Suspects in $9M DeFi platform Platypus attack arrested in France

Getting your Trinity Audio player ready...

French police have arrested suspects alleged to have stolen over $8 million from the decentralized finance (DeFi) platform Platypus Finance.

The hackers attacked Platypus on February 17, exploiting a flaw in a key pricing mechanism of the DeFi platform. They took off with $8.5 million in the first attack, $380,000 in the second, and $287,000 in the third. Inadvertently, the hacker sent the proceeds of the second attack to Aave, a lending protocol.

The two hackers have now been arrested in France, authorities confirmed.

[#Cybercriminalité]La #PoliceNationale met fin à une escroquerie d'ampleur pour un préjudice de 9,5 millions💰sur une société américaine d’échange de cryptomonnaies.
Interpellation et convocation en justice de 2 individus
👉saisie de 210 000 € en cryptomonnaies#PoliceJudiciaire pic.twitter.com/rKKuG95cWh

— Police nationale (@PoliceNationale) February 24, 2023

Following the attack, the price of USP, the Platypus network’s “over-collateralized” stablecoin, depegged, shedding half its value in hours. At press time, USP is trading at 32 cents.

The attack on Platypus was based on an exploitation of a flaw in the platform’s USP solvency check mechanism. The hackers tricked the platform’s smart contracts to indicate that their USP was fully collateralized.

As blockchain analysis revealed, the hackers relied on a flash loan to execute the attack. This is a loan advanced without collateral that must be paid within the same transaction. While they aren’t inherently bad, they have been exploited by several hackers to manipulate prices on DeFi platforms and steal millions of dollars.

In the Platypus case, the attackers borrowed $44 million in a flash loan from Aave. They then supplied liquidity to one of the Platypus liquidity pools, minted 41 million USP, and initiated an emergency withdrawal of $44 million. The Platypus smart contracts could not detect the error and retract the 41 million USP. The hackers then exchanged the USP for $8.5 million in USDC, DAI, USDT, and Binance USD.

Since the hack, Platypus has recovered $2.4 million worth of USDC. Tether also froze $1.5 million of the stolen USDT. Some assets were unrecoverable as they were channeled through Tornado Cash, the infamous Ethereum-based digital assets mixer.

Blockchain sleuths were able to track the stolen assets and pinned down the hacker.

Hi @retlqw since you deactivated your account after I messaged you.

I've traced addresses back to your account from the @Platypusdefi exploit and I am in touch with their team and exchanges.

We’d like to negotiate returning of the funds before we engage with law enforcement. pic.twitter.com/oJdAc9IIkD

— ZachXBT (@zachxbt) February 17, 2023

Watch: Law & Order Regulatory Compliance for Blockchain & Digital Assets