Brothers Indicted for Stealing $25 Million of Ethereum in 12 Seconds
It took two brothers who went to MIT months to plan how they were going to steal, launder and hide millions of dollars in cryptocurrency — and only 12 seconds to actually pull off the heist.
The brothers, Anton Peraire-Bueno and James Peraire-Bueno, were indicted by federal prosecutors this week for the sophisticated and novel scheme, which took advantage of weaknesses in the Ethereum blockchain processes to steal $25 million in Ethereum crypto. They then spent months after the April 2023 theft concealing the stolen digital assets through such actions as transferring some of them to other privately held crypto addresses and converting them to a stablecoin.
The two men manipulated processes and protocols that are used to validate transactions and add them to the Ethereum blockchain, according to the indictment.
“In doing so, they fraudulently gained access to pending private transactions and used that access to alter certain transactions and obtain their victims’ cryptocurrency,” the prosecutors wrote in the indictment. It added that both men used their “specialized skills developed during their education, as well as their expertise in cryptocurrency trading [to exploit] the very integrity of the Ethereum blockchain.”
Anton Peraire-Bueno, 24, of Boston, and James Peraire-Bueno, 28, of New York, face wire fraud and money laundering charges for the scheme, which they planned in the months leading up to the theft. During that time, they allegedly shared an online document laying out the exploit, established shell companies, used intermediary crypto addresses, foreign exchanges, and a privacy network layer, and searched online for ways to launder cryptocurrency and for crypto exchanges with limited “know your customer” procedures as a way of concealing their identities.
Crypto Lost by the Numbers
The amount of crypto lost to cybercrime continues to grow. In a January report, blockchain analysis firm Chainalysis said that in 2023, $24.2 billion in cryptocurrency was received by illicit addresses through everything from scams and stolen funds to ransomware and fraud, accounting for 0.34% of all on-chain transaction volume.
That’s a significant drop from the $39.6 billion lost in 2022, but the researchers noted that the higher total included previously unknown and highly active addresses hosted on sanctioned services and the $8.7 billion creditors are claiming in the FTX case. And the 2023 numbers could still grow as more theft is uncovered.
Life on the Ethereum Blockchain
The indictment uses the brothers’ action as a guide of sorts through the world of cryptocurrency and blockchains, or at least Ethereum and its blockchain, which is used by millions of people worldwide and in 2023 averaged more than 1 million transactions a day, the prosecutors wrote.
Validators determine that new blocks of recorded transaction information are valid before they’re added to the blockchain – a process that ensures the integrity and security of the blockchain – and validators are paid a portion of the maximum extractable value (MEV) of the transactions that make up the block. When a transaction is made, it’s not immediately put on the blockchain. It’s in a memory pool – or mempool – with other transactions, and it’s visible to the public.
MEV is the maximum value available when publishing a new block to the blockchain and, with a lack of block-building protocols, validators compete for MEV opportunities, which causes instability on the network. MEV-Boost is open source software that was created to bring more order to the process through protocols dictating how transactions are organized into blocks, according to the indictment. About 90% of Ethereum validators use MEV-Boost.
Then there are searchers, builders, and relays, to whom validators give the job of building the blocks, per protocols. Searchers scan the mempool using automated MEV bots, looking for profitable opportunities, and then send proposed bundles of transactions to builders. A builder compiles the bundles from various searchers into a block and proposes it to the relay, which submits the blockheader to the validator. The blockheader contains information like the payment coming to the validator for validating the proposed block.
All this, done automatically in software, takes fractions of a second, according to the indictment.
According to prosecutors, the relay is like an escrow account at a bank, holding the private information about the block as proposed by the builder until the validator commits to putting it on the blockchain.
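The escrow role described above can be modeled in a few lines. This is an added illustration, not code from MEV-Boost or the indictment; the class and function names, the HMAC stand-in for the validator's signature, and the sample transaction are all assumptions made for the sketch.

```python
import hashlib, hmac, json

def header_digest(header: dict) -> bytes:
    # Canonical encoding so the relay and the validator hash identical bytes.
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).digest()

def sign_header(validator_key: bytes, header: dict) -> str:
    # Stand-in for the validator's real signature (assumption: HMAC, not BLS).
    return hmac.new(validator_key, header_digest(header), hashlib.sha256).hexdigest()

class Relay:
    """Toy escrow: holds a builder's block body until the validator commits."""

    def __init__(self, validator_key: bytes):
        self._validator_key = validator_key
        self._escrow = {}  # block_hash -> (header, private transactions)

    def submit_block(self, transactions: list, payment_wei: int) -> dict:
        body = json.dumps(transactions).encode()
        header = {"block_hash": hashlib.sha256(body).hexdigest(),
                  "payment_wei": payment_wei}
        self._escrow[header["block_hash"]] = (header, transactions)
        return header  # only the header leaves the relay at this stage

    def release_body(self, signed_header: dict, signature: str) -> list:
        entry = self._escrow.get(signed_header.get("block_hash"))
        if entry is None:
            raise PermissionError("no block in escrow for this header")
        offered_header, transactions = entry
        # The commitment must cover exactly the header the relay offered.
        if signed_header != offered_header:
            raise PermissionError("signed header differs from offered header")
        expected = sign_header(self._validator_key, offered_header)
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("validator signature does not verify")
        return transactions

def demo():
    key = b"constructed-validator-key"  # constructed sample key
    relay = Relay(key)
    header = relay.submit_block([{"from": "searcher-1", "swap": "A->B"}], 10**16)
    released = relay.release_body(header, sign_header(key, header))
    try:
        relay.release_body(dict(header, payment_wei=0), sign_header(key, header))
        mismatch_rejected = False
    except PermissionError:
        mismatch_rejected = True
    return released, mismatch_rejected
```

The validator sees only the header and the payment until it signs; the private transactions are released only against a commitment to that exact header.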
Zeroing in on MEV-Boost
The Peraire-Buenos saw the weakness in the MEV-Boost software. They targeted three MEV bots that didn’t have particular checks, created 16 validators, and ran “bait” test transactions to entice the bots.
“In doing so, the defendants learned the trading behaviors of the Victim Traders’ MEV Bots,” the indictment reads.
On April 2, they learned that one of their validators was picked to validate a new block. They lured the victims’ MEV bots by proposing at least eight specific transactions they knew the bots would include in a proposed bundle. Through this, they were able to alter the transactions and grab the traders’ crypto, worth about $25 million. The entire process took 12 seconds.
“These brothers allegedly committed a first-of-its-kind manipulation of the Ethereum blockchain by fraudulently gaining access to pending transactions, altering the movement of the electronic currency, and ultimately stealing $25 million in cryptocurrency from their victims,” Thomas Fattorusso, special agent in charge of the IRS Criminal Investigation New York field office, said in a statement.
In the months after the heist, the brothers ignored demands by one of the victims, the victim’s lawyer, and an Ethereum representative to return the stolen digital assets and worked to launder the crypto. They searched online for crypto exchanges that could be used to wash the ill-gotten gains, as well as for such terms as “money laundering” and “exploit” and for information about U.S. extradition practices.