Address poisoning is a scam tactic that takes advantage of crypto traders' tendencies to copy and paste wallet addresses from their transaction histories, since the addresses are long strings of characters that are not practical to type from memory. By creating a new wallet address with identical start and/or ending character strings to addresses used by the victim, and spamming the victim with transactions from that similar address, scammers are sometimes able to get victims to erroneously copy the spoofed address for future transfers.
That's what appears to have happened in this case, when a victim transferred 1,155 wrapped bitcoin — tokens pegged to the bitcoin price meant for use on the Ethereum blockchain — to the malicious address.
The victim and the exploiter later reached an agreement for the return of most of the funds, with the exploiter keeping $7.2 million as a "bounty".