December 20, 2024

Gone in 12 seconds

MIT students stole $25M in seconds by exploiting ETH blockchain bug, DOJ says

Brothers charged in novel crypto scheme potentially face decades in prison.

Ashley Belanger – May 15, 2024 8:21 pm UTC

Within approximately 12 seconds, two highly educated brothers allegedly stole $25 million by tampering with the ethereum blockchain in a never-before-seen cryptocurrency scheme, according to an indictment that the US Department of Justice unsealed Wednesday.

In a DOJ press release, US Attorney Damian Williams said the scheme was so sophisticated that it “calls the very integrity of the blockchain into question.”

“The brothers, who studied computer science and math at one of the most prestigious universities in the world, allegedly used their specialized skills and education to tamper with and manipulate the protocols relied upon by millions of ethereum users across the globe,” Williams said. “And once they put their plan into action, their heist only took 12 seconds to complete.”

Anton, 24, and James Peraire-Bueno, 28, were arrested Tuesday, charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering. Each brother faces “a maximum penalty of 20 years in prison for each count,” the DOJ said.

The alleged scheme was launched in December 2022 by the brothers, who studied at MIT, after months of planning, the indictment said. The pair seemingly relied on their “specialized skills” and expertise in crypto trading to fraudulently gain access to “pending private transactions” on the blockchain, then “used that access to alter certain transactions and obtain their victims’ cryptocurrency,” the DOJ said.

The indictment goes into detail explaining that the scheme allegedly worked by exploiting the ethereum blockchain in the moments after a transaction was conducted but before the transaction was added to the blockchain.

These pending transactions, the DOJ explained, must be structured into a proposed block and then validated by a validator before it can be added to the blockchain, which acts as a decentralized ledger keeping track of crypto holdings. It appeared that the brothers tampered with this process by “establishing a series of ethereum validators” through shell companies and foreign exchanges that concealed their identities and masked their efforts to manipulate the blocks and seize ethereum.

To do this, they allegedly deployed “bait transactions” designed to catch the attention of specialized bots often used to help buyers and sellers find lucrative prospects in the ethereum network. When bots snatched up the bait, their validators seemingly exploited a vulnerability in the process commonly used to structure blocks to alter the transaction by reordering the block to their advantage before adding the block to the blockchain.

When victims detected the theft, they tried to request the funds be returned, but the DOJ alleged that the brothers rejected those requests and hid the money instead.

The brothers’ online search history showed that they studied up and “took numerous steps to hide their ill-gotten gains,” the DOJ alleged. These steps included “setting up shell companies and using multiple private cryptocurrency addresses and foreign cryptocurrency exchanges” that specifically did not rely on detailed “know your customer” (KYC) procedures.

They also researched the “very crimes charged in the indictment,” the DOJ said. Among search terms found in the brothers’ history during the planning phase of the alleged scheme were phrases like “how to wash crypto” and “exchanges with no KYC.” Later, seemingly attempting to prepare for any legal consequences from the scheme, the brothers allegedly searched for things like “top crypto lawyers,” and “money laundering statute of limitations,” and “does the United States extradite to [foreign country].”

To uncover the scheme, the special agent in charge, Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office, said that investigators “simply followed the money.”

“Regardless of the complexity of the case, we continue to lead the effort in financial criminal investigations with cutting-edge technology and good-ol’-fashioned investigative work, on and off the blockchain,” Fattorusso said.

The indictment comes the same month that the Securities and Exchange Commission (SEC) is expected to decide whether to approve an ethereum exchange-traded fund (ETF). According to CNBC, the alleged fraud could fuel SEC skepticism as it reviews the ethereum ETF.

SEC Chair Gary Gensler, a noted crypto skeptic, wants to ensure investors are protected before approving any potentially dangerous listings, CNBC noted.

Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.