On-chain transactions leading up to the return suggest this wasn’t a white hat hacker but a malicious actor who intended to steal the funds before investigators got involved.