Just when you’ve thought you’ve seen everything when it comes to cryptocurrency theft, two brothers attending MIT have uncovered a brand new way to steal millions.
According to a U.S. Department of Justice (DOJ) announcement on Wednesday, Anton Peraire-Bueno and James Peraire-Bueno have both been charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering. The brothers allegedly found a way to exploit the Ethereum blockchain and stole $25 million in cryptocurrency as a result.
“As we allege, the defendants’ scheme calls the very integrity of the blockchain into question,” U.S. Attorney Damian Williams for the Southern District of New York said in a statement. “The brothers, who studied computer science and math at one of the most prestigious universities in the world, allegedly used their specialized skills and education to tamper with and manipulate the protocols relied upon by millions of Ethereum users across the globe.”
“Once they put their plan into action, their heist only took 12 seconds to complete,” Williams continued. “This alleged scheme was novel and has never before been charged.”
How two MIT students exploited the Ethereum blockchain
While one part of the brothers’ scheme may have taken only 12 seconds, the DOJ indictment makes it clear that they meticulously planned and prepared for months in order to successfully exploit the Ethereum blockchain.
On the Ethereum blockchain, transactions aren’t verified in chronological order, but by “maximum extractable value” or MEV, essentially how much value can be earned by validators from the transaction. Validators verify transactions, and in turn, add new blocks to the blockchain.
Mashable Light Speed
Want more out-of-this world tech, space and science stories?
Sign up for Mashable’s weekly Light Speed newsletter.
By signing up you agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
According to the DOJ, the two MIT students exploited a flaw in MEV-Boost, an open-source software used by 90 percent of Ethereum validators. Upon discovering the exploit, Anton and James Peraire-Bueno set up a series of validators using shell companies in order to conceal their identities. The DOJ alleges it took “several months” for the two to prepare for their scheme.
The Peraire-Bueno brothers set their plot in motion by creating “bait transactions” in order to trick “victim traders” into revealing their trading behaviors.
In April 2023, the two pulled off their $25 million crypto heist by “luring” in the victim traders’ MEV bots with eight transactions containing “illiquid cryptocurrency” to frontrun and then transfer into stablecoins and other liquid cryptocurrencies. These bundled “Lure Transactions” from the brothers were timed to be verified by one of their own validators.
From there, the brothers further exploited the system by forging signatures to deceive the blockchain relay into releasing the transaction information, which they then manipulated. As a result, Anton and James Peraire-Bueno walked away with $25 million and proceeded to take further steps to conceal their alleged crime.
“These brothers allegedly committed a first-of-its-kind manipulation of the Ethereum blockchain by fraudulently gaining access to pending transactions, altering the movement of the electronic currency, and ultimately stealing $25 million in cryptocurrency from their victims,” said Special Agent in Charge Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office in a statement. “In this case, IRS-CI New York’s Cyber Unit simply followed the money.”
According to the DOJ, the two left a trail of incriminating evidence, including a document laying out the exploit in full detail, breaking their scheme into “four stages:” The Bait, Unblinding the Block, The Search, and The Propagation.
In addition, in the weeks and months following the exploit, the brothers search history unveiled queries for terms such as “top crypto lawyers,” “wire fraud statute of limitations,” “money laundering,” “fraudulent Ethereum addresses database,” and searches related to which countries the U.S. has extradition agreements with.
The two face up to twenty years in prison for each charge.