Within approximately 12 seconds, two highly educated brothers allegedly stole $25 million by tampering with the ethereum blockchain in a never-before-seen cryptocurrency scheme, according to an indictment that the US Department of Justice unsealed Wednesday.
In a DOJ press release, US Attorney Damian Williams said the scheme was so sophisticated that it “calls the very integrity of the blockchain into question.”
[…]
The indictment goes into detail explaining that the scheme allegedly worked by exploiting the ethereum blockchain in the moments after a transaction was conducted but before the transaction was added to the blockchain.
These pending transactions, the DOJ explained, must be structured into a proposed block and then validated by a validator before the block can be added to the blockchain, which acts as a decentralized ledger keeping track of crypto holdings. It appeared that the brothers tampered with this process by “establishing a series of ethereum validators” through shell companies and foreign exchanges that concealed their identities and masked their efforts to manipulate the blocks and seize ethereum.
To do this, they allegedly deployed “bait transactions” designed to catch the attention of specialized bots often used to help buyers and sellers find lucrative prospects in the ethereum network. When bots snatched up the bait, their validators seemingly exploited a vulnerability in the process commonly used to structure blocks to alter the transaction by reordering the block to their advantage before adding the block to the blockchain.
When victims detected the theft, they tried to request the funds be returned, but the DOJ alleged that the brothers rejected those requests and hid the money instead.
The brothers’ online search history showed that they studied up and “took numerous steps to hide their ill-gotten gains,” the DOJ alleged. These steps included “setting up shell companies and using multiple private cryptocurrency addresses and foreign cryptocurrency exchanges” that specifically did not rely on detailed “know your customer” (KYC) procedures.
[…]
Source: MIT students stole $25M in seconds by exploiting ETH blockchain bug, DOJ says | Ars Technica
Robin Edgar