US accuses Canadian math prodigy of $65M crypto scheme
Suspect, still at large, said to back concept that 'code is law'
New York feds today unsealed a five-count criminal indictment charging a 22-year-old Canadian math prodigy with exploiting vulnerabilities in two decentralized finance protocols, allegedly using them to fraudulently siphon around $65 million from investors in the platforms.
Prosecutors allege Andean Medjedovic abused automated smart contracts used by the KyberSwap and Indexed Finance protocols to enrich himself. In the case of KyberSwap, where $48.4 million was drained from KyberSwap Elastic liquidity pools in November 2023, it is claimed that Medjedovic borrowed hundreds of millions of dollars in digital tokens, then ran several "deceptive trades" that he "knew would cause the protocols' smart contracts to falsely calculate key variables" before transferring them to a wallet under his control.
Medjedovic allegedly called the exploit a "glitch" and "fake" liquidity. The feds also claim Medjedovic stole $16.5 million from two liquidity pools operated by the Indexed Finance protocol on the Ethereum blockchain platform in October 2021.
Medjedovic is additionally accused of trying to extort victims of the 2023 vulnerability exploit at KyberSwap, and of laundering the alleged assets through a series of transactions transferring them between more than one blockchain network, a process known as "bridging." The indictment alleges that he "attempted to use several Layer 2 bridges to move approximately $42 million in fraudulently obtained crypto assets to the Ethereum blockchain."
But prosecutors say that these funds could be traced to the KyberSwap exploit, and that "several of the bridges" then attempted to block the transactions. The indictment claims that while messaging "support channels" for those bridges seeking help in moving the transactions forward, Medjedovic offered the support channel for one bridge protocol "$50k in order to get my $100k unfrozen," allegedly adding: "If not, I have no other options but to alert authorities."
According to the indictment:
The protocol support service replied, "You want to alert the authorities that you hacked Kyber and stole users' funds..??" Medjedovic replied, "Yes, I am willing to alert the authorities. Committing a crime against someone who may or may not be a criminal is still a crime."
The indictment also claims Medjedovic prepared a "post-exploitation" plan for himself, which included, among other things, notes saying "KEEP the configs," "Burn the evidence, including the histfile" and "*Book flight to: *Pack Bags," as well as another file labeled "Decisions and Mistakes," in which he allegedly wrote, "Going On the run / Yes / Chance of getting caught<Payoff for not getting caught /(NA) /Risk is typically underpriced in modern world."
Medjedovic, then a 19-year-old prodigy who had already completed his master's in mathematics at Canada's University of Waterloo before hitting 20, was previously sued in Canada by Cicada 137 LLC, a company representing some of the investors in Indexed Finance, in a 2021 case in the Ontario Superior Court of Justice.
He appeared via videoconferencing software at a hearing in the Canadian case in December that year. The judge later issued an arrest warrant after the teen failed to appear at subsequent hearings, saying authorities were "still searching for his whereabouts to find the passwords and other necessary information to freeze the disputed cryptocurrency."
According to those court documents, he is still "in hiding." His parents told the court their son had moved out, "taken his computers and phone, and that they did not know where he was."
In interviews with journalists since that time, Medjedovic has reportedly claimed he had moved to "whitehat work" and had been living in Europe and South America.
- North Koreans clone open source projects to plant backdoors, steal credentials
- You probably have more CIO experience than the incoming White House CIO
- DARPA asking for ideas on automating money laundering detection
- Trump's freshly minted meme coin passes $10B market cap
Ontario Superior Court's Fred Myers, presiding, said at the time: "Refusing to participate does not indicate a good faith belief in the justice of one's cause. If Andean Medjedovic wants to assert that the code speaks or the code is law, he has to participate in the lawful process pending the outcome of the debate." Medjedovic allegedly used the "code is law" defense in exchanges with victims.
Medjedovic is charged by US prosecutors with wire fraud, unauthorized damage to a protected computer, attempted Hobbs Act extortion, and two money laundering charges. Information about Medjedovic's lawyers was not immediately available. If he were convicted, he would face a maximum penalty of ten years in prison for one count of unauthorized damage to a protected computer and 20 years on each of the other counts.
As always in these cases, none of the allegations in the indictment have been tested in court and suspects are innocent until proven guilty. ®