Ethereum-based lending protocol Euler Finance could be a step closer to recovering funds stolen in a $196 million flash loan attack last week, with private discussions now initiated with the exploiter.

In an on-chain message to Euler on March 20, days after sending funds to a red-flagged North Korean address, the exploiter claimed they now want to “come to an agreement” with Euler.

“We want to make this easy on all those affected. No intention of keeping what is not ours. Setting up secure communication. Let us come to an agreement,” said the exploiter.

Hours later, Euler replied with its own on-chain message, acknowledging the message and asking the exploiter to talk “in private,” stating:

“Message received. Let’s talk in private on blockscan via the Euler Deployer address and one of your EOAs, via signed messages over email at contact@euler.foundation, or any other channel of your choice. Reply with your preference.”

Euler had previously tried to cut a deal with the exploiter after the exploit, insisting that they return 90% of the funds they stole within 24 hours or potentially face legal consequences.

There was no response, and 24 hours later, Euler launched a $1 bounty reward for any information that could lead to the exploiter’s arrest and return of the funds.

Related: Euler attack causes locked tokens, losses in 11 DeFi protocols, including Balancer

While the identity of the exploiter is not known, the recent language used by the exploiter could suggest more than one person is involved.

In a March 17 tweet, blockchain analytics firm Chainalysis said the recent 100 Ether (ETH) transfer to a wallet address associated with North Korea could mean the hack is the work of the “DPRK” — the Democratic People’s Republic of Korea.

However, this could also be an attempt to intentionally misdirect investigators, the firm said.

Other transactions from the exploiter’s wallet address include 3000 ETH, which was sent back to Euler Finance on March 18, along with funds sent to crypto mixer Tornado Cash and even an apparent victim of the exploit. 

On March 20, another address reached out to Euler on-chain, claiming to have found a “solid string of connections” that could help them find out who and where the exploiter was.

Cointelegraph reached out to the Euler Foundation for comment but did not receive an immediate response.