Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bitcoin

MIT Students Stole $25 Million In Seconds By Exploiting ETH Blockchain Bug, DOJ Says (arstechnica.com) 112

An anonymous reader quotes a report from Ars Technica: Within approximately 12 seconds, two highly educated brothers allegedly stole $25 million by tampering with the ethereum blockchain in a never-before-seen cryptocurrency scheme, according to an indictment that the US Department of Justice unsealed Wednesday. In a DOJ press release, US Attorney Damian Williams said the scheme was so sophisticated that it "calls the very integrity of the blockchain into question."

"The brothers, who studied computer science and math at one of the most prestigious universities in the world, allegedly used their specialized skills and education to tamper with and manipulate the protocols relied upon by millions of ethereum users across the globe," Williams said. "And once they put their plan into action, their heist only took 12 seconds to complete." Anton, 24, and James Peraire-Bueno, 28, were arrested Tuesday, charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering. Each brother faces "a maximum penalty of 20 years in prison for each count," the DOJ said. The indictment goes into detail explaining that the scheme allegedly worked by exploiting the ethereum blockchain in the moments after a transaction was conducted but before the transaction was added to the blockchain.
To uncover the scheme, the special agent in charge, Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office, said that investigators "simply followed the money."

"Regardless of the complexity of the case, we continue to lead the effort in financial criminal investigations with cutting-edge technology and good-ol'-fashioned investigative work, on and off the blockchain," Fattorusso said.
This discussion has been archived. No new comments can be posted.

MIT Students Stole $25 Million In Seconds By Exploiting ETH Blockchain Bug, DOJ Says

Comments Filter:
  • Code is law (Score:5, Insightful)

    by rsilvergun ( 571051 ) on Wednesday May 15, 2024 @11:33PM (#64475877)
    except when it's inconvenient to whoever has the most money. Then we run crying to Uncle Sam for protection.
    • $25M is too little for government protection. But there's good news - we appear to be approaching a territory where $25B will not do the job.

      Will the raising prices kill corruption, what do you think :)

    • Re:Code is law (Score:5, Insightful)

      by vbdasc ( 146051 ) on Thursday May 16, 2024 @02:48AM (#64476043)

      except when it's inconvenient to whoever has the most money. Then we run crying to Uncle Sam for protection.

      Therefore, "code is law" is a big fat lie, peddled by the crypto-bros to scam the gullible. In a nation, the land of the law is the law, period. The only other laws in force are the laws of nature, arbitrary computer code not included.

    • Re: Code is law (Score:5, Informative)

      by NagrothAgain ( 4130865 ) on Thursday May 16, 2024 @10:52AM (#64476757)
      From what I can tell, messing with the blockchain itself did not result in any charges. It was how they went about creating fake shell companies used in the attack, and then their attempts to launder the "coin" afterwards, which got them in trouble.
    • by Asgard ( 60200 )

      Code is law for the coin -- no outside entity can coerce the blockchain. They can _definitely_ coerce *you* though.

    • "code is law" is just a simple contract. contracts can be revoked/broken/violated/changed on how its enforced (hence we all run to gov't)....

      The interesting thing about this story is that while it took 12 secs to do, it took a few minutes with full details (that it took 12 secs) to find the perps. This again, follows my intel gathering mantra: "if you can see me...I can see you."

  • Well... (Score:5, Funny)

    by Mr. Dollar Ton ( 5495648 ) on Wednesday May 15, 2024 @11:39PM (#64475887)

    If they had done it in 12 parsecs instead, they'd still be fine.

  • Motive (Score:2, Interesting)

    What's the motive? Not of the fraudsters, that's easy. But of the US government. Do they intend to return that $25M? Something tells me this is just one money-grab benefiting from the other. The brothers weren't the biggest predatory fish in the sea.

    Somehow integrity of the ETH network doesn't seem like something the US federal government would be interested in protecting.

    • Re:Motive (Score:5, Insightful)

      by Can'tNot ( 5553824 ) on Wednesday May 15, 2024 @11:54PM (#64475903)
      Unfortunately, the government needs to protect anything that people are sufficiently invested in. No matter how stupid it is. If it represents a sufficiently large portion of the economy then it's too big to just ignore.

      Remember that at least two of those bank failures from last year were crypto related.
      • by vbdasc ( 146051 )

        Yes, exactly this. For quite the same reason, government restricts gambling. To protect people. Most real world governments, including USA, are not libertarian dystopias where the people of lower will and/or intelligence can be subjected to unlimited exploitation. Thankfully.

        • by Anonymous Coward
          America does come closer than most western countries though.
        • Are we overlooking the jobs that 90% of the people hold
        • by GlennC ( 96879 )

          Most real world governments, including USA, are not libertarian dystopias where the people of lower will and/or intelligence can be subjected to unlimited exploitation. Thankfully.

          I agree that they're not.....yet.

          Give it a little time.

    • The IRS led the investigation.

      There's the motive.

    • by jonwil ( 467024 )

      If someone found a flaw in the systems belonging to a bank (for example) that allowed that person to take millions of dollars that they weren't entitled to, the authorities would come after them for that with the full force of the law. Why should this be any different?

      • If a bunch of bits were transposed in a computer somewhere that did not result in actual goods/services/real money being impacted, no one would blink an eye.
    • What's the motive? Not of the fraudsters, that's easy. But of the US government.

      Seems easy enough to me. First, cops get to arrest someone. That's what they live for. Second, given the US government's antipathy to blockchain, I'm sure they love headlines highlighting Cyber Crime Lords as a way to create cybercurrency FUD.

  • Well done! (Score:3, Insightful)

    by Vranitzky ( 5222955 ) on Wednesday May 15, 2024 @11:53PM (#64475901)
    Scammers getting scammed? Well done, brothers!
  • by Barny ( 103770 ) on Thursday May 16, 2024 @12:16AM (#64475931) Journal

    Line goes up fast !

    I thought crypto wasn't meant to be governed by the state? I thought it was meant to be "whoever has the bits, owns the bits"?

    • by vbdasc ( 146051 )

      Line goes up fast !

      I thought crypto wasn't meant to be governed by the state? I thought it was meant to be "whoever has the bits, owns the bits"?

      Did any government make any promises regarding that? And did anybody bother to ask the governments about that, for that matter? No? I thought so. Then don't make a Pikachu face when the state does its thing.

      • by Barny ( 103770 )

        I would never make an electric rat face, especially not when I was being sarcastic. It was always the catch call of cryptobros that the currencies were free from regulation and that the ledger was the final decider of who owned anything.

        Then the scams started. Then the same asshats cried to the police that "they stole my apes!"

        This just appears to be a couple of people (who literally google searched how to do crimes) who scammed a bunch of folks running cons.

    • Line goes up fast !

      I thought crypto wasn't meant to be governed by the state? I thought it was meant to be "whoever has the bits, owns the bits"?

      This isn't about regulation. It's about crime. These two stole something owned/held by someone else. It's that simple.

      • by Anonymous Coward
        Did they though?
        Seems they tricked other people who were trying to scam money using bots. Little sympathy from most people.
      • CODE IS LAW!!!

        We are the crypto bros and we are here to create a system outside your evil fiat currency, beyond the control of governments and banks!

    • They chose to use a non-private coin, so no fungibility.

      It's been standard econ for hundreds of years that fungibility is a requirement of any successful current money.

  • by Joe_Dragon ( 2206452 ) on Thursday May 16, 2024 @12:27AM (#64475935)

    can someone do an 51% attract under the law?

  • The write up doesnâ(TM)t really explain anything . Is this because itâ(TM)s a security issue to deter potential actors or the reporters just do not understand the ETH protocol ?
    • by Canberra1 ( 3475749 ) on Thursday May 16, 2024 @02:00AM (#64476007)
      Mod up. Yes completely meatless. I can tell you the transaction protocol on ATM transactions and Airline Tickets is rock solid. It is called a Journal. And there may be MQ ensuring reliable writes the whole way. These blockchain claims - is really saying just another journal with a few tweaks like mainframes. I speculate there is not an MQ, but some que and encrypt function, where some clever person had a go at buffer pointers because it was before 'commit'. In all cases this is negligent programming. Nearly all modern protocols are flawed, because the age of state testing is a lost art, and programmers too lazy to code for ALL exceptions ended with an otherwise 'Panic' exception. These students should get an award for actually being able to read code and identify the uncaptured exceptions.
      • Re: (Score:2, Insightful)

        by Anonymous Coward
        Did you like, try reading the article?

        These pending transactions, the DOJ explained, must be structured into a proposed block and then validated by a validator before it can be added to the blockchain, which acts as a decentralized ledger keeping track of crypto holdings. It appeared that the brothers tampered with this process by "establishing a series of ethereum validators" through shell companies and foreign exchanges that concealed their identities and masked their efforts to manipulate the blocks and seize ethereum.

        To do this, they allegedly deployed "bait transactions" designed to catch the attention of specialized bots often used to help buyers and sellers find lucrative prospects in the ethereum network. When bots snatched up the bait, their validators seemingly exploited a vulnerability in the process commonly used to structure blocks to alter the transaction by reordering the block to their advantage before adding the block to the blockchain.

        If you wanted even more details

        The indictment goes into detail explaining that the scheme allegedly worked by exploiting the ethereum blockchain in the moments after a transaction was conducted but before the transaction was added to the blockchain.

        You could look at the indictment itself.

        • The article was meatless. OK, more was in the indictment, but the exploit sill lacked detail. The HOW part. BTW in computing 101, a transaction is not finished until the journal record has been written - otherwise no rollback would be possible. I dismissed an SQL like injection attack, because that would be too simple - money transactions should have belt and braces parsing. IANAL but these guys had a lousy defense team homing in on the words transaction. You would not believe the **it pulled on ATM's, but
      • The difference, of course, with airline tickets and ATM transactions is that the person making the transaction is known. If you were to exploit a timing bug in an ATM transaction and get extra money, your account would just be debited for the extra amount. You wouldn't actually achieve anything profitable. Block Chain transactions are potentially anonymous and so if you can exploit a race condition and leave with the money, you might be successful.
    • Re:Meatless article (Score:4, Informative)

      by necro81 ( 917438 ) on Thursday May 16, 2024 @08:31AM (#64476411) Journal
      There are multiple paragraphs in the article explaining the scheme.

      The indictment goes into detail explaining that the scheme allegedly worked by exploiting the ethereum blockchain in the moments after a transaction was conducted but before the transaction was added to the blockchain.

      These pending transactions, the DOJ explained, must be structured into a proposed block and then validated by a validator before it can be added to the blockchain, which acts as a decentralized ledger keeping track of crypto holdings. It appeared that the brothers tampered with this process by "establishing a series of ethereum validators" through shell companies and foreign exchanges that concealed their identities and masked their efforts to manipulate the blocks and seize ethereum.

      To do this, they allegedly deployed "bait transactions" designed to catch the attention of specialized bots often used to help buyers and sellers find lucrative prospects in the ethereum network. When bots snatched up the bait, their validators seemingly exploited a vulnerability in the process commonly used to structure blocks to alter the transaction by reordering the block to their advantage before adding the block to the blockchain.

      When victims detected the theft, they tried to request the funds be returned, but the DOJ alleged that the brothers rejected those requests and hid the money instead.

      That is not enough content for you? You can also read the indictment itself [arstechnica.net]. It's only 19 pages - hardly War and Peace. After glazing over the legal gobbledygook, there remains several pages of "meaty" content describing the mechanics.

  • by khchung ( 462899 ) on Thursday May 16, 2024 @01:39AM (#64475987) Journal

    It would be just business as usual.

    For all their smarts, they are too dumb to wait a few years before they can do the same thing on a much larger scale and get very well paid doing it.

    • My thoughts too. Smart enough to break eth, but not smart enough to withdraw the money safely . And 25m is a nice amount but not enough risking 20 years in prison.

      But I think they will be out in year or two and then be govt's bitches for the rest of the term stealing money from bad guys.

  • by Admiral Krunch ( 6177530 ) on Thursday May 16, 2024 @02:24AM (#64476025)

    The brothers, who studied computer science and math at one of the most prestigious universities in the world, allegedly used their specialized skills and education

    So "specialized skills" and "expertise in crypto trading", but not very much common sense.

    The brothers' online search history showed that they studied up and "took numerous steps to hide their ill-gotten gains," the DOJ alleged. These steps included "setting up shell companies and using multiple private cryptocurrency addresses and foreign cryptocurrency exchanges" that specifically did not rely on detailed "know your customer" (KYC) procedures.

    They also researched the "very crimes charged in the indictment," the DOJ said. Among search terms found in the brothers' history during the planning phase of the alleged scheme were phrases like "how to wash crypto" and "exchanges with no KYC." Later, seemingly attempting to prepare for any legal consequences from the scheme, the brothers allegedly searched for things like "top crypto lawyers," and "money laundering statute of limitations," and "does the United States extradite to [foreign country]."

    • by xous ( 1009057 )

      Yet not intelligent or specialized enough to clean their computers and/or conduct all operations from a tails (or similar) box.

    • So "specialized skills" and "expertise in crypto trading", but not very much common sense.

      That tracks. Expertise in crypto trading pretty much demands a lack of common sense.

    • Is KYC a recommendation, a law, what ? if the exchanges are not following proper procedure then the authorities should crack done on them, apparently all they need do to find them is a google search.
  • more background (Score:5, Interesting)

    by bramez ( 190835 ) on Thursday May 16, 2024 @02:27AM (#64476031)

    I read on reddit that the heist was about "tricing MEV bots into buying shit coins"

    So I asked chatgpt what that means:

    Q: in ethereum what is a MEV bot?

    A: MEV stands for "Miner Extractable Value." MEV bots are automated scripts or algorithms that exploit opportunities to extract additional value from the transaction ordering process in Ethereum and other blockchains. They aim to maximize profits by front-running, back-running, or sandwiching transactions to capitalize on price discrepancies or manipulate transaction outcomes for financial gain.

    Q: elaborate. what is front and backrunning and sandwich

    A: Front-running: This occurs when a MEV bot sees a pending transaction on the Ethereum mempool that will likely affect the price of a token or asset. The bot then quickly submits its own transaction, which typically trades the same asset but benefits from the price movement caused by the initial transaction. Essentially, it "front-runs" the original transaction to profit from the anticipated price change.

            Back-running: Similar to front-running, back-running involves observing pending transactions in the mempool. However, instead of trying to profit from anticipated price movements, a MEV bot may try to execute transactions that capitalize on predictable actions or behaviors, such as liquidations or arbitrage opportunities, initiated by other transactions.

            Sandwiching: This strategy involves placing a transaction between two other transactions to manipulate the market or exploit price discrepancies. For example, if a trader submits a large buy order, a MEV bot may quickly submit a sell order before the buy order is executed, then follow up with another buy order at a slightly higher price. This "sandwiches" the trader's order and allows the bot to profit from the price movement caused by the trader's transaction.

    In all cases, MEV bots aim to exploit the order in which transactions are included in a block to maximize profits, often at the expense of other users.

    Q: how can you use this to trick this bots to buy shit coins

    A: Tricking MEV bots into buying "shit coins" (low-value or low-quality cryptocurrencies) can be challenging, but there are a few strategies you might consider:

            Flash Loans: Flash loans allow users to borrow funds without collateral as long as they repay the loan within the same transaction. By borrowing a large amount of a shit coin and then executing a series of transactions that appear favorable to MEV bots, you may be able to create artificial demand for the coin, causing the bots to buy it at inflated prices. However, this strategy requires careful execution and understanding of market dynamics.

            Spoofing: Spoofing involves placing large buy orders for a shit coin with no intention of actually executing them. By creating the illusion of demand, you may attract MEV bots to buy the coin at higher prices. However, spoofing is unethical and may be illegal in some jurisdictions.

            Pump and Dump: This strategy involves artificially inflating the price of a shit coin by spreading positive rumors or using other manipulative tactics to attract buyers. Once the price has risen sufficiently, you and other participants sell off your holdings, causing the price to crash. MEV bots may be susceptible to buying into the pump phase, but this approach is highly risky and may result in significant losses for all involved.

    It's important to note that attempting to manipulate markets or deceive MEV bots carries ethical and potentially legal implications.

  • then pack it up boys because the blockchain is flawed to the roots. Totally not yet another layer-2, bridge or MITM exploit.
  • The punishment should be that they each get whipped 25 million times!
  • by Required Snark ( 1702878 ) on Thursday May 16, 2024 @06:27AM (#64476245)
    These people are former MIT students, not currently enrolled students. It's absolutely misleading click-bate.

    This is an obvious example of the the ongoing culture war attack on higher education in the US. If there is any way to drag well known educational institutions through the mud then someone will take the cheep shot. In 2023 alone Harvard had nearly 25,000 undergrads. Using that rough figure two people is only .008%, so it's not exactly a crime wave. It's a whole lot better then the general population, which is exactly to be expected.

    • by Anonymous Coward
      Well if you're using those figures.
      2 people out of 25,000 did this versus 0 out of everyone else.
      So they're infinitely worse.
      Just what is MIT teaching them?
    • They started in 2022. From their ages they very well could have been students at the time.

      Anyway, so what? You think there is a journalism industry conspiracy to tear down top end schools? Really?

      • Just keep ignoring the .008% value and your explicit claim that Harvard, a often target for being "woke", completely fails teaching ethical behavior.

        Your ethical standards are clearly based on innuendo and ignoring objective information. You personally are an example of the deliberate mudslinging that I pointed out in the first place. Your response proves my point exactly.

        • Lol, wtf are you talking about?

          I never said a word about Harvard and these two are MIT.

          Stop with your copy paste crap or at least edit the school to match the topic.

          You are a clown.

      • Comment removed based on user account deletion
    • These people are former MIT students, not currently enrolled students. It's absolutely misleading click-bate.
      This is an obvious example of the the ongoing culture war attack on higher education in the US.

      Did they drop out because they were so bad at "The brothers, who studied computer science"
      Just what is MIT teaching them about computer science such that they didn't learn about search history?

      The brothers' online search history showed that they studied up and "took numerous steps to hide their ill-gotten gains," the DOJ alleged. These steps included "setting up shell companies and using multiple private cryptocurrency addresses and foreign cryptocurrency exchanges" that specifically did not rely on detai

      • interested...
      • Comment removed based on user account deletion
      • I happened across a youtube playlist of MIT lectures on parallel processing. At least 30, IIRC. I didn't watch much as a cursory peruse showed me it was just droning and slides and I'd be able to get the same information and faster just by finding the book they were copied from. I swear to god one of them was just a set of overhead projected copy/pastes from the gdb man page while the lecturer read from them. How much did this course cost? A room with 15 people that I could see taking notes from man gdb...

        I

    • Three corrections: 1) click-bait 2) cheap 3) Harvard had nearly 25,000 total students, but only 7,755 undergraduates (7,063 Harvard College plus 692 Extension) https://oira.harvard.edu/factb... [harvard.edu] But what does Harvard have to do with this story about MIT students, anyway?
  • Is it really “money”

    • by jonadab ( 583620 )
      There's money involved.

      The ethereum itself isn't currency; but it's an asset that people purchase as an investment, which puts it into the same _general_ category as currencies, stocks, bonds, futures contracts, and so on and so forth. Cryptocurrency in general (not just ethereum specifically but also bitcoin and others) is a bit unusual as such assets go, in that it A) has no tangible value except "whatever people will pay for it", like a fiat currency, but B) is not backed by any of the usual sorts of tr
  • Comment removed based on user account deletion
  • The saddest part of this is that means the government is defining beanie babies as actual currency now.

    • by jonadab ( 583620 )
      Cryptocurrency essentially *is* fiat. It's just... decentralized fiat. The reasons people believe it's worth something are different than with a traditional fiat currency, and rhetoric notwithstanding it's more of an investment asset than a currency, but fundamentally, it's only worth whatever people believe it's worth. It's not backed by any kind of tangible specie. That's pretty much the definition of fiat (in the context of financial assets).

"Hello again, Peabody here..." -- Mister Peabody

Working...