in gas fees from being moved. The researcher argued:

For this to happen, the process controlling the address could not be operated from the victim’s environment, because if this were the case, they could have just shut it down, even if it meant shutting down all operations.

The address from which the ETH moved was not a smart contract, so someone is controlling its private key. The entity able to move the ether would then be able to move them to their address, instead of burning the ether in gas fees.

Since Manuskin’s post came out, the address the funds were sent from moved its entire 18,000 ETH stash (worth over $4 million) to another address. From the original address, it sent the mining pool that mined the blocks with the large gas fees – SparkPool and Ethermine – 0.01 ETH, to include a message that reads “I am the sender.”

According to the researcher, the millions paid in gas fees were likely the result of a bug in an automated script that was operating the address. This could also explain why the ETH user decided to move the funds.

Featured image via Pixabay.