The hacker's address 0x645c77833833a6654f7edaa977ebeabc680a9109 does have a lot of historical traces. It has been active for 235 days. Figure 1 shows the traces on Ethereum, and Figure 2 shows the traces on Base. Although both have Binance interactions, other interactions suggest that it may just be a third-party trading platform that embeds the Binance account interface.

Another detail you can look at is this:
https://bscscan.com/tx/0x7bc84803296821a7da501fde50347ecbcda974f02e0d0c28fff1e17cd0340a16
A very small amount of money is transferred in, but the address above the source address is an address that has been marked as risky in the past. It may not necessarily have a strong relationship, but it may be a breakthrough.

If the hacker does not refund the money, he can only be very confident that he will not be caught with key clues, otherwise...