
Two MIT students accused of exploiting an Ethereum blockchain bug and stealing $25 million in crypto


Just when you thought you’d seen it all when it came to cryptocurrency theft, two brothers studying at MIT discovered a whole new way to steal millions.

According to a US Department of Justice (DOJ) announcement on Wednesday, Anton Peraire-Bueno and James Peraire-Bueno were both charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering. The brothers allegedly found a way to exploit the Ethereum blockchain and stole $25 million in cryptocurrency in the process.

“As we allege, defendants’ scheme calls into question the very integrity of blockchain,” U.S. Attorney Damian Williams of the Southern District of New York said in a statement. “The brothers, who studied computer science and mathematics at one of the world’s most prestigious universities, allegedly used their specialized skills and training to alter and manipulate the protocols that millions of Ethereum users across the world rely on.”

“Once they put their plan into action, their heist only took 12 seconds,” Williams continued. “This alleged scheme was new and has never been charged before.”

How two MIT students exploited the Ethereum blockchain

Even though part of the brothers’ plan may have lasted only 12 seconds, the DOJ indictment clearly shows that they meticulously planned and prepared for months in order to successfully exploit the Ethereum blockchain.

On the Ethereum blockchain, transactions are not verified in chronological order, but by “maximum extractable value” or MEV, essentially the value that validators can earn from the transaction. Validators verify transactions and, in turn, add new blocks to the blockchain.

According to the DOJ, the two MIT students exploited a flaw in MEV-Boost, open-source software used by 90% of Ethereum validators. After discovering the exploit, Anton and James Peraire-Bueno set up a series of validators using shell companies to conceal their identities. The DOJ says it took “several months” for the two men to prepare their project.

The Peraire-Bueno brothers set their plot in motion by creating “bait transactions” to entice “victim traders” to reveal their trading behavior.

In April 2023, the two men pulled off their $25 million cryptocurrency heist by “luring” victim traders’ MEV bots with eight transactions containing “illiquid cryptocurrencies” to execute and then transfer to stablecoins and other liquid cryptocurrencies. The brothers’ bundled “decoy transactions” were scheduled to be verified by one of their own validators.

From there, the brothers exploited the system by forging signatures to fool the blockchain relay into disclosing transaction information, which they then manipulated. As a result, Anton and James Peraire-Bueno walked away with $25 million and took further steps to cover up their alleged crime.

“These brothers allegedly committed the first manipulation of the Ethereum blockchain by fraudulently accessing ongoing transactions, altering the movement of electronic money, and ultimately stealing $25 million in cryptocurrency from their victims,” Special Agent in Charge Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office said in a news release. “In this case, the IRS-CI New York Cyber Unit simply followed the money.”

According to the DOJ, the two men left a trail of incriminating evidence, including a document describing the exploit in detail, dividing their plan into “four stages”: bait, unblocking, research, and propagation.

Additionally, in the weeks and months following the exploit, the brothers’ search history revealed queries for terms like “top crypto lawyers,” “statute of limitations for wire fraud,” “money laundering,” and “Ethereum fraud address database,” as well as searches regarding countries with which the United States has extradition agreements.

Both men face up to twenty years in prison on each charge.
