
2 arrested for $25 million exploit of Ethereum’s proof-of-stake validators

Ethereum’s already wobbly foundation looks even shakier following the arrest of two brothers who exploited the network’s vulnerabilities to steal $25 million from transaction validators.

On May 15, the United States Department of Justice (DOJ) announced the arrest of two brothers—Anton and James Peraire-Bueno—on charges of conspiracy to commit wire fraud, wire fraud and conspiracy to commit money laundering. If convicted on all counts, the brothers face up to 20 years in prison.

The MIT-educated pair are accused of netting around $25 million worth of tokens in a 12-second span—the duration of a block validation ‘slot’ on Ethereum—by manipulating vulnerabilities in the process by which Ethereum verifies transactions. Damian Williams, U.S. Attorney for the Southern District of New York, said the “novel” scheme “calls the very integrity of the blockchain into question.”

The scheme involved Ethereum’s so-called ‘maximal extractable value’ (MEV), the process by which Ethereum’s transaction validators can preview and reorder pending transactions. MEV allows validators to personally profit from this advance knowledge by front-running significant or large transactions. European regulators recently flagged MEV for its potential for market abuse.

The DOJ says the Peraire-Bueno brothers stole funds that would otherwise have gone to a group of Ethereum validators using MEV-Boost. This open-source software outsources the creation of new Ethereum blocks to a network of ‘searchers,’ ‘builders,’ and ‘relays.’

Searchers use automated bots to scan the Ethereum mempool for profitable arbitrage opportunities, then forward a bundle of preferred transactions to a builder. The bundle places the searcher’s ‘frontrun’ transaction first, i.e., a purchase of a token made on the expectation that the transactions that follow will boost the value of that token. The searcher also includes a ‘sell’ transaction further back in the bundle to cash out the expected spike in token value.

Builders send these bundles to a relay, which initially submits only the block header to the validator. Only after the validator accepts the block for publishing to the chain does it see the complete ordered transaction list.

Taking the bait

As detailed in the indictment, the brothers began plotting their heist around December 2022, just months after Ethereum made its transition from a consensus mechanism based around proof-of-work (PoW) to one based on proof-of-stake (PoS).

The brothers established 16 validators, then engaged in a series of ‘bait transactions’ to figure out what motivated MEV bots to propose bundles containing these transactions. The brothers thus identified three ‘victim traders’ that specialized in crypto arbitrage trades.

The brothers then initiated “at least eight” transactions (the ‘Lure transactions’) they knew would cause the victim traders’ MEV bots to propose bundles containing these transactions. The bundles also included the victim traders’ own ‘buy’ transactions in which they paid $25 million in stablecoins and other tokens to acquire “substantial amounts of particularly illiquid cryptocurrencies” (aka shitcoins of little or no utility).

The victim traders also placed their ‘sell’ transactions after the Lure transactions, but with coded conditions under which the frontrun transactions couldn’t execute unless the Lure transactions “took place immediately after the frontrun trades” and the sell transactions occurred immediately after the Lure transactions.

But the brothers had identified a vulnerability in the MEV-Boost relay code that prematurely exposed the full content of proposed blocks. This allowed the brothers to tamper with the victim traders’ proposed blocks when one of the brothers’ 16 validators was selected to approve the next block.

Once the victim traders’ $25 million buy transactions had gone through, the brothers “replaced the Lure transactions with Tampered transactions. In the Tampered transactions, the defendants sold the same illiquid cryptocurrencies that the victim traders had recently purchased as a result of the Lure transactions and, for which the defendants already held as a result of information gathered through the bait transactions. In effect, the Tampered Transactions drained the particular liquidity pools of all the cryptocurrency that the Victim Traders had deposited based on their frontrun trades.”

The net result was that the victim traders’ sell orders couldn’t go through, leaving them with worthless shitcoins while the brothers collected around $25 million in stablecoins and more liquid tokens. The brothers then published the re-ordered block to the Ethereum network.
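The header-first flow described above (relay hands the proposer only the block header, and the full transaction list only after the proposer has accepted it) is a commit-then-reveal protocol, and the flaw the indictment describes is the relay revealing the body before that commitment was checked. The following simulation is an added example written for this article; it is not MEV-Boost code and models none of its real API. It assumes a toy `Relay` class, an HMAC standing in for the proposer’s signature, and constructed sample transactions, and shows the weak relay (payload released on any request) beside the hardened one (payload released only after a valid signed header is on file, which also lets a later mismatching publication be detected).

```python
"""Commit-then-reveal between a relay and a block proposer (hypothetical demo)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Block:
    slot: int
    transactions: list  # ordered tx list; strings stand in for real transactions

    def header_hash(self) -> str:
        # The header commits to the slot and the exact transaction order.
        h = hashlib.sha256(str(self.slot).encode())
        for tx in self.transactions:
            h.update(hashlib.sha256(tx.encode()).digest())
        return h.hexdigest()


def sign_header(key: bytes, header_hash: str) -> str:
    # HMAC stands in for the proposer's BLS signature (assumption for the demo).
    return hmac.new(key, header_hash.encode(), hashlib.sha256).hexdigest()


class Relay:
    def __init__(self, proposer_keys: dict, verify_before_reveal: bool):
        self.proposer_keys = proposer_keys          # validator index -> key
        self.verify_before_reveal = verify_before_reveal
        self.blocks = {}                            # header hash -> Block
        self.commitments = {}                       # validator index -> header hash

    def submit_block(self, block: Block) -> str:
        # A builder submits the full block; only the header hash goes out.
        h = block.header_hash()
        self.blocks[h] = block
        return h

    def get_payload(self, validator_index: int, header_hash: str, signature: str):
        block = self.blocks.get(header_hash)
        if block is None:
            return None
        if self.verify_before_reveal:
            # Hardened: reveal the body only once the proposer has signed the header.
            expected = sign_header(self.proposer_keys[validator_index], header_hash)
            if not hmac.compare_digest(expected, signature):
                return None
            self.commitments[validator_index] = header_hash
        # Weak path: no check at all, so the body leaks before any commitment.
        return block

    def published_block_matches_commitment(self, validator_index: int, published: Block) -> bool:
        # A block that differs from the signed header is evidence of tampering.
        committed = self.commitments.get(validator_index)
        return committed is not None and committed == published.header_hash()


# Constructed sample data for the demo.
PROPOSER_KEYS = {7: b"demo-key-validator-7"}
SAMPLE = Block(slot=100, transactions=["frontrun-buy", "lure", "searcher-sell"])


def weak_relay_leaks_payload() -> bool:
    relay = Relay(PROPOSER_KEYS, verify_before_reveal=False)
    h = relay.submit_block(SAMPLE)
    return relay.get_payload(7, h, "not-a-valid-signature") is SAMPLE


def hardened_relay_withholds_payload() -> bool:
    relay = Relay(PROPOSER_KEYS, verify_before_reveal=True)
    h = relay.submit_block(SAMPLE)
    return relay.get_payload(7, h, "not-a-valid-signature") is None


def hardened_relay_reveals_after_commitment() -> bool:
    relay = Relay(PROPOSER_KEYS, verify_before_reveal=True)
    h = relay.submit_block(SAMPLE)
    sig = sign_header(PROPOSER_KEYS[7], h)
    return relay.get_payload(7, h, sig) is SAMPLE


def reordered_block_is_detected() -> bool:
    relay = Relay(PROPOSER_KEYS, verify_before_reveal=True)
    h = relay.submit_block(SAMPLE)
    relay.get_payload(7, h, sign_header(PROPOSER_KEYS[7], h))
    tampered = Block(slot=100, transactions=["frontrun-buy", "tampered-sell", "searcher-sell"])
    return not relay.published_block_matches_commitment(7, tampered)


if __name__ == "__main__":
    print("weak relay leaks body:", weak_relay_leaks_payload())
    print("hardened relay withholds:", hardened_relay_withholds_payload())
    print("hardened relay reveals after commitment:", hardened_relay_reveals_after_commitment())
    print("tampered publication detected:", reordered_block_is_detected())
```

The design point is that the relay must treat the signed header as the gate for the payload, not the request itself: with the check in place the relay also holds the proposer’s commitment, so a published block whose header differs from the one signed is detectable after the fact.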

The victim traders eventually caught on to what had occurred and reached out to the brothers, as did “a representative from Ethereum.” The brothers ignored these pleas and set about laundering their stolen loot through exchanges with minimal ‘know your customer’ controls as well as some decentralized finance (DeFi) protocols.

While the brothers may have graduated from MIT, they failed OpSec 101 by googling phrases such as ‘money laundering’ and ‘does the United States extradite to [insert country here]’ ahead of their heist.

Deputy Attorney General Lisa Monaco said the brothers’ high-tech antics “were no match for DOJ prosecutors and Internal Revenue Service (IRS) agents, who unraveled this first-of-its-kind wire fraud and money laundering scheme.” IRS Criminal Investigation unit special agent Thomas Fattorusso added that his office had “simply followed the money” using “cutting-edge technology and good-ole-fashioned investigative work, on and off the blockchain.”

While the company behind MEV-Boost released an update to prevent future exploits of this kind, the reputational hit that Ethereum has taken since its shift to PoS shows no sign of ending. In fact, PoS is considered one of the primary reasons why the U.S. Securities and Exchange Commission (SEC) is (allegedly) preparing to designate ETH as an unregistered security.

A significant chunk of ETH was already concentrated in relatively few hands, most of them belonging to Ethereum insiders who were the primary beneficiaries of 2014’s controversial crowdsale. PoS was guaranteed to further concentrate control of the network, triggering more planks of the Howey test. Regulatory blowback was/is inevitable.

‘Compromised and partially drained’

Still more ‘crypto’ bro-on-bro violence made the news this week courtesy of a hack of the BlockTower blockchain-focused institutional investment firm.

On May 14, Bloomberg reported that BlockTower’s main hedge fund had been “compromised and partially drained by fraudsters,” citing sources familiar with the situation who didn’t want to be identified. The total amount of the stolen assets, as well as the nature of the hack went unspecified, but BlockTower has reportedly hired blockchain forensics experts to get to the bottom of this mess.

As a private company beholden only to its well-heeled investors, BlockTower has so far offered no official statement about the report. The company’s main fund held around $1.7 billion worth of assets under management prior to the hack.

This isn’t the first time BlockTower has suffered losses via exploits, having lost $1.5 million worth of TRU tokens after hackers targeted its wallet on the Dexible decentralized exchange in 2023.

BlockTower describes its Flagship fund’s M.O. as “focused on liquid crypto assets via a multi-strategy approach analyzing both top-down market regimes and bottom-up asset selection (beta augmented with alpha), and incorporating market neutral strategies where appropriate to the opportunity set.”

In 2022, BlockTower launched a dedicated venture capital fund that has taken stakes in numerous ‘crypto’ entities, including memecoin-factory Solana, struggling NFT-focused Dapper Labs, Sky Mavis (parent of the Axie Infinity game, which suffered a nine-figure hack of its Ronin Bridge network in 2022) and fraudulent ‘algorithmic stablecoin’ issuer Terraform Labs.

Honestly, given that stellar track record, we’re a little surprised there was anything left to steal.

Make it stop

BlockTower wasn’t the end of this week’s hackery. The Sonne Finance ‘decentralized non-custodial lending protocol’ was taken for $20 million worth of ‘wrapped’ ETH and USDC tokens. Sonne Finance said it’s prepared to offer the hacker a ‘bug bounty’ that would allow him/her/they to keep 10% of their loot as payment for pointing out the gaping security flaws if they return the other 90%.

But the hacker has reportedly already swapped some of their ill-gotten gains for nearly 1,200 ETH and 183,000 DAI (an Ethereum-based stablecoin maintained by the MakerDAO decentralized autonomous organization). From there, the ETH will almost certainly tread the well-trodden path to Tornado Cash, the ETH-based coin mixer that helps obfuscate a digital asset’s digital trail.

We say that with some confidence because on May 14, Reuters revealed a United Nations Security Council (UNSC) sanctions committee report that found Tornado Cash helped launder $147.5 million worth of ETH that was stolen from Justin Sun’s HTX (formerly Huobi) exchange last year by North Korea’s hackers.

That nine-figure sum was funneled through Tornado Cash in the month of March alone. A further $66.3 million worth of ETH that was stolen from the Sun-linked Poloniex exchange has been similarly washed. With apologies to ancient Rome, when it comes to stolen tokens, all roads lead to Tornado Cash.

The UN report, based on data provided by PeckShield and Elliptic analysts, also found that North Korea was the likely culprit behind 97 suspected attacks on ‘crypto’ firms that netted the Hermit Kingdom some $3.6 billion between 2017 and 2024. The same report indicates that North Korea may have been responsible for 11 ‘crypto’ heists so far this year that netted nearly $55 million.

Ironically, many of the victims of these heists were likely among the legions of ‘crypto bros’ loudly denouncing this week’s sentencing of Tornado Cash co-founder Alexey Pertsev to 64 months in a Dutch prison for money laundering. Code is law, after all… that is, until it’s your bits of code that have been stolen and laundered. Still, man up and take one for the team, right?

One imagines that, within crypto crook circles, it’s hard to get angry when they get caught thieving from each other. After all, it’s the dominant ethos of this game, in which the much-ballyhooed notion of ‘building’ doesn’t so much take a backseat to ‘grifting,’ it gets relegated to a rickety trailer haphazardly hitched to the back of this out-of-control 18-wheeler.

For those of you who crave a more productive, utilitarian and (ta-da!) legally- and regulatory-compliant worldview, there’s a little shindig going on in London next week that might be just what you’re looking for.
