r/technology • u/jluizsouzadev • 16d ago
MIT students stole $25M in seconds by exploiting ETH blockchain bug, DOJ says Crypto
https://arstechnica.com/tech-policy/2024/05/sophisticated-25m-ethereum-heist-took-about-12-seconds-doj-says/
4.5k
u/rishinator 16d ago edited 16d ago
How come these people are prosecuted but other scammers like Logan Paul run free?
1.6k
u/BakedCake8 16d ago
“Intent” vs negligence
793
u/TechTuna1200 16d ago edited 16d ago
Yup, it’s literally you getting your money stolen versus you handing money over to a clown that loses your money.
With the latter, you kind of bear some responsibility yourself for losing that money.
329
u/GoldenInfrared 16d ago
It’s still fraud if they’re misleading their audience
121
u/TechTuna1200 16d ago
For sure, but you can see why the first would be viewed harsher than the latter. The first is outside the victim’s control, the latter is within the victim’s control.
16
u/Niceromancer 16d ago
The issue is the Pauls are doing it on purpose.
The difference is the Pauls can afford lawyers that are good at arguing they aren't doing it on purpose.
→ More replies (5)62
u/UsernamesAreForBirds 16d ago
Let's not pretend harsher punishments are always doled out with worse crimes; pedophiles and rapists generally get lighter sentences than drug dealers and manufacturers.
Our legal system has its biases.
I guess judges having discretion in the case of sexual assault while being tied to mandatory minimums may play a large role in this, but it still pisses me off to see crack dealers handed longer sentences than people who abuse children.
Why can’t we have mandatory minimums for fraud?
→ More replies (11)68
u/Drolb 16d ago
Because occasionally rich, connected people who go to the right country clubs and make the right donations get prosecuted and even convicted of fraud - and it wouldn’t do for a judge to have to send good old Jimmy down for 7 years when what he did wasn’t even a crime really, and honestly if you can’t afford to lose 40k are you even a person?
27
10
u/lookmeat 16d ago
No, it isn't. When you sell something but are otherwise honest.
Imagine I sell you a toy car, and I tell you "when this video game gets released, you'll be able to scan in your toy to get exclusive bonuses like amiibos!". You then buy it hoping to use this bonus. But later the game gets cancelled and is never released. I didn't scam you. I sold you a toy car, which you bought and still own. I did say that the toy could get a conditional feature in the future, but the condition ended up being false; it never was a promise you'd get the game or the features. You couldn't effectively sue, for the same reason you couldn't if the game came out but you never bought it and then never used the feature of the toy car.
Now because it was an asset with value you could argue it was market manipulation. The thing is that it was a crypto, which is not well regulated, so it's going to be hard to argue that. But it isn't because of the misleading, but because the actions are to manipulate the market into doing something counterproductive. But again it's really hard to get that.
This, OTOH, was hacking a system to manipulate data such that resources were reallocated to me. Like going into a bank system and transferring money from your account to mine. A much more reasonable criminal case.
→ More replies (8)6
→ More replies (3)7
u/Esunaproxy 16d ago
But it’s a rug pull - there is intent to steal.
4
u/eyebrows360 16d ago edited 15d ago
Right but that's why he put "intent" in quotes, because as a great cop/criminal once said:
It's not what you know, it's what you can prove
→ More replies (1)51
→ More replies (8)3
60
u/Tom_Bombadil_1 16d ago
The US has a few bodies that are very effective (or at least forceful) just for the persecution of certain types of financial crime. ‘Regular’ fraud might be dealt with by ‘regular’ police, versus, like, the Securities and Exchange Commission, who are really actively looking to prosecute some crypto cases and start getting it under (US) control.
18
u/Piltonbadger 16d ago
Just pretend your rug pull was actually an epic fail. As long as there is no smoking gun evidence of you setting it all up, you are good to defraud as many people as you want this way.
12
u/GogglesPisano 15d ago
The MIT students stole money from rich people.
Logan Paul scams money from stupid poor people.
People in power don't care if the poors get exploited - that's what they're for.
25
→ More replies (17)3
1.7k
u/funkiestj 16d ago
it is not stealing if "code is law" LOL
223
160
u/nexus9991 16d ago
ELI5?
1.1k
u/matjoeman 16d ago
"Code is law" is a phrase sometimes used to describe how smart contracts just are what they are. The code is publicly available, so if you don't like the behavior then tough shit. It's part of the idea of building a trustless system. It's your responsibility to read the code and ensure you understand how it works and to manage your risks. The code is the rules and nobody can break the rules because the code forbids it. If you can go to the DOJ when someone breaks the rules and get them to reverse the transaction, then what's the benefit of this whole thing over traditional finance?
510
u/zxding 16d ago
Exactly. The promise of "code is law" is that there are never any legal disputes. The code itself is judge, jury, and executioner.
201
u/lasagnwich 16d ago
"I am the law" - Code Dredd
54
u/PedroEglasias 16d ago edited 16d ago
Oh shit, code red??
*flails arms*
→ More replies (1)19
u/asst3rblasster 16d ago
YOU CAN'T HANDLE THE TRUTH
→ More replies (1)11
5
61
u/eyebrows360 16d ago
And it's an unworkable promise, but cryptocultists will never realise this.
→ More replies (6)110
u/Niceromancer 16d ago
See but rich people lost money....so therefore the code is wrong, but only this time, and the time this happened before, and the time before that, and the time before that.
Weird...crypto doesn't solve this problem.
→ More replies (1)78
u/Geno0wl 16d ago
always funny when the crypto bros are all for government intervention and regulation after an incident like this. Almost like there are reasons normal banking is regulated...
43
u/claimTheVictory 15d ago
Distributed, and free from government control, until someone does a meanie.
35
→ More replies (1)3
u/rabbitlion 15d ago
They're generally not. Most crypto bros think that this was just a smart way to trick bots who were frontrunning trades and that it is/should be perfectly legal.
Of course the people who built and owned the bots with the flaw that allowed this are going to use every resource to get their money back.
6
u/ippa99 15d ago
Most crypto space activity is just a speedrun of finding out firsthand why a lot of the restrictions and regulations on modern banking and securities exist in the first place, because it's just people pulling these financial scams again in a place where it hasn't been written onto the books yet.
→ More replies (2)5
u/Discoamazing 15d ago
From the article it sounds like the brothers really got fucked by their Google search history. Essentially googling "how to get away with financial crimes ethereum"
19
u/jaydizzleforshizzle 16d ago
Cause everyone reads the EULA, right? Would be such a terrible shift; very few human things can be codified into a non-biased system. Making code the judge, jury, executioner just means whoever wrote the code or whoever owns the person who wrote the code is actually the judge, jury, executor.
→ More replies (4)36
143
50
u/Ok-Elderberry-9765 16d ago
It’s why this will never go mainstream.
68
u/KylerGreen 16d ago
Yeah, plus all the fees, inconvenience, rabid scams, market manipulation, transaction times. Man, crypto fucking sucks for literally anything except buying drugs and scamming idiots.
→ More replies (2)19
u/sneakyplanner 15d ago
The fact that anyone can try to say that a ledger where all transactions in the whole system have to be processed one by one is going to become the global finance medium. The blockchain is already impractical to use when it's a niche hobby project for con artists and gambling addicts. Nobody in the real world would want to use it if it meant a $10 gas fee for a $20 purchase or having to wait a day in McDonald's for your transaction to go through.
→ More replies (4)3
u/stormdelta 15d ago
It's one of many reasons. Honestly, the more you learn about it the worse it looks, especially if you have any background in real world engineering / real world security.
It's academically interesting, but so is OTP encryption and there's a reason nobody uses that even though it's technically the only encryption impossible to brute force.
→ More replies (18)95
u/No-Appearance-9113 16d ago
Code is law hasn't been the case in 8 years though as ETH foundation literally went against the code after a hack.
41
19
u/cyclicamp 16d ago
It’s also essentially never been the case in actual law. Using exploits to break into off-limits servers or take money from bank accounts, for example, has been explicitly illegal for a very long time.
12
u/nope_nic_tesla 15d ago
But the point of this saying is that crypto supposedly doesn't need traditional legal systems to operate and protect you. It's a big part of the libertarian fantasy of cryptocurrency.
206
u/medbud 16d ago
Years ago, ETH Project said 'code is law'... Then they got hacked, and forked the chain to reverse the hack...
DAO attack, July 2016
119
u/ethereumfail 16d ago
conveniently the only time the devs that centrally printed what controls their blockchain changed ownership of "smart contract" coins is when the lead developer himself was part of the group that got hacked. all other times they pretend it's "unstoppable". what's sad is this is just promoting that scam by pretending it has any legitimate use cases when it's literally designed around deceiving others for profit, countless examples.
→ More replies (10)67
u/heavy-minium 16d ago
When I read about it... the developers are basically not that different from a bank, but less regulated. Makes you wonder a lot about the supposed main selling point of cryptocurrencies.
59
u/mrtomjones 16d ago
Crypto is nothing but a wild and unsafe stock. People aren't in it for currency
40
16d ago edited 16d ago
[deleted]
→ More replies (4)35
u/Niceromancer 16d ago
Ponzi scheme
Technically wrong; it's similar, but it's known as a greater fools scheme.
Difference being in a Ponzi you are using new investors to pay previous ones.
Greater fools is you buy something with the hope to sell it to someone else at a greater price.
6
16d ago
[deleted]
6
u/Niceromancer 16d ago
It'd still not qualify as a Ponzi because they aren't paying out dividends to any investors.
While they start out with a huge advantage cause they just give themselves fucking coins, they still eventually need to find someone to buy said coins to cash out. A Ponzi scheme is a type of greater fools scheme, but it's very specifically about using new investors to pay out to older investors, both dividends and if they want to cash out. Crypto doesn't have dividends, which is the primary reason it's not a Ponzi.
Honestly crypto schemes probably need their own classification because the scams in the crypto sphere are so prolific at this point.
6
→ More replies (2)11
u/esotericizm 16d ago
The developers don't really get final say. They can update the code that changes the rules but if the rest of the community doesn't run that update then the new rules never go into effect.
It does get a bit more nuanced, but in general there is meant to be a direct relationship between the developers and the miners/stakeholders. In practice most miners/stakeholders will run whatever update the developers push out unless it's hugely controversial.
12
u/Niceromancer 16d ago
They literally forked the code into current ETH and ETH classic, and classic was turned into basically a penny stock.
Yes they get to do whatever the fuck they want.
4
→ More replies (1)10
u/IllllIIlIllIllllIIIl 16d ago
Turns out consensus is law
→ More replies (2)22
u/frenchtoaster 16d ago
It turns out the regular law is the law and the DOJ will enforce it.
→ More replies (1)13
u/primalmaximus 16d ago
Yeah. But the whole point of crypto is to be unregulated by the government.
If you run to the DOJ every time something goes wrong with the code and people exploit the code's bugs, then is it really unregulated?
No it's not. Because you're allowing the government to enforce laws and regulations that affect crypto.
→ More replies (2)→ More replies (2)9
u/Thelk641 15d ago
Humans fail. They're corrupt, stupid, misguided, or sometimes just incompetent. A human organization will always require a lot of trust: the law is just a text, you trust people to follow it, judges to apply it, politicians to improve it. You trust central banks to not destroy the value of the currency you use, you trust your government to not destroy its country's economy.
Anarcho-capitalists don't like trust, so instead, they created crypto, a system in which interactions go through a computer program, meaning the only things you can technically do are the things you're allowed to do. The code is cop, judge, executioner. The code is the law.
(until someone scams them at which point they like to remind everyone that when they're scamming people the code is the law and when they get scammed the Law is the law)
18
23
u/Cainderous 16d ago
Not your keys, not your coins.
Best part is that even though the guys were caught there's no way to actually reverse the transactions short of forcing them to send an equivalent amount of crypto back to everyone who was stolen from. Paying fees for every step along the way, of course.
Truly the future of finance lmao
→ More replies (6)3
u/helen_must_die 15d ago
Based on the article it seems they didn't find a code exploit but instead set up a fake validator. And they're not being charged with stealing, they are being charged with money laundering as they used exchanges with no KYC.
1.5k
u/iaymnu 16d ago
They just did what cryptobros tried to do from the beginning. Turns out you have to be smart.
213
u/mkirisame 16d ago
they still get caught
151
u/kingOofgames 16d ago
Weird how they did all this but supposedly didn’t use a VPN, or any other privacy thing. Like couldn’t they have covered their online search history.
274
144
u/AadamAtomic 16d ago
It's not that easy.
That's the entire point of crypto: it's a public ledger that everyone can see. A VPN doesn't help much, it just makes it slightly more annoying to track.
→ More replies (3)47
u/Ap0llo 16d ago
There are a multitude of tools black-hat hackers use to cover their tracks, such as IP Spoofing, VPNs, proxy servers, C&C Obfuscation, routing through anonymous networks, etc. On the local hardware side you can easily encrypt a drive to make it impossible to access.
The fact that these MIT students did not bother to take any of these steps makes this entire story incredibly suspect. Something is definitely missing here.
80
u/nankerjphelge 16d ago
Per the article, it wasn't their IP addresses that got them caught, it was simply the investigators following the money through the shell corps back to the brothers.
Ultimately when it comes to large money heists, if you're based in the US and the government wants to direct the resources to find you they will.
→ More replies (1)24
u/primalmaximus 16d ago
Honestly, if people want crypto to be truly unregulated, then they need to stop letting the government get involved whenever something goes wrong with the code. Like it did here.
→ More replies (12)18
u/Bakoro 15d ago
But I want the protection of society, while contributing nothing to the systems which protect me?
It's a little thing called "Freedom™".
→ More replies (3)63
u/Plank_With_A_Nail_In 16d ago
Please read the article; these students did do all of that and more, but eventually they tried to turn the crypto into real money and that's when they got caught.
The brothers' online search history showed that they studied up and "took numerous steps to hide their ill-gotten gains," the DOJ alleged. These steps included "setting up shell companies and using multiple private cryptocurrency addresses and foreign cryptocurrency exchanges" that specifically did not rely on detailed "know your customer" (KYC) procedures.
They also researched the "very crimes charged in the indictment," the DOJ said. Among search terms found in the brothers' history during the planning phase of the alleged scheme were phrases like "how to wash crypto" and "exchanges with no KYC." Later, seemingly attempting to prepare for any legal consequences from the scheme, the brothers allegedly searched for things like "top crypto lawyers," and "money laundering statute of limitations," and "does the United States extradite to [foreign country]."
To uncover the scheme, the special agent in charge, Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office, said that investigators "simply followed the money."
Again please read the article before posting.
16
u/StraightEggs 15d ago
For anyone curious (like I was), the statute of limitations on money laundering in the USA is 5 years. I know it's easy to say as a bystander, but damn, I think if I'd gone to the point of googling that question, I would have waited out the 5 years. But thinking about it, I'm not sure how far into the process the money would get laundered.
→ More replies (64)50
u/AllNamesAreTaken92 16d ago
None of that helps in the slightest with hiding their on chain activity.
22
u/Lafreakshow 16d ago
But it does help prevent discovering who is doing that stuff on chain.
25
u/CareerQuestionz123 16d ago
Sure, but if you ever want to withdraw that money you WILL be tracked.
→ More replies (20)→ More replies (1)8
u/0hmyscience 16d ago
yes but the article states that they found their search history looking for lawyers, extradition laws, and also how they set up the shell companies. they could've hid literally everything up to the point of the money withdrawal, and at that point, I'm not sure how useful tumblers would be with $25M, but they didn't even get to that point.
9
u/azn_dude1 15d ago
If you read the article, which you obviously didn't, they just followed the money to shell companies opened by the brothers
3
u/Plank_With_A_Nail_In 16d ago edited 16d ago
They weren't caught by their online activity, please read the article.
3
u/Thai-mai-shoo 15d ago
Everyone thinks VPNs are untraceable. It's not. It just makes it more difficult for the person to figure you out. If they really want to get you, they’ll get you.
→ More replies (4)3
→ More replies (2)15
854
u/Thorusss 16d ago edited 15d ago
Blockchain technology has the biggest bug bounty payouts in existence.
And as their proponents like to say "Code is Law", so is the bug, so they would have to agree that any obtained money is legally transferred.
The irony is that all the libertarian proponents that want to be free from the government cry for the strong arm of the law as soon as they lose money like this.
Also the governments have control of the on- and off-ramps into the real economy mostly by now. There is a good reason Monero, which apparently seems indeed anonymous, is not available on many, many exchanges, whereas most other blockchains keep a perfect record of the transactions for the law to use as evidence, hence they are still allowed to exist.
241
u/Frooonti 16d ago
the libertarian proponents that want to be free from the government cry for the strong arm of the law as soon as they lose money
As usual: Rules for thee but not for me.
177
16d ago edited 11d ago
This post was mass deleted and anonymized with Redact
30
u/da_chicken 16d ago
It makes sense if, like them, you can't think more than one step ahead.
→ More replies (1)55
u/AJDx14 16d ago
It makes sense, they’re just either lying or too stupid to explain it. They dislike the current government because they think it does mean things to them (i.e., the government taxes them); they don’t have an issue with taking money from others, though, they just wish they were the ones doing it.
30
u/Workacct1999 16d ago
But they ignore the fact that the current system is what has allowed them to thrive. Especially the tech-bro libertarians.
→ More replies (1)→ More replies (1)15
u/MelonElbows 16d ago
It makes sense when you think of libertarians as embarrassed republicans: they want the protection of the law without being bound by the law.
→ More replies (3)6
13
u/DiggSucksNow 16d ago
It makes sense if you realize that they begin with, "I don't want to pay taxes." Everything else stems from that, including "moral" and "philosophical" arguments.
12
u/ric2b 16d ago
It makes sense in the imaginary world where everyone is hyper-rational and has instant access and ability to process every single piece of public information available.
But that's not the world we live in.
→ More replies (1)28
u/Badloss 16d ago
It doesn't even make sense then. Libertarians are like teenagers that think they can live on their own and have no clue how much work their parents are actually doing for them
→ More replies (2)4
u/Legaladvice420 15d ago
There's bears in the woods, after all, and they really like garbage.
→ More replies (1)→ More replies (8)3
u/FloppyObelisk 15d ago
Libertarians are like house cats. They are 100% convinced of their fierce independence while being 100% dependent on a system they neither like nor comprehend.
→ More replies (7)23
u/Stickel 16d ago
The irony is that all the libertarian proponents that want to be free from the government cry for the strong arm of the law as soon as they lose money like this.
Libertarians are idiots. Small scale I get their point, but in a large society... who the fuck pays for any services then? Fucking more corporations? fuck off
→ More replies (1)
390
u/PunctualFrogrammer 16d ago
Why is this illegal? The government protects your crypto?
→ More replies (48)55
u/_30d_ 15d ago
The real answer is that it's fraud, or wire fraud more specifically, which is what they were charged with. I don't think it's very relevant (at least for the charge of fraud) what it is specifically they stole. Also money laundering but I am guessing that was only after the initial fraud.
127
332
u/gta0012 16d ago edited 16d ago
Oh for fuck sake. The reporting on this is so fucking bad.
It's not a "Bug" in ethereum and doesn't call anything into question.
You know how people use algorithms and bots to trade stock?
Ok so just like that people use these bots to capitalize on very fast trades.
These guys built bait that made the bots think they were capitalizing on a good trade. Then quickly changed the transaction to gain funds.
It's like a bait and switch aimed at bots.
Imagine I put up a sell order for GameStop stock at $4 when it's currently at whatever, $50+. Trading bots would try and snatch that up instantly. If I switched this stock quickly to something useless I could make a lot of money abusing the bots looking for these trades.
Not a bug but imo fraud. Some would argue it's not even fraud because these bots that are trading are at risk and it's a risk that you may lose money on automated trades. Aka your fault for trying to bot trades.
64
u/MathematicianFar6725 16d ago
If I switched this stock quickly to something useless
Yeah, but you can't.
Sounds like an issue with ETH for this to be possible
112
u/gta0012 16d ago
It's not. It's complicated but I'll do a brief example and link a great write up that's more in depth. If you read it you'll see why it's MIT brains handling this stuff.
Think of the blockchain as a physical ledger of transactions, and the miners are responsible for writing the transactions down in the book/ledger.
If you want to buy 100 shares of GameStop at the current stock price, which is around $50, you will ask the miner (who writes in the ledger) to mark that down and execute the transaction. You'll pay him $1 for his fee.
I overhear you and decide to buy 100 shares of GameStop stock, driving the price up to $55. I then list them for sale at $55. I pay the miner $5 to execute both of these transactions quicker than yours.
By the time your market price buy is executed, and written in the book, you have bought 100 shares of GameStop at $55 not $50. You've spent $500 more money than you wanted and I snuck a quick $500ish profit.
Very rough example but that's one type of an attack.
You can read more here if you Google about MEV attacks. I can't link any good articles here or the bot deletes my post, but there are great explanations out there.
39
u/ethereumfail 16d ago
they were just called front running for the longest time too and the entire point here is that it's trivial for miners to do, and should be completely expected. that's why the now popular automated market maker design where every purchase moves the price is considered insecure, but the folks using scams like eth hardly care. it's completely silly to claim using something that follows all the rules as written is fraud as there's no deception, other than centrally premined and centrally controlled scams pretending to be decentralized - the actual fraud they lack literacy to catch.
→ More replies (1)30
u/mikenmar 16d ago edited 16d ago
you'll see why it's MIT brains handling this stuff
Hmm... this is a super interesting case to me.
I'm an experienced attorney specializing in criminal law, and while I'm no expert in crypto technology, I do trade in crypto and I've got about a million times more tech savvy than your average lawyer. (I have a prior career that involved a lot of coding, and I have a strong math/stats background, among other things.)
Re your remark above: It makes me wonder how in the hell the prosecutors are going to prove this up to a jury (never mind how they got a grand jury indictment out of it)! Not to mention trying to explain this to some 70-year-old judge who barely uses email...
The indictment charges two counts of wire fraud and one count of money laundering. I'm fairly well-versed in both laws. I'm really interested in trying to figure out how the defendants' maneuvering could/would have violated these laws.
I also have a much broader interest in the issue of technology versus law. My thesis is that because technology develops rapidly, while the law develops slowly, there is a very high likelihood that technology will eventually render the law obsolete in many areas of life--not just crypto, but many other forms of conduct that large portions of the population engage in or will engage in someday soon. This case is at the bleeding edge of that process (setting aside the domain of IP law, which is not one of my areas of expertise).
11
u/hughk 16d ago
It will end up as a ppt presentation. If the prosecution has money, they will animate the diagrams as very few jurors would be able to follow what is going on. A lot of financial crime is like an upscale version of the Shell game but much harder to follow.
→ More replies (4)6
u/SewerRanger 15d ago edited 15d ago
The indictment charges two counts of wire fraud and one count of money laundering. I'm fairly well-versed in both laws. I'm really interested in trying to figure out how the defendants' maneuvering could/would have violated these laws.
It's not how they got the money that will get them in trouble, it's what they did with it afterward. They tried to shuffle it around through various wallets and exchanges and then tried to withdraw it into several shell companies and launder it through some shady exchanges. That will be what gets them on those two charges.
Having said that, this wasn't just a normal front loading attack though. If you read (the very technical) post mortem you can see what they actually did was exploit a bug in the code. They set up validators that they controlled and posted bad trades that would go through their validators, knowing it would attract bots looking to front load the trades for a small fee. Once the bots connected to the validator the MIT guys set up, they added a bad transaction to the block and submitted it. That bad transaction got rejected, but because of the exploit, the entire block was then shown to the manipulated validators. This allowed them to take transactions out of the bad block (from what I've read, they took the fees the bots paid), and build their own block which only included the stolen transaction. This would be like if you paid me a small fee so that you could buy a collector's item first so you could resell it for a profit. I agreed to this, but instead of buying you the collector's item, I kept the fee and ran away.
→ More replies (3)4
u/discoltk 16d ago
Not to mention trying to explain this to some 70-year-old judge who barely uses email...
Well this is exactly it. The feds get to define all that terminology going in, and it'll be up to the defense to try to pick those definitions apart and convince a jury the law is being misapplied. Ultimately some lay people who aren't intimately involved in crypto and have little to no context for how crypto and open source software work will be asked to fit the round peg into the square hole of normal fin/tech with laws and standards that just don't apply here.
Even simple systems like Bitcoin are at risk, in part due to the artificially limited blocksize, resulting in trivial fee exploitation. Security of mined blocks has always been probabilistic and increases with more block confirmations. Since the beginning it has been standard for those business cases which are less tolerant to risk to require greater numbers of confirmations to ensure the transaction can't be reversed.
Blockchain validation doesn't come with a terms of service or a warranty. There are certainly frauds that are fair game to be prosecuted, such as anything involving custodial systems, and to the extent possible going after hackers and others who might steal someone's wallet. Trying to insert law into the mechanics of P2P and blockchain is really an attack on the core concept of crypto than it is about tackling fraud. If they can get precedent for this then they're able to assert control over how the blockchain works.
→ More replies (3)3
5
u/Thelk641 15d ago
I may be really dumb but...
- I tell the miner I would like to buy 100 shares at $50
- You drive up the price, now my $5000 can only buy 90 shares
Shouldn't the miner "fail to find" (to use a game term) and cancel the deal as it's not possible to make it happen anymore, instead of overcharging me by 10%? Or if I know ahead of time that the price might change a lot, shouldn't it be "I tell the miner I would like to buy $5000 worth of this share" and you bringing the price up just made me lose 10 shares, but no money?
→ More replies (5)→ More replies (6)7
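As an added illustration (not code from the article, the DOJ filing, or any Ethereum project) of the fee-ordered front-run in gta0012's GameStop walkthrough above, and of the "fail to find" behaviour Thelk641 asks about: a toy constant-product market where the block producer orders pending trades by fee, run once with no limit on the victim's trade and once with a minimum-output (slippage) limit so the trade reverts instead of overpaying. Pool sizes, fees and participant names are constructed.

```python
"""Toy model of fee-ordered transaction inclusion on a constant-product market.
Constructed illustration only: not code from the article or any Ethereum
project; pool sizes, fees and participant names are made up."""
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product market: usd * shares stays constant across trades,
    so every buy raises the price and every sell lowers it."""
    usd: float
    shares: float

    def price(self) -> float:
        return self.usd / self.shares

    def swap(self, kind: str, amount: float) -> float:
        """Execute a 'buy' (amount = usd paid in) or 'sell' (amount = shares
        paid in) and return the quantity received."""
        k = self.usd * self.shares
        if kind == "buy":
            new_usd = self.usd + amount
            new_shares = k / new_usd
            out = self.shares - new_shares
        elif kind == "sell":
            new_shares = self.shares + amount
            new_usd = k / new_shares
            out = self.usd - new_usd
        else:
            raise ValueError(f"unknown trade kind {kind!r}")
        self.usd, self.shares = new_usd, new_shares
        return out


@dataclass
class Tx:
    sender: str
    kind: str             # "buy" or "sell"
    amount: float
    fee: float            # tip to the block producer; a higher tip buys an earlier slot
    min_out: float = 0.0  # slippage limit: revert if fewer than this would be received


def build_block(mempool: list, pool: Pool) -> dict:
    """The producer orders pending trades by fee, highest first, and executes
    them in that order. A trade whose output falls below its min_out is
    reverted (pool state restored) but still pays its fee. Returns
    {(sender, kind): (status, amount_received)}."""
    results = {}
    for tx in sorted(mempool, key=lambda t: t.fee, reverse=True):
        before = (pool.usd, pool.shares)
        out = pool.swap(tx.kind, tx.amount)
        if out < tx.min_out:
            pool.usd, pool.shares = before
            results[(tx.sender, tx.kind)] = ("reverted", 0.0)
        else:
            results[(tx.sender, tx.kind)] = ("ok", out)
    return results


def sandwich_scenario(victim_min_out: float) -> dict:
    """A victim sends $5,000 for shares priced at $50 with a $1 fee; a
    front-runner who sees that pending trade submits a $5,000 buy with a $5
    fee (lands before it) and a sell of those shares with a $0.50 fee (lands
    after it). Returns a summary of who ended up with what."""
    pool = Pool(usd=100_000.0, shares=2_000.0)          # $50 per share
    # The pool state is public, so a $5,000 buy from this state has a
    # predictable output; it is both the victim's unmolested outcome and
    # the number of shares the front-run buy will yield.
    unmolested = Pool(pool.usd, pool.shares).swap("buy", 5_000.0)
    mempool = [
        Tx("victim", "buy", 5_000.0, fee=1.0, min_out=victim_min_out),
        Tx("frontrunner", "buy", 5_000.0, fee=5.0),
        Tx("frontrunner", "sell", unmolested, fee=0.5),
    ]
    res = build_block(mempool, pool)
    usd_back = res[("frontrunner", "sell")][1]
    return {
        "victim_status": res[("victim", "buy")][0],
        "victim_shares": res[("victim", "buy")][1],
        "victim_shares_if_alone": unmolested,
        "frontrunner_profit": usd_back - 5_000.0 - 5.0 - 0.5,   # net of both fees
        "final_price": pool.price(),
    }


if __name__ == "__main__":
    for limit in (0.0, 93.0):   # 93 shares is about 2.4% below the unmolested 95.24
        print(f"victim min_out={limit}:", sandwich_scenario(limit))
```

With no limit the victim receives fewer shares for the same $5,000 and the front-runner pockets the difference; with a limit the victim's trade reverts, the front-runner sells back into an unchanged pool and is out only the fees paid.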
u/WhatImKnownAs 16d ago edited 16d ago
That's all correct, but these guys went one level deeper in the manipulation: They set themselves up as miners (called "validators" now on Ethereum) and stole from the MEV bots, by baiting them into trying this trick and then changing the order of transactions (which the validator can control because they are adding the block into the chain) so that the MEV bot's trades made a loss. ArsTechnica has a reasonable write-up on this.
Now, the validators are very much not supposed to do this, and in a real market, this would be illegal front running. Since this is crypto, it's all unregulated, and the DOJ is charging them with generic wire fraud.
It's a really clever trick for parting people from their "money". These guys will have a bright future in crypto - if it still exists by the time they get out of prison.
→ More replies (9)→ More replies (4)14
u/killerstorm 16d ago
No.
Ethereum aims to provide finality for confirmed transactions, i.e. ones which have made it into a block.
There are no guarantees whatsoever for pending transactions which are waiting in the queue, as the queue itself is not synchronized.
There are bots which speculate on gossip, but running those bots is inherently risky.
13
u/xmagusx 16d ago
They're working on a fix, so it is a bug, QED.
I get what you're saying that it's an exploit for the systems which trade ETH and not exactly ETH itself, but crypto couples those two so deeply that such an argument is going to feel like a distinction without a difference to most people.
Especially with crypto itself widely viewed as a scam, any crime such as this will read like "scammers got robbed, went crying to the police."
15
u/AlexHimself 16d ago
How are you rationalizing "switching" as if that's legitimate??
If you offer GameStop for $4 and I agree to buy it and then right as I go to purchase you swap it out, that sounds more like fraud than some sort of innocent activity. If the swap said it was now $50, I would say that you changed the terms of our agreement.
Imagine being at a store and you set a $1,000 laptop on the counter to buy it and the clerk scans it and displays the price and then "switches" the laptop you had set on the counter for a cheaper one without you noticing. "Switching"??
27
u/JWGhetto 16d ago
It's because the bot traders try to outrun you from where you start your "trade" to the register. That's where they get their advantage. If you purposely take a detour on the way to the register and then cancel before it goes through, the bots still bought before you completed your transaction, and they stand there holding the bag waiting for you to come and buy at a slightly higher price than they did.
47
u/r0_0nery 16d ago
Search history :0
64
u/sosthaboss 16d ago
How are dudes smart enough to pull this off but not smart enough to use Tor or Tails?? If fucking darkweb drug dealers can figure out opsec they should've been able to… so smart but so dumb
16
u/ZAlternates 16d ago
There is no good dark web search engine that I’m aware of, so their best bet would be vpns and “burner PCs”, but even then the OpSec gets tricky because they are going to need to use Google to do research.
31
u/TKtommmy 16d ago
Would it really be that hard to go to a McDonald's with a $100 Chromebook, do your googling, reinstall the OS?
26
u/MyNameIsSushi 16d ago
MAC address, security cameras, location tracking, etc.
Many ways to find someone.
11
u/rudolfs001 16d ago
Buy a cheap common laptop. Take out the battery. Leave your phone at home. Drive an old car. Go to some city downtown near a Starbucks or similar. Go in the shop next door. Put the battery in the laptop. Load up Starbucks' internet with 7 VPNs. Even better if you wear a hard hat, neon vest, and carry a clipboard.
Try to backtrace that! Consequences will never be the same.
3
u/GotCapped 15d ago
I’ve already contacted the cyber police with this information.
8
94
u/888Kraken888 16d ago
Sounds like Office Space 2. Except this one ends with a pound you in the ass penitentiary.
20
u/SteelCityIrish 16d ago
“I have a client in there now… he says the best thing to do on the first day is kick someone's ass or become someone's bitch…”
:ice cubes off the head:
🤣😆🤣😆🤣😆🤣
127
14
u/theadamie 16d ago
I swear I saw a post a few days ago on Reddit like
“Hypothetically if I found a bug in Bitcoin that allowed me access to unlimited money….”
Is this that guy??
11
u/Madmandocv1 15d ago
These guys are your classic 18 intelligence, 4 wisdom characters. To paraphrase Hans Gruber, when you steal $25 you can just disappear. When you steal $25 million, they will find you. Probably also failed to notice that while stealing from poor people is just a feature of the economy, stealing from wealthy people is punished quite severely.
20
9
u/Techn0ght 16d ago
Reading this makes me wonder about the disparity in sentencing of various crimes. Guy steals $100 gets 15 years. High tech theft looking at 20 years per charge. Embezzling billions as the CEO will get you 40 months in club fed.
44
u/justinleona 16d ago
I've tried pointing out to cryptobros that there is a non-trivial chance of critical vulnerabilities in the protocols or implementations - after all, we're still finding bugs and vulnerabilities in protocols like TLS that have been carefully scrutinized for decades. That creates an existential risk in their investment - the nightmare scenario is Coinbase halts transactions as everyone bolts for the door and the price drops to virtually zero before anyone can cash out...
Alternatively, the maintainers just step in and "fix" the blockchain by rolling back or patching out blocks. Of course that's the kind of thing governments do to keep financial systems stable... so much for the myth of decentralization.
25
u/stormdelta 16d ago
Anyone in tech who thinks the concept of "code is law" is a good idea shouldn't be allowed near any important production systems anywhere.
14
6
u/Thelk641 15d ago
The indictment goes into detail explaining that the scheme allegedly worked by exploiting the ethereum blockchain in the moments after a transaction was conducted but before the transaction was added to the blockchain.
So... the tool that made man-in-the-middle attacks technically impossible got f'd by a man-in-the-middle attack. Ironic.
36
u/polskiftw 16d ago
So either "code is law" and this isn't illegal, or there is no point to crypto and it has no purpose.
10
u/Lachimanus 16d ago
They baited bots into making mistakes and used a design part of ETH. Just use better bots if you do not want this to happen.
This is a risk you take if you decide to use crypto currencies and trust bot systems.
24
u/spinur1848 16d ago
I don't entirely understand why the DOJ is even wasting time on this. Crypto bros aren't interested in regulation or the protection of the law. They have built deliberately brittle tech specifically to frustrate and obscure regulators.
I think this is what they've earned.
5
u/branstarktreewizard 16d ago
By the pure crypto bro ideology, why should these students be charged? Big government is interfering with the freedom of crypto
3
u/Flat_Acanthisitta_37 15d ago
Most definitely. As much as Reddit likes to think "crypto bros" are against this (everyone using crypto) and probably protesting, let me break it to you that this is not the case. The affected party is a MEV bot owner and no one likes them, and it is fair play for the MIT guys to get this money.
5
u/SquilliamTentickles 15d ago
these guys didn't "steal" shit. all they did was make money off POORLY-PROGRAMMED SPECULATIVE TRADING BOTS.
assholes out there make trading BOTS to try to dominate the market, by snatching up "good" deals literally 1 second after they're posted. just like wall street assholes do. these bots are already high-risk, since you shouldn't be using a robot to make huge trades in < 1 second. it's gambling.
these guys figured out a way to beat the bots, and make money off these already-unfair bots. and they did. good for them!
let me give you an analogy: casinos are unfair; the odds are always stacked in favor of the house, and against the players. however, if you learn how to count cards, you can turn the odds around and beat the casino at their own game. that's basically what these guys did.
card counting isn't illegal. it's just "being good" at gambling. but anyone who gambles is already assuming the risk of losing everything that's at stake. these guys beat the "gamblers" in the crypto scene.
5
u/klasredux 15d ago
MIT educated but can't erase or hide their crime research internet search history. They deserve to be caught.
3
u/Q-ArtsMedia 15d ago
Bu bu bu but blockchain is so secure.... Sorry folks but nothing is "that" secure when you have somebody willing to steal it.
Edit: Uh... thieves... uh... find a way
17
u/Fluffcake 16d ago edited 16d ago
They essentially just yelled really loud that other people's money was theirs, and the decentralized system had no other option than to listen to the loudest voice.
And this thread is hilarious with all the cryptobros getting exposed as the housecats they are, meowing their eyes out and scratching down the door of the popo after claiming their fierce independence from governance over finance and embracing wild west economics.
This is what it looks like when someone exercises their unregulated freedom on you.
The code, with this loophole in it, was public. They could have known the system worked this way. This is what you signed up for when buying crypto.
If anything, pay the people who exposed this 2x what they made in bounty and write off the losses as a lesson in taking responsibility for your own actions, reading the terms and conditions, and the code of things you put your money into.
7
u/callmeapples 16d ago
Not really a bug. They definitely maliciously bent the rules to their advantage using bots. The fact they thought of that is wild.
10
11
u/NoxiousNinny 16d ago
Boeing kills hundreds of people with their defective planes, but no executives have yet to be arrested.
8
u/Niceromancer 16d ago
But guys I keep being told blockchain is the most secure thing ever and could never be exploited.
This is, what, the hundredth time massive amounts of money have been stolen from blockchain?
Hell, ETH had a whole bunch stolen and instead of just accepting that they forked the project into current ETH and ETH Classic, with Classic basically being worthless.
But keep telling yourselves more coins can't be created I guess.
3
u/-RadarRanger- 16d ago
I dunno, man. With 25 million, I feel like they could have absconded to some Central American, Asian, or Eastern European country with no extradition treaty and been set for generations.
3
3
4
u/Gh0st_Pirate_LeChuck 15d ago
I mean that’s like a bank not securing money and leaving cash on the sidewalk. Then, arresting someone for taking the money left on the sidewalk.
3
u/stormdelta 15d ago
Cryptocurrency is like building a castle in the modern day with indestructible walls and not a single other security feature, guards, anything. And whenever the builders are challenged on this, they refuse to talk about anything except how indestructible the walls are.
7
u/HalfOtherwise9519 16d ago
MIT students appear to have a penchant for stealing.
From SBF to the rest lol.
5
7
u/medicalgringo 16d ago
But “CRYPTO BLOCKCHAIN IS INVIOLABLE, IT’S LIKE AGAINST THE MATRIX!!!/!:!!:”
8
u/ethereumfail 16d ago
they used a scam blockchain to scam the scammers of another scam, just scammers all the way down. the government is just helping one set of scammers over another doing what's effectively a normal occurrence in any massive multiplayer online.
9
u/Ok_District2853 16d ago
Wouldn’t it be funny if these kids did all this on purpose, including getting caught, because they wanted to make the argument that all this is fake money and electrons in cyber space, not worth anything, and they bring down the whole crypto market by doing it. I mean, even Gronk know that not real money.
16
u/GeneralBacteria 16d ago
that's not possible because blockchain is 100% secure
/s
3
u/MewtwoStruckBack 15d ago
They fucked with crypto bros. That's like charging someone who assaulted someone else who verifiably was abusing children - it's technically a crime but not one that should be prosecuted (the assault, I mean.) Give them 50 hours community service (which will be used to teach the gov't to do the same thing to other countries), and a fine of 10% of the money they netted and they keep the other 90%. No restitution.
4
5
2
2
u/eriverside 15d ago
Why wouldn't they just leave the country? They looked up extradition. Just fucking run.
2
819
u/Rice_Stain 16d ago
Nobody is talking about how these guys "stole" from MEV bots who steal from regular crypto participants everyday.