MIT students exploit ETH blockchain vulnerability to steal $25m in 12 seconds

May 17, 2024  15:08

Two MIT students are accused of stealing $25 million in roughly 12 seconds by exploiting a vulnerability in the Ethereum blockchain. If convicted, they face up to 60 years in prison.

According to the U.S. Department of Justice, brothers Anton and James Peraire-Bueno, both of whom studied at MIT, devised a sophisticated scheme in which they gained access to pending transactions, tampered with them, and redirected the funds to their own accounts. The scheme worked by exploiting a vulnerability in the Ethereum blockchain during the short window between a transaction being submitted and its being added to the blockchain.

Transactions on Ethereum are grouped into blocks, verified by a validator, and then added to the blockchain, which acts as a decentralized ledger tracking crypto assets. The brothers interfered in this process by setting up a series of Ethereum validators of their own, in a manner that concealed their identities.

To do this, they allegedly used "bait transactions" to attract trading bots, which are commonly used for automated trading. When the bots took the "bait," the brothers' validators altered the transactions, reordering the block in favor of the perpetrators before the block was added to the blockchain. In a press release from the Department of Justice, U.S. Attorney Damian Williams stated that the scheme is so complex that it "calls into question the very integrity of the blockchain."

According to the indictment, the brothers' online search history showed that they meticulously planned their scheme and "took numerous steps to conceal their illicit proceeds." These steps included "creating shell companies, using multiple private cryptocurrency addresses, and foreign cryptocurrency exchanges."

The brothers are charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering. Each count carries a maximum sentence of 20 years in prison.
