MIT Students Stole $25 Million In Seconds By Exploiting ETH Blockchain Bug, DOJ Says (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Within approximately 12 seconds, two highly educated brothers allegedly stole $25 million by tampering with the ethereum blockchain in a never-before-seen cryptocurrency scheme, according to an indictment that the US Department of Justice unsealed Wednesday. In a DOJ press release, US Attorney Damian Williams said the scheme was so sophisticated that it "calls the very integrity of the blockchain into question."
"The brothers, who studied computer science and math at one of the most prestigious universities in the world, allegedly used their specialized skills and education to tamper with and manipulate the protocols relied upon by millions of ethereum users across the globe," Williams said. "And once they put their plan into action, their heist only took 12 seconds to complete." Anton, 24, and James Peraire-Bueno, 28, were arrested Tuesday, charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering. Each brother faces "a maximum penalty of 20 years in prison for each count," the DOJ said. The indictment goes into detail explaining that the scheme allegedly worked by exploiting the ethereum blockchain in the moments after a transaction was conducted but before the transaction was added to the blockchain. To uncover the scheme, the special agent in charge, Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office, said that investigators "simply followed the money."
"Regardless of the complexity of the case, we continue to lead the effort in financial criminal investigations with cutting-edge technology and good-ol'-fashioned investigative work, on and off the blockchain," Fattorusso said.
Code is law (Score:5, Insightful)
Re: (Score:1)
$25M is too little for government protection. But there's good news - we appear to be approaching a territory where $25B will not do the job.
Will the raising prices kill corruption, what do you think :)
Re: (Score:1)
Finders keepers. That's the law of the crypto-jungle. Which is precisely why I am on the side of civilization.
Re:Code is law (Score:5, Insightful)
except when it's inconvenient to whoever has the most money. Then we run crying to Uncle Sam for protection.
Therefore, "code is law" is a big fat lie, peddled by the crypto-bros to scam the gullible. In a nation, the land of the law is the law, period. The only other laws in force are the laws of nature, arbitrary computer code not included.
Re: Code is law (Score:1)
Of course it is a lie. As was known always.
Re: Code is law (Score:5, Informative)
Re: (Score:2)
Code is law for the coin -- no outside entity can coerce the blockchain. They can _definitely_ coerce *you* though.
Re: (Score:2)
"code is law" is just a simple contract. contracts can be revoked/broken/violated/changed on how its enforced (hence we all run to gov't)....
The interesting thing about this story is that while it took 12 secs to do, it took a few minutes with full details (that it took 12 secs) to find the perps. This again, follows my intel gathering mantra: "if you can see me...I can see you."
Re: (Score:3)
With crypto, unless you're breaking into someone else's computer everything is 100% fair game, that's the whole point.
No it isn't, and you may learn it the hard way just like these guys if you try something stupid, like hacking some crypto and not covering your traces well enough.
Well... (Score:5, Funny)
If they had done it in 12 parsecs instead, they'd still be fine.
Re: (Score:1, Informative)
A parsec is a unit of distance, not of time.
Re:Well... (Score:5, Funny)
Not if you round down, buddy.
Re:Well... (Score:5, Informative)
whoosh
Re: (Score:3)
A parsec is a unit of distance, not of time.
You clearly have not watched a sufficient number of bad science fiction movies.
Re: (Score:2)
Han shot first.
Re: (Score:1)
Re: Well... (Score:2)
Re: (Score:2)
Time and distance are the same. How far to the shops? 10mins or 2 miles. Same
for human-achievable speeds, distance is constant but time varies significantly depending on speed / velocity
Motive (Score:2, Interesting)
What's the motive? Not of the fraudsters, that's easy. But of the US government. Do they intend to return that $25M? Something tells me this is just one money-grab benefiting from the other. The brothers weren't the biggest predatory fish in the sea.
Somehow integrity of the ETH network doesn't seem like something the US federal government would be interested in protecting.
Re:Motive (Score:5, Insightful)
Remember that at least two of those bank failures from last year were crypto related.
Re: (Score:3)
Yes, exactly this. For quite the same reason, government restricts gambling. To protect people. Most real world governments, including USA, are not libertarian dystopias where the people of lower will and/or intelligence can be subjected to unlimited exploitation. Thankfully.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Most real world governments, including USA, are not libertarian dystopias where the people of lower will and/or intelligence can be subjected to unlimited exploitation. Thankfully.
I agree that they're not.....yet.
Give it a little time.
Re: (Score:1)
The IRS led the investigation.
There's the motive.
Re: (Score:2)
If someone found a flaw in the systems belonging to a bank (for example) that allowed that person to take millions of dollars that they weren't entitled to, the authorities would come after them for that with the full force of the law. Why should this be any different?
Re: Motive (Score:5, Insightful)
If I have a front door lock that a highly skilled burglar can pick then the cops shouldn't bother to show up when I call.
It's my fault for not having better home security.
Right?
Re: (Score:2)
The problem with AC isn't the cowardliness per se but that it allows cowards to say dumb shit like you with zero accountability.
Re: (Score:2)
Yes. Your home is your castle; defend it as such
Re: (Score:2)
So instead of calling the police, I should shoot the burglar? In many places, such as the entire state of California if you shoot a burglar you're going to prison for a long time.
Instead of these guys getting arrested, the people they ripped off should find them and kill them? And go to prison for a long time.
Okey dokey.
Re: (Score:1)
In the US, you have the second and various other amendments to protect you from such legal action, even in California in the case of burglary. The fact California tries and frequently gets smacked down on these issues is just a matter of either voting or moving as you can see the long-term results from these policies.
These people found a legitimate loophole however, basically it's the same as the bank giving you a loan and forgetting to put down any schedule for repayment or interest payments (which is pret
Re: (Score:2)
2a is a nice theory but good luck relying on it in places like California or New York.
NY just last week convicted a guy for assembling his own guns built with legally acquired parts. Judge literally told the defense they can not use the 2a as a defense because "this is NY and the 2a doesn't exist here".
Re: (Score:1)
And again, unless you stand up to the tyranny, nothing will change. That case won't even get to SCOTUS before it gets reversed, what that judge said should be cause for immediate removal from the bench.
Re: (Score:2)
It should be and I hope so but in the meantime he is going to prison.
My answer was to leave California and go to a place that values freedom. At least now when I shop I don't have to limit myself to the "California specials".
Re: (Score:2)
CA is both stand-your-ground & castle doctrine.
You *might* get in trouble IF you fire on fleeing burglars after they're off your property
Re: (Score:2)
https://www.shouselaw.com/ca/d... [shouselaw.com].
Yet, my friend told me he got 1 wrong on his gun exam last week on a stand your ground question when he said you can blast a burglar. And if you look at how the law is actually applied vs written, they set the standards for 1,2,3 such that you almost never are allowed to apply deadly force in a self defense situation without serious risk of a long jail term.
As opposed to where I am now where the sheriff offers firearms safety courses to everyone and says an armed citizen
Re: (Score:2)
"And if you look at how the law is actually applied vs written,"
Haven't found anything recent that's relevant, not even on the CAguns subreddit
Re: (Score:2)
Since we're talking about California, you should be well aware that the property owner doesn't have nearly the same amount of rights as the criminal. Heck, we are busy talking about closing more prisons down, aka releasing more criminals, because we can't afford to house them AND give our non-citizens free healthcare.
You are supposed to invite the thieves in, give them whatever they ask for and do it with a smile. Don't defend your property, that's WRONG. Them stealing it, not wrong. Just ask any DA in Calif
Re: (Score:2)
the property owner doesn't have nearly the same amount of rights as the criminal
Then become a criminal and watch your rights flow in like candy!
Problem solved.
Re: (Score:2)
Eh, I have this pesky moral issue with causing intentional harm to other people. Even if the state doesn't want to enforce laws and punish deviant behavior, I don't feel like that's a green light for me to become deviant. I don't even believe in karma but I do like the idea of it and the golden rule "Treat others as you want to be treated."
Yes, I'm a sucker but my conscience is clear.
Re: (Score:2)
Really? Care to give examples?
I'd say because ETH is just bits (Score:2)
Re: (Score:2)
What's the motive? Not of the fraudsters, that's easy. But of the US government.
Seems easy enough to me. First, cops get to arrest someone. That's what they live for. Second, given the US government's antipathy to blockchain, I'm sure they love headlines highlighting Cyber Crime Lords as a way to create cybercurrency FUD.
What happened to "code is law"? (Score:2)
I guess not.
Re: (Score:2)
Fascism, dude.
Gotta use a privacy coin if you want code - us - law.
Well done! (Score:3, Insightful)
Line (Score:3)
Line goes up fast !
I thought crypto wasn't meant to be governed by the state? I thought it was meant to be "whoever has the bits, owns the bits"?
Re: (Score:3)
Line goes up fast !
I thought crypto wasn't meant to be governed by the state? I thought it was meant to be "whoever has the bits, owns the bits"?
Did any government make any promises regarding that? And did anybody bother to ask the governments about that, for that matter? No? I thought so. Then don't make a Pikachu face when the state does its thing.
Re: (Score:2)
I would never make an electric rat face, especially not when I was being sarcastic. It was always the catch call of cryptobros that the currencies were free from regulation and that the ledger was the final decider of who owned anything.
Then the scams started. Then the same asshats cried to the police that "they stole my apes!"
This just appears to be a couple of people (who literally google searched how to do crimes) who scammed a bunch of folks running cons.
Re: (Score:2)
Line goes up fast !
I thought crypto wasn't meant to be governed by the state? I thought it was meant to be "whoever has the bits, owns the bits"?
This isn't about regulation. It's about crime. These two stole something owned/held by someone else. It's that simple.
Re: (Score:1)
Seems they tricked other people who were trying to scam money using bots. Little sympathy from most people.
Re: (Score:2)
CODE IS LAW!!!
We are the crypto bros and we are here to create a system outside your evil fiat currency, beyond the control of governments and banks!
Re: (Score:2)
They chose to use a non-private coin, so no fungibility.
It's been standard econ for hundreds of years that fungibility is a requirement of any successful current money.
Can someone do a 51% attack under the law? (Score:3)
Can someone do a 51% attack under the law?
Meatless article (Score:2)
Re:Meatless article (Score:4, Insightful)
Re: (Score:2, Insightful)
These pending transactions, the DOJ explained, must be structured into a proposed block and then validated by a validator before it can be added to the blockchain, which acts as a decentralized ledger keeping track of crypto holdings. It appeared that the brothers tampered with this process by "establishing a series of ethereum validators" through shell companies and foreign exchanges that concealed their identities and masked their efforts to manipulate the blocks and seize ethereum.
To do this, they allegedly deployed "bait transactions" designed to catch the attention of specialized bots often used to help buyers and sellers find lucrative prospects in the ethereum network. When bots snatched up the bait, their validators seemingly exploited a vulnerability in the process commonly used to structure blocks to alter the transaction by reordering the block to their advantage before adding the block to the blockchain.
If you wanted even more details
The indictment goes into detail explaining that the scheme allegedly worked by exploiting the ethereum blockchain in the moments after a transaction was conducted but before the transaction was added to the blockchain.
You could look at the indictment itself.
Re: (Score:2)
Re: (Score:2)
Re:Meatless article (Score:4, Informative)
That is not enough content for you? You can also read the indictment itself [arstechnica.net]. It's only 19 pages - hardly War and Peace. After glazing over the legal gobbledygook, there remain several pages of "meaty" content describing the mechanics.
Re: (Score:2)
This was really important work. Almost as important as some girl's lost diary being found in her old apartment and sold.
If they had done it in Wall Street (Score:4, Insightful)
It would be just business as usual.
For all their smarts, they are too dumb to wait a few years before they can do the same thing on a much larger scale and get very well paid doing it.
Re: If they had done it in Wall Street (Score:1)
My thoughts too. Smart enough to break eth, but not smart enough to withdraw the money safely. And 25m is a nice amount but not enough risking 20 years in prison.
But I think they will be out in a year or two and then be govt's bitches for the rest of the term stealing money from bad guys.
Specialized skills, but not very much common sense (Score:5, Informative)
The brothers, who studied computer science and math at one of the most prestigious universities in the world, allegedly used their specialized skills and education
So "specialized skills" and "expertise in crypto trading", but not very much common sense.
The brothers' online search history showed that they studied up and "took numerous steps to hide their ill-gotten gains," the DOJ alleged. These steps included "setting up shell companies and using multiple private cryptocurrency addresses and foreign cryptocurrency exchanges" that specifically did not rely on detailed "know your customer" (KYC) procedures.
They also researched the "very crimes charged in the indictment," the DOJ said. Among search terms found in the brothers' history during the planning phase of the alleged scheme were phrases like "how to wash crypto" and "exchanges with no KYC." Later, seemingly attempting to prepare for any legal consequences from the scheme, the brothers allegedly searched for things like "top crypto lawyers," and "money laundering statute of limitations," and "does the United States extradite to [foreign country]."
Re: (Score:2)
Yet not intelligent or specialized enough to clean their computers and/or conduct all operations from a tails (or similar) box.
Re: (Score:3)
That tracks. Expertise in crypto trading pretty much demands a lack of common sense.
Re: (Score:2)
Re: (Score:2)
more background (Score:5, Interesting)
I read on reddit that the heist was about "tricking MEV bots into buying shit coins"
So I asked chatgpt what that means:
Q: in ethereum what is a MEV bot?
A: MEV stands for "Miner Extractable Value." MEV bots are automated scripts or algorithms that exploit opportunities to extract additional value from the transaction ordering process in Ethereum and other blockchains. They aim to maximize profits by front-running, back-running, or sandwiching transactions to capitalize on price discrepancies or manipulate transaction outcomes for financial gain.
Q: elaborate. what is front and backrunning and sandwich
A: Front-running: This occurs when a MEV bot sees a pending transaction on the Ethereum mempool that will likely affect the price of a token or asset. The bot then quickly submits its own transaction, which typically trades the same asset but benefits from the price movement caused by the initial transaction. Essentially, it "front-runs" the original transaction to profit from the anticipated price change.
Back-running: Similar to front-running, back-running involves observing pending transactions in the mempool. However, instead of trying to profit from anticipated price movements, a MEV bot may try to execute transactions that capitalize on predictable actions or behaviors, such as liquidations or arbitrage opportunities, initiated by other transactions.
Sandwiching: This strategy involves placing a transaction between two other transactions to manipulate the market or exploit price discrepancies. For example, if a trader submits a large buy order, a MEV bot may quickly submit a sell order before the buy order is executed, then follow up with another buy order at a slightly higher price. This "sandwiches" the trader's order and allows the bot to profit from the price movement caused by the trader's transaction.
In all cases, MEV bots aim to exploit the order in which transactions are included in a block to maximize profits, often at the expense of other users.
Q: how can you use this to trick these bots to buy shit coins
A: Tricking MEV bots into buying "shit coins" (low-value or low-quality cryptocurrencies) can be challenging, but there are a few strategies you might consider:
Flash Loans: Flash loans allow users to borrow funds without collateral as long as they repay the loan within the same transaction. By borrowing a large amount of a shit coin and then executing a series of transactions that appear favorable to MEV bots, you may be able to create artificial demand for the coin, causing the bots to buy it at inflated prices. However, this strategy requires careful execution and understanding of market dynamics.
Spoofing: Spoofing involves placing large buy orders for a shit coin with no intention of actually executing them. By creating the illusion of demand, you may attract MEV bots to buy the coin at higher prices. However, spoofing is unethical and may be illegal in some jurisdictions.
Pump and Dump: This strategy involves artificially inflating the price of a shit coin by spreading positive rumors or using other manipulative tactics to attract buyers. Once the price has risen sufficiently, you and other participants sell off your holdings, causing the price to crash. MEV bots may be susceptible to buying into the pump phase, but this approach is highly risky and may result in significant losses for all involved.
It's important to note that attempting to manipulate markets or deceive MEV bots carries ethical and potentially legal implications.
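Added example (not part of the comment above or of the linked article): a toy constant-product pool in Python showing why the order of transactions inside a block changes what a trader receives, and how a minimum-output bound makes the trade revert instead of filling at a worse price. The pool model, the 0.3% fee, the reserve sizes and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 997, 1000  # assumed 0.3% swap fee for this toy model


@dataclass
class Pool:
    """Constant-product pool holding assets 'A' and 'B' (integer units)."""
    a: int
    b: int

    def quote(self, sell: str, amount_in: int) -> int:
        """Amount of the other asset paid out at the current reserves."""
        r_in, r_out = (self.a, self.b) if sell == "A" else (self.b, self.a)
        net = amount_in * FEE_NUM
        return (net * r_out) // (r_in * FEE_DEN + net)

    def swap(self, sell: str, amount_in: int, min_out: int = 0) -> int:
        out = self.quote(sell, amount_in)
        if out < min_out:
            # Mirrors an on-chain revert: no state change at all.
            raise ValueError("slippage bound violated")
        if sell == "A":
            self.a, self.b = self.a + amount_in, self.b - out
        else:
            self.b, self.a = self.b + amount_in, self.a - out
        return out


@dataclass
class Tx:
    sender: str
    sell: str
    amount_in: int
    min_out: int = 0


def execute_block(pool: Pool, txs: list) -> dict:
    """Apply transactions in the given order; a reverted tx maps to None."""
    results = {}
    for tx in txs:
        try:
            results[tx.sender] = pool.swap(tx.sell, tx.amount_in, tx.min_out)
        except ValueError:
            results[tx.sender] = None
    return results


def min_out_for(pool: Pool, sell: str, amount_in: int, tolerance_bps: int) -> int:
    """Slippage bound: the quoted output minus a tolerance in basis points."""
    return pool.quote(sell, amount_in) * (10_000 - tolerance_bps) // 10_000


def user_fill(ordering: str, tolerance_bps=None):
    """What the user receives when another trade is placed before or after it."""
    pool = Pool(1_000_000, 1_000_000)  # constructed reserves
    bound = 0 if tolerance_bps is None else min_out_for(pool, "A", 10_000, tolerance_bps)
    user = Tx("user", "A", 10_000, bound)
    other = Tx("other", "A", 50_000)  # same-direction trade by someone else
    txs = [user, other] if ordering == "user_first" else [other, user]
    return execute_block(pool, txs)["user"]


if __name__ == "__main__":
    print("user first, no bound :", user_fill("user_first"))
    print("other first, no bound:", user_fill("other_first"))
    print("other first, 1% bound:", user_fill("other_first", 100))
```

With no bound, the user's fill depends entirely on who was ordered ahead of them; with a 1% bound the same reordering produces a revert and the user keeps their funds.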
Re: (Score:2)
Re: (Score:2)
If Attorney Damian Williams said so (Score:1)
They exploited MEV bots (Score:2)
https://www.halborn.com/blog/p... [halborn.com]
Clearly they failed Ethics 101 (Score:2)
Deliberately misleading headline (Score:3, Insightful)
This is an obvious example of the ongoing culture war attack on higher education in the US. If there is any way to drag well known educational institutions through the mud then someone will take the cheap shot. In 2023 alone Harvard had nearly 25,000 undergrads. Using that rough figure two people is only .008%, so it's not exactly a crime wave. It's a whole lot better than the general population, which is exactly to be expected.
Re: (Score:1)
2 people out of 25,000 did this versus 0 out of everyone else.
So they're infinitely worse.
Just what is MIT teaching them?
Re: (Score:2)
They started in 2022. From their ages they very well could have been students at the time.
Anyway, so what? You think there is a journalism industry conspiracy to tear down top end schools? Really?
Re: (Score:2)
Your ethical standards are clearly based on innuendo and ignoring objective information. You personally are an example of the deliberate mudslinging that I pointed out in the first place. Your response proves my point exactly.
Re: (Score:2)
Lol, wtf are you talking about?
I never said a word about Harvard and these two are MIT.
Stop with your copy paste crap or at least edit the school to match the topic.
You are a clown.
Re: (Score:1)
Re: (Score:2)
Did 2 guys from grange hill hack $25m out of the blockchain in 12 seconds and not get reported by journalists?
is it though? (Score:2)
These people are former MIT students, not currently enrolled students. It's absolutely misleading clickbait.
This is an obvious example of the ongoing culture war attack on higher education in the US.
Did they drop out because they were so bad at "The brothers, who studied computer science"
Just what is MIT teaching them about computer science such that they didn't learn about search history?
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
I can't imagine MIT teaches you how to cover your tracks when committing wire fraud.
Can you imagine someone interested enough in IT to study computer science at MIT. And not have a basic understanding of things like this?
From TFA, they did a substantial amount of trail covering and no, that's not something in the formal curricula.
What really surprises me is why they were still in the US. If you have $25 million in your pockets, you're set for life. Move to the Bahamas or some other Eden without an extradition treaty, gradually unload the crypto for gold, and live like kings. They had to know that while crypto transactions are anonymous in principle, they're likely not in practice, so they'd eventually be tracked down. I kno
Re: (Score:2)
I happened across a youtube playlist of MIT lectures on parallel processing. At least 30, IIRC. I didn't watch much as a cursory peruse showed me it was just droning and slides and I'd be able to get the same information and faster just by finding the book they were copied from. I swear to god one of them was just a set of overhead projected copy/pastes from the gdb man page while the lecturer read from them. How much did this course cost? A room with 15 people that I could see taking notes from man gdb...
I
Re: (Score:1)
Money laundering? (Score:1)
Is it really “money”
Re: (Score:1)
The ethereum itself isn't currency; but it's an asset that people purchase as an investment, which puts it into the same _general_ category as currencies, stocks, bonds, futures contracts, and so on and so forth. Cryptocurrency in general (not just ethereum specifically but also bitcoin and others) is a bit unusual as such assets go, in that it A) has no tangible value except "whatever people will pay for it", like a fiat currency, but B) is not backed by any of the usual sorts of tr
Re: (Score:1)
Re: (Score:1)
Federal Beanie Baby Insurance Coverage (Score:2)
The saddest part of this is that means the government is defining beanie babies as actual currency now.
Crypto's better than fiat (right) (Score:2)
And safer, and...
Re: (Score:1)