How two brothers allegedly swiped $25M in a 12-second Ethereum heist

The US Department of Justice has booked two brothers on allegations that they exploited open source software used in the Ethereum blockchain world to bag $25 million (£20 million). The pair – computer scientists Anton, 24, of Boston, and James Pepaire-Bueno, 28, of New York – are accused of carrying out what deputy attorney …

  1. Catkin Silver badge

    Search history

    I'm astonished that what seems like a rather sophisticated bit of work would occur in conjunction with such an incriminating search history. Either I'm naive about the security a good VPN and a self-sanitising distro can offer, or they really did a crummy job of maintaining deniability.

    1. Michael Wojcik Silver badge

      Re: Search history

      I'm not surprised, to be honest. This is a pretty typical pattern: the brothers were skilled in one area (they understood the validation process, investigated the MEV-Boost source, found a vulnerability, and devised an exploit). Either they assumed their skill in that one area meant they were skilled in all the other areas they'd need to cash out safely, or they were so caught up in the excitement they didn't plan ahead.

      And criminals often have lousy OPSEC. I think it's a cognitive-load thing: criminals have to devise some sort of operation and deal with the stress of being on the wrong side of the law, and thinking about, say, money laundering becomes just one thing too many.

  2. Dinanziame Silver badge
    Windows

    Thanks for the complete explanation

    It's rare these days to get an insight into the workings of crypto stuff that is still understandable, though I suppose this particular story is technically not really about cryptography.

    To be honest, I'm not even sure that what they did is illegal, though they apparently exploited the system to get more information than they were supposed to. It reminds me of the high frequency trading algorithms which apparently offer the same trade at multiple prices and cancel them after getting confirmation, just to find the maximum price that the trade can happen.

    Apart from that, it seems they were able to briefly corner the market for some particularly illiquid cryptocurrencies, which again is not particularly illegal.

    I don't think this really seems a threat to cryptocurrencies in general either. Not only did they immediately get found out, the problem of laundering the money is always going to be a problem.

    1. MachDiamond Silver badge

      Re: Thanks for the complete explanation

      "Apart from that, it seems they were able to briefly corner the market for some particularly illiquid cryptocurrencies, which again is not particularly illegal."

      It IS illegal. Just the attempt to steal something is illegal whether it's worth real money or just a few bonus packs of Monopoly money and the coins under the sofa cushions. Toss in some counts of illicit manipulation of a computer, blah, blah.

      1. DS999 Silver badge

        Re: Thanks for the complete explanation

        Did they really steal something? Sounds like people are using greedy algorithms to maximize their take, and those people got played. If the parties that "lost" in that transaction had treated validation as just that, validation, and not as an opportunity to profit they would have been fine.

        If what the brothers are doing is illegal, why isn't what the counterparties are doing with "MEV-Boost" also illegal? I suppose the answer is the same as it always is - crypto is a fraud, all the way down. Even its design is fraudulent, with built-in ways for people to skim off the top that I guess are supposed to be OK because it is documented somewhere.

        1. Michael Wojcik Silver badge

          Re: Thanks for the complete explanation

          They exploited a vulnerability in MEV-Boost to break the protocol, which is a CFAA violation. MEV bots have to play within the protocol or their deployers are committing fraud. The brothers also ran validators which were deliberately malicious, though that might be a civil matter.

          But as I noted in another post, it's enough for them to have demonstrated a conspiracy to avoid KYC/AML and disguise the source of income, and violated the CFAA. That's plenty to get them on. There may have been tax avoidance as well (I don't think that was stated in the article and I haven't looked).

          Just running a MEV bot is (probably) not illegal if the income (if any) is properly reported. There are lots of MEV bots running (see frequent discussion by White, for example). Running a malicious validator on the Ethereum network is at least a violation of contract and might be fraud. Exploiting a software bug is a CFAA offense, and doing so to make money is aggravating. Conspiracy to avoid KYC/AML is definitely criminal. Attempting to launder income is definitely criminal. Tax avoidance... well, you get the idea.

          I'm not sure why so many people get hung up on whether MEV itself is a crime. That doesn't matter here. Not a bit.

      2. Anonymous Coward

        Re: Thanks for the complete explanation

        It IS illegal. Just the attempt to steal something is illegal

        Cornering the market is not stealing. It means, for instance, buying so much of something that the prices shoot up, then quickly selling before the prices start to go down. As far as I understand, this is more or less what they have done here.

        1. DryBones

          Re: Thanks for the complete explanation

          So, "Pump and Dump", then.

        2. Michael Wojcik Silver badge

          Re: Thanks for the complete explanation

          I'm afraid you understand incorrectly. Try reading the explanation in the article again.

    2. Flocke Kroes Silver badge

      Re: Thanks for the complete explanation

      IANAL: The computer fraud and abuse act is pretty broad and probably covers tricking the relay into revealing the full contents of its proposed block early. If that sticks then the other charges follow.

      1. Michael Wojcik Silver badge

        Re: Thanks for the complete explanation

        CFAA almost certainly applies here. They exploited a bug in MEV-Boost, for financial gain. They compounded that with several other illegalities, but that's a felony right there.

    3. heyrick Silver badge

      Re: Thanks for the complete explanation

      "an insight into the workings of crypto stuff"

      I read that lot twice, and it just seems to me like every bot is just in it for the money. It's like a bank commission gone horribly wrong.

      1. steviesteveo

        Re: Thanks for the complete explanation

        It's incredible stuff, really. The idea that your transaction potentially won't even get recorded if some random middleman doesn't front-run it, and that's just how it goes, amazes me.

      2. Michael Wojcik Silver badge

        Re: Thanks for the complete explanation

        Uh, yeah. Why else? Are the bundlers and validators going to do it out of the goodness of their hearts?

        Banks are mostly in it for the money, too. (Non-profit banks like credit unions are a bit different, but the people who work for them still draw a salary.)

        I am not at all a fan of cryptocurrencies, but I don't expect them to be altruistic.

    4. Jon 37

      Re: Thanks for the complete explanation

      The problem they will have is the money laundering charge.

      Any bank transfer with ill-gotten money is money laundering. You might think that the prosecutors should have to prove that the money was illegally acquired. But there have been cases where people were found not guilty of illegally acquiring the money, but guilty of money laundering.

      And the sentence for money laundering can be many years imprisonment - for each bank transfer. Far higher than the fraud charges.

      They will likely plead guilty to the fraud charges in exchange for the prosecutors dropping the money laundering charges.

      It really doesn't matter if what they did was actually illegal or not. It looks bad for them, and that's enough for a jury to convict. And the fear of that will make them plead guilty to some of the charges.

    5. Michael Wojcik Silver badge

      Re: Thanks for the complete explanation

      They deliberately avoided KYC and AML, which is sufficient for some significant Federal charges. (And we know it was deliberate thanks to all that incriminating evidence they allegedly left behind.) By the same token, prosecutors can show conspiracy to defraud the Federal government; they looked for information on money-laundering and so forth.

      No doubt there will be people touting the "code is law" meme — but that's a canard; as far as the government is concerned, code is very much not law, and since the government makes and enforces the law they get to decide.

      By exploiting a vulnerability in MEV-Boost, they violated the Computer Fraud and Abuse Act. So they're potentially in the dock for that, too.

      I haven't looked at any of the court paperwork to see what the specific charges are, but these two most definitely broke the law in a number of ways. (More like Pepaire-No-Bueno, am I not right? No doubt someone else has made this pun below.)

    6. Blazde Silver badge

      Re: Thanks for the complete explanation

      It reminds me of the high frequency trading algorithms which apparently offer the same trade at multiple prices and cancel them after getting confirmation, just to find the maximum price that the trade can happen.

      This is spoofing and is explicitly illegal in the US as part of the post-financial crisis financial regulation. Before that... I guess the perspective should just be that financial traders are not good role models if you want to be sure of staying on the right side of the law.

      But as others have said the money laundering charges are probably a slam dunk anyway. Which may well mean a plea bargain and wire fraud charges won't reach court.

  3. JamesTGrant Silver badge

    So they understood how to create a node, and exploit the blockchain voting system. They set up a couple of LLCs and planned this over many months. They invested hundreds of thousands of dollars into setting themselves up using the mechanics of the system they were attacking. But at no point did they test an exit strategy, they didn’t learn how to transfer to a brokerage account or cash out? Seems unlikely.

    More likely - caught before doing the next thing then feign ignorance.

    ‘Your Honour - it wasn’t me. I never learned to read’

    1. Sorry that handle is already taken. Silver badge

      "Code is law" and "not your keys, not your coins" have been memes in the cryptocurrency sphere since the beginning. Perhaps these two really believed it.

    2. Flocke Kroes Silver badge

      Re: exit strategy

      Transferring money to an unauthorised account is tricky. Withdrawing cash from that account without getting caught is much more difficult, hence the need for money mules. Lack of a well thought out exit makes me consider the possibility that someone else set up a couple of patsies and will wait for a conviction before cashing out. Anyone capable of pointing this much evidence at the accused doesn't need to put in all the work required to exploit the Ethereum network.

      1. Tom Chiverton 1

        Re: exit strategy

        Probably whoever loaned them the starter funds. Mob?

    3. Michael Wojcik Silver badge

      Unlikely? This is what we see in most of the cases where someone is caught. If they're better at it, they don't get caught.

      But plenty are not better, and are caught.

  4. W.S.Gosset Silver badge

    Good example of "novel" risks for tyro/blinkered coders

    All the current CBDC implementations are built on Ethereum.

    1. Catkin Silver badge

      Re: Good example of "novel" risks for tyro/blinkered coders

      I'm not sure the exact same risks exist for CBDCs because they're centrally validated. There's certainly room for other vulnerabilities but, in my view, the most dangerous outcome for the individual is them functioning as intended.

      The granularity and auditability they grant to governments means that a despotic government at the helm of a country wholly or largely using CBDCs as currency would be able to silently unperson any opposition for orders of magnitude less manpower than is required for other forms of currency. I'd even go so far as to propose that a single suitably empowered individual (given appropriately poor oversight) could steer the algorithms needed to target their chosen deplorables.

    2. Len

      Re: Good example of "novel" risks for tyro/blinkered coders

      As far as I'm aware, one of the furthest advanced CBDC projects has not even decided whether it will use a blockchain, so the choice of Ethereum (unlikely if you ask me; they'd probably opt for a more modern, 3rd generation blockchain) has definitely not been made yet.

      I wouldn't be surprised if the Digital Euro project wouldn't choose to use a Blockchain at all. Using a Blockchain has some benefits that wouldn't apply in a CBDC while doing it without a Blockchain would make it faster, cheaper and better to handle the scale of transactions we'd be talking about.

    3. MachDiamond Silver badge

      Re: Good example of "novel" risks for tyro/blinkered coders

      "All the current CBDC implementations are built on Ethereum."

      It really doesn't matter at all what the details are, the whole concept is fraught with badness, dare I say evil. If The Man can shut off the access to your money, you get no food, the utilities shortly go off for non-payment, you can't get to work so are sacked and other stories. This can happen if somebody fat-fingers an entry somewhere transposing your citizen number with somebody else's and before you have the time to sort out what happened and get it fixed, you are starving on the streets alone and cold. The "Office of Sorting Things Out" will be chronically short-staffed and have limited funds and little authority. All they'll be allowed to do is consider your case and, if they like you, stamp "approved" so the paperwork gets added to the pile on some desk at the "Doing Something About It Administration".

      1. Catkin Silver badge

        Re: Good example of "novel" risks for tyro/blinkered coders

        Thanks, I was worrying about despotic (or worse, despotic for the 'greater good') government when it came to CBDCs, now I can worry about Buttle and Tuttle as well.

      2. Missing Semicolon Silver badge

        Re: Good example of "novel" risks for tyro/blinkered coders

        Not worried? Ask the truckers that protested in Canada.

  5. SVD_NL Silver badge

    I can't help but be impressed...

    ...by criminals exploiting systems in such a huge and sophisticated way.

    It's not like no one in this multi-billion dollar industry has tried, be it white or black hat.

    Don't get me wrong, I still think they're arseholes, just very impressive arseholes.

    1. Michael Wojcik Silver badge

      Re: I can't help but be impressed...

      By cryptocurrency standards, this was not particularly huge, and only moderately sophisticated. Just look at the past year or so of Molly White's archive.

  6. Natalie Gritpants Jr

    Not sure who the criminals are, or if there are any. MEV-Boost is open source, so the exploit is a publicly documented way of using it. Seems like the accused are just better at manipulating the blockchain than the victims (who are also trying to rip off genuine users by using MEV-Boost).

    1. doublelayer Silver badge

      "MEV-Boost is open source, so the exploit is a publicly documented way of using it."

      That's not how open source works. It is a discoverable way of breaking it, but there is a reason why it's considered a bug. Heartbleed was also a publicly discoverable flaw in open source software, but using it to steal data wouldn't be legal. Your argument appears to say that if it's with open source software, then you are legally allowed to do anything you are able to do. The law doesn't think so. They could try arguing whether this manipulation is an illegal kind or not, but just because open source software was involved won't change it.

      1. Michael Wojcik Silver badge

        And more importantly, it is very much not how the CFAA works. The government decides whether how you (ab)use code is a crime, and it's not a question of whether it's open source.

  7. James Anderson Silver badge

    How was this illegal?

    They exploited a flaw in the system, but, as far as I can see they just did completely valid transactions.

    Doesn’t seem much different from my bank taking five days to process a foreign currency transaction, when the SWIFT system takes a maximum of two minutes to process a transaction and usually completes in about two seconds; for the rest of the four days, 23 hours and 59 minutes the banks use my money to play the market.

    1. Anonymous Coward

      Re: How was this illegal?

      That would only be a problem if the transaction rate was chosen to be the most disadvantageous to you among those 5 days, rather than the rate on the day you initiated the transaction. In general though, they already take a big enough cut in the initial transaction rate anyway.

  8. Howard Sway Silver badge

    The statue of limitations

    This story is really great : it's like a bunch of bank robbers painstakingly tunnelled their way into a bank vault, grabbed loads of cash, then got caught after walking into a shop and asking if they could buy lots of bags with a big "$" sign and the word "LOOT" on them.

    Storage box big enough for a laptop? Did they not even know that that would raise red flags, and that you can take the hard drive out of a laptop anyway? Sounds as if they were so clever at the technical details of the plan, that they had no brainpower left over for any of the actual mechanics of the real world they would have to deal with afterwards if it succeeded.

    1. Snowy Silver badge
      Coat

      Re: The statue of limitations

      A cyber version of the Hatton Garden heist: the robbery was well planned and executed, but the disposal of the loot afterward was laughably bad. They were all caught within a few days.

      https://en.wikipedia.org/wiki/Hatton_Garden_safe_deposit_burglary

      https://www.youtube.com/watch?v=dpuHrZRS4rY

    2. Anonymous Coward

      Re: The statue of limitations

      Deep but narrow thinking - like the hole they fell into.

  9. newspuppy

    A bug you say?

    A software bug allowed the whole blockchain/coin to be taken advantage of?

    Wow.. I had a prof who told the class, that the only software with no bug was a Reset instruction that executes at reset... and then one has to deal with hardware faults....

    In a bank, when something odd is happening.. humans pause the protocol. In software it is a branch that happens that was not accounted for in the billions/hundred millions of branches that occur every second.

    And a branch later, the 'crypto' goes the wrong way.

    Until we have software without bugs... we will have cryptocurrencies with faults...

    1. MachDiamond Silver badge

      Re: A bug you say?

      "Until we have software without bugs... we will have cryptocurrencies with faults..."

      Some crypto currencies have more "value" than a handful of large banks so they make juicy targets. A single bank failing isn't an insurmountable problem as insurance will cover much of it. 4-5 big banks going Tango Uniform at the same time would not be covered by insurance and the crash afterwards would be felt across wide swathes of personal and business finances. What if something bad happen to Bitcoin?

      1. Michael Wojcik Silver badge

        Re: A bug you say?

        What if something bad happen to Bitcoin?

        Yeah, what if something bad happened to Bitcoin?

        Probably there would be no lasting consequences, because most of the people using Bitcoin are either true believers who ignore problems or criminals who consider it acceptable risk and cost of doing business.

  10. Anonymous Coward

    Kids eh?

    They never seem to have enough pocket money these days.

  11. Claptrap314 Silver badge

    Ethereum was a train wreck from the first day...

    A few years ago, I was looking for work, wondered about crypto. I've never trusted the idea, mostly because nation states go to war over currency controls, but I needed a job. I read the whitepaper--and yelled at the air for half an hour. There was no check for integer overflow AND the cheapest instruction was one gas. (I immediately knew that the hack that led to the Ethereum fork would happen.) That's arrogant & naive at best.

    THEN they've moved to this ridiculous proof-of-stake model, whereby the entire concept of distributed trust is thrown out in the name of being "green".

    Turns out they had to introduce multiple layers of complexity to do it as well.

    Not at all clear to me that there is any crime other than releasing this idea on an uneducated public.

    1. Michael Wojcik Silver badge

      Re: Ethereum was a train wreck from the first day...

      And you didn't even mention "smart contracts", which was the original reason for Ethereum.

      And Ethereum is in some ways less daft than many of the other cryptocurrencies.

  12. John69

    I could be missing something here, but could not the crypto woo be stripped out of this story, leaving "The brothers made an order for $25m of things, the traders bought the things for $25m from the brothers and they never honored the original order"? This does not on the face of it seem the most novel model of financial fraud, and it would seem that procedures to prevent it have developed over the millennia. Have the crypto traders of today forgotten what the Phoenicians knew of commerce?

    1. david 12 Silver badge

      The Brothers changed the orders put in by some scammy front-runners in a completely dodgy 3-card-monte market, so that the scam artists got left with 25m of things that the scam artists had bought as part of their scam. Only the things aren't worth 25m anymore; the scam artists got scammed.

      It appears that crypto front-running using inside information is legal at one level of the market, and insiders pay to play in that market. It's supposed to balance out in a free-market kind of way, so it's not actually a scam, it's a user-pays market.

      But in this particularly illiquid market, that free-market balance doesn't work, it's a total scam, and when the market is subverted, the legal scam artists suddenly lose instead of the Brothers.

      The Brothers are being prosecuted for wire fraud, not for stealing.

  13. VicMortimer Silver badge
    Trollface

    Shouldn't be illegal

    The fix for all of this crypto nonsense is to simply let anybody do anything like this. Let the risk increase to the point that the fake 'currency' is too dangerous for anybody to put any actual money into it.

    "Oh, they changed something so they got more funny money? Yeah, that's not a crime. Go away."

  14. Anonymous Coward

    One day late, 25 million dollars short

    If only they had done it on April first, they would have sent all the funny money (including the 100K deposit) to the FBI and announced it as a big April Fool's joke - the Fool being the Ethereum blockchain.

    Even if the 100K weren't returned by the fool, the reputation bonus for their escapade would be worth much more in the long run. They would be receiving Priceless Respect and a lot of opportunities.

    Instead they showed they were merely very clever, but woefully short on common sense, as well as not giving a damn about the disrespect they brought on themselves, their university, and anybody in the computer technology field.

    That said, they are presumably young, and therefore possibly capable of self reform. If they admit wrong and sincerely vow to go on the right track, then I wish them the best, but they have severely harmed their trustworthiness and made their lives much harder.

    1. Michael Wojcik Silver badge

      Re: One day late, 25 million dollars short

      they are presumably young

      24 and 28. It's in the article.

      Also, I don't think "we sent the money to the FBI" is an explicit defense to violations of the CFAA, KYC/AML regulations, etc.
