First Criminal Case Involving Attack on a Smart Contract Operated by DeX

[zasad@]

https://www.justice.gov/usao-sdny/pr/former-security-engineer-international-technology-company-arrested-defrauding
"Damian Williams, the United States Attorney for the Southern District of New York, Chad Plantz, the Special Agent in Charge of the San Diego Field Office of Homeland Security Investigations (“HSI”), and Tyler Hatcher, the Special Agent in Charge of the Los Angeles Field Office of the Internal Revenue Service - Criminal Investigation (“IRS-CI”), announced the unsealing of an Indictment charging SHAKEEB AHMED with wire fraud and money laundering in connection with his attack on a decentralized cryptocurrency exchange (the “Crypto Exchange”).  AHMED was arrested this morning in New York, New York, and will be presented this afternoon before U.S. Magistrate Judge Robert W. Lehrburger. "

__
To combat fraud on DeX, it turns out that no new legislation is needed.

[1714530959]

1714530959

[1714530959]

1714530959

[1714530959]

1714530959

[hugeblack]

It seems that we are talking about a hacker, and if my memory does not fail me, I think that the intended bridge here is polygon bridge because during the past year it was hacked and then part of the money was returned, and therefore we are talking about an information crime related to penetration and money laundering more than a case related to cryptocurrencies.

After he stole the fees he never legitimately earned, AHMED had communications with the Crypto Exchange in which he decided to return all of the stolen funds except for $1.5 million if the Crypto Exchange agreed not to refer the attack to law enforcement.  

At the time of the attack, AHMED was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills AHMED used to execute the attack.  

Unfortunately, it seems that the search engines are the government's back door in this case, and here I am expecting cooperation from Apple and Google, as they were able to know the words that he searched for.

after the attack, AHMED conducted an internet search for the term “defi hack,” read several news articles about the hack of the Crypto Exchange, and visited several pages on the Crypto Exchange’s website.  As another example, AHMED conducted internet searches or visited websites related to the charges in the indictment, including by searching for the term “wire fraud” and for the term “evidence laundering.”

To combat fraud on DeX, it turns out that no new legislation is needed.

All anti-money laundering laws contain loose sentences that enable governments to prosecute individuals with them, even if new technology appears, such as saying that trading any asset that is not supported by the Central Bank is considered an aid in money laundering.

[ololajulo]

While I do not condone illegal activities, I believe the criminal's actions are driven by excessive greed. They seem to believe their vast knowledge in the field makes them invincible, as they plan to steal and hoard the money solely for themselves. However, their plans may be foiled when they encounter a team of highly organized government technologists.

[bbc.reporter]

To combat fraud on DeX, it turns out that no new legislation is needed.

We cannot be quite certain if there should be. If someone stole assets that belong to the people who use the DEX and provide liquidity for the DEX, this is still called theft hehe.

This case also sets a good precedent because this might discourage flash loan attacks. However, developement teams should also encourage whitehat hacking and give security engineers generous bounties to find security vulnerabilities.

[yhiaali3]

I wonder in such an incident will the money stolen by the hacker be returned to the "Crypto Exchange" or will it be confiscated by the US government?

I do not know if this hacked exchange is licensed in the United States or not, so if the stolen money is returned, will it be returned to the exchange, or will the affected users be compensated?

But most likely I think the US government will confiscate this money due to money laundering charges and no one will be compensated.

[hugeblack]

This case also sets a good precedent because this might discourage flash loan attacks. However, developement teams should also encourage whitehat hacking and give security engineers generous bounties to find security vulnerabilities.

No matter how generous the rewards are, in the end the amount that can be hacked is very large. We are talking about millions of dollars. The good side is that these bridges are not easy to find loopholes in, so it is likely that most of bugs are discovered by the developer team, cooperation with the security authorities or making the code open. The source is the solution. In the end, a hacker will not risk his life for millions of dollars and will prefer a reward.

I wonder in such an incident will the money stolen by the hacker be returned to the "Crypto Exchange" or will it be confiscated by the US government?

According to the cases open on the judge. If it was money laundering, it will be confiscated, and if it is related to hackers or money stolen, then it will be returned.

[Who is John Galt?]

To combat fraud on DeX, it turns out that no new legislation is needed.

When it comes to a single case, existing legislation and precedents can often help, but when it comes to a significant number of the same type of violations, it will be necessary to more clearly and directly prescribe the relevant concepts in the laws so as not to complicate the proceedings of each specific case.

Of course, most crimes can be described one way or another in the laws of past centuries, but it is still necessary to keep the system of laws up to date.

[bbc.reporter]

This case also sets a good precedent because this might discourage flash loan attacks. However, developement teams should also encourage whitehat hacking and give security engineers generous bounties to find security vulnerabilities.

No matter how generous the rewards are, in the end the amount that can be hacked is very large. We are talking about millions of dollars. The good side is that these bridges are not easy to find loopholes in, so it is likely that most of bugs are discovered by the developer team, cooperation with the security authorities or making the code open. The source is the solution. In the end, a hacker will not risk his life for millions of dollars and will prefer a reward.

However, if the hacker is not a real criminal or a member of the Lazarus Group, it would be better and less risky to take the bounty instead of having your wallet constantly followed and scanned by blockchain analytics. It would be a very similar situation as this Argentinian hacker where he had no choice but to return the most of the stolen coins because he cannot send them anywhere without exposing himself.



Jaime confirmed he gave most of the money back, but said on March 17 that he unwittingly sent $200,000 in Ether to Lazarus Group — a state-sponsored North Korean crime syndicate sanctioned by the US Treasury.

Source https://www.dlnews.com/articles/defi/argentinian-euler-hacker-explains-exploit-from-a-paris-jail/

[LoyceV]

AHMED carried out an attack on the Crypto Exchange by exploiting a vulnerability in one of the Crypto Exchange’s smart contracts and inserting fake pricing data to fraudulently cause that smart contract to generate approximately $9 million dollars’ worth of inflated fees

This has been the problem with "smart" contracts ever since Ethereum's DAO "hack": the contract isn't as smart as they want you to believe, and the users don't even understand how it works.

AHMED was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills AHMED used to execute the attack.

With normal contracts, you have to be a lawyer to fully understand what's in there. With smart contracts, you need to be a security engineer to understand it.
That's ironic: the sole purpose of a smart contract was be to make it trustless. If it's trustless, fraud wouldn't be possible.

As a user, I stay away from "smart" contracts. Don't send your money into something you don't fully understand!

[Fiatless]

He then allegedly tried to hide the stolen funds, but his skills were no match for IRS Criminal Investigation's Cyber Crimes Unit.

It gladdens my heart to know that government investigators are now more skillful in tracking stolen hackers. This is a sign of hope that people who lose funds in these exchanges can get their funds back. This could also serve as a deterrent to others because they have nowhere to hide. To avoid being a victim, it is better not to patronize CEX.

After the attack, AHMED searched online for information about the attack, his own criminal liability, criminal defense attorneys with expertise in similar cases, law enforcement’s ability to successfully investigate the attack, and fleeing the United States to avoid criminal charges.

I have seen several cases where investigators derive substantial evidence from the web search conducted by the suspect. Scammers and hackers will have to stay clear from search engines.

[zasad@]

AHMED carried out an attack on the Crypto Exchange by exploiting a vulnerability in one of the Crypto Exchange’s smart contracts and inserting fake pricing data to fraudulently cause that smart contract to generate approximately $9 million dollars’ worth of inflated fees

This has been the problem with "smart" contracts ever since Ethereum's DAO "hack": the contract isn't as smart as they want you to believe, and the users don't even understand how it works.

AHMED was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills AHMED used to execute the attack.

With normal contracts, you have to be a lawyer to fully understand what's in there. With smart contracts, you need to be a security engineer to understand it.
That's ironic: the sole purpose of a smart contract was be to make it trustless. If it's trustless, fraud wouldn't be possible.

As a user, I stay away from "smart" contracts. Don't send your money into something you don't fully understand!

https://twitter.com/PeckShieldAlert/status/1680897837947813894/photo/1

https://twitter.com/PeckShieldAlert/status/1680897837947813894
"#PeckShieldAlert In H1 2023, there are 395+ major hacks (386 DeFi related) in Web3 space, leading to ~$479.4m loss."

The number of scams and hacks in the DeFi ecosystem is decreasing and we are seeing a decrease of almost 5 times compared to the same period in 2022.
https://forklog.com/news/analitiki-podschitali-chislo-hakerskih-atak-na-kriptoproekty-za-polgoda

I am also afraid of smart contracts, and therefore I do not store coins on addresses that I use for exchanges through smart contracts.

[LoyceV]

"#PeckShieldAlert In H1 2023, there are 395+ major hacks (386 DeFi related) in Web3 space, leading to ~$479.4m loss."

"The future of finance". And people keep falling for it.

[bbc.reporter]

AHMED carried out an attack on the Crypto Exchange by exploiting a vulnerability in one of the Crypto Exchange’s smart contracts and inserting fake pricing data to fraudulently cause that smart contract to generate approximately $9 million dollars’ worth of inflated fees

This has been the problem with "smart" contracts ever since Ethereum's DAO "hack": the contract isn't as smart as they want you to believe, and the users don't even understand how it works.

AHMED was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills AHMED used to execute the attack.

With normal contracts, you have to be a lawyer to fully understand what's in there. With smart contracts, you need to be a security engineer to understand it.
That's ironic: the sole purpose of a smart contract was be to make it trustless. If it's trustless, fraud wouldn't be possible.

As a user, I stay away from "smart" contracts. Don't send your money into something you don't fully understand!

In reality smart contracts is nothing similar to legal contracts. It was only a storyline created by the developers and cryptonews media irresponsibly spread the wrong idea among the naive people in the cryptospace which much of us were on 2015.

Presently the smart contracts that were hacked have vulnerabilities because of lack audit, the lack of skill by the auditor and also lack of skill by the developers. However, there might be a fix. I reckon users can be given the ability to audit the code by themselves through AI. If AI can generate code, it can be made to audit code. The next step might also be to audit these audtitors and investigate who might be scammers hehehe.

[LoyceV]

Presently the smart contracts that were hacked have vulnerabilities because of lack audit, the lack of skill by the auditor and also lack of skill by the developers.

It would be better to just call them "dumb contracts".

However, there might be a fix. I reckon users can be given the ability to audit the code by themselves through AI.

So there's an unknown problem and a future black box might be a solution? That makes no sense. Let's face it: smart contracts were nothing more than a hype used to earn money from gullible people. I've seen that countless times in crypto, and it will keep happening hype after hype.

[Heisenberg_Hunter]

In reality smart contracts is nothing similar to legal contracts. It was only a storyline created by the developers and cryptonews media irresponsibly spread the wrong idea among the naive people in the cryptospace which much of us were on 2015.

Presently the smart contracts that were hacked have vulnerabilities because of lack audit, the lack of skill by the auditor and also lack of skill by the developers. However, there might be a fix. I reckon users can be given the ability to audit the code by themselves through AI. If AI can generate code, it can be made to audit code. The next step might also be to audit these audtitors and investigate who might be scammers hehehe.

On top of various hacks happening because of the poor smart contract programming, some of them have been relatively centralized with the keys of bridges being held by one single entity where in a such a case when the entity dies or disappears under mysterious circumstances the whole chain or the bridge comes down taking with them the millions being locked onto the chains and bridges. One such incident happened where more than $100m were transferred out of the Multichain Bridge in FTM chain and funnily the CEO held the keys and he was probably running a rug pull all the time since the beginning scamming the users of the bridge  .

The incident unfolded back in May when the CEO was arrested under some some circumstances by Chinese officials and his servers were locked out. Eventually till July, the Multichain team was hiding this information and they were running the bridge as usual and on July, user assets (primarily native stablecoins) which were bridged were transferred to unknown anonymous addresses thereby making the USDC & DAI to depeg on the FTM chain. As majority of us know that, Circle issues USDC only on a handful of L1 chains natively and in the rest of the chains such as BSC or FTM in this particular case are bridged with equivalent amounts. Shockingly, Multichain bridge was a major issuer of Bridged_USDC on the FTM chain and their rug pull has squeezed the volume on FTM altogether to new lows.

Hence, in such a case even if the code of the smart contract is good and un-hackable the company or entity behind the contract should be trusted which brings down the whole vision of cryptocurrencies. Additionally, we can never be sure of BSC bridged assets as well since Binance being a centralized company can go down anytime taking down the BSC assets along with them. Instant settlement features such as Swaps can always be a good option rather than holding money onto third party bridges in my opinion.

P.S : Full scam announcement from Multichain can be viewed in this Twitter Thread

[zasad@]

Presently the smart contracts that were hacked have vulnerabilities because of lack audit, the lack of skill by the auditor and also lack of skill by the developers.

It would be better to just call them "dumb contracts".

However, there might be a fix. I reckon users can be given the ability to audit the code by themselves through AI.

So there's an unknown problem and a future black box might be a solution? That makes no sense. Let's face it: smart contracts were nothing more than a hype used to earn money from gullible people. I've seen that countless times in crypto, and it will keep happening hype after hype.

The audit of smart contracts does not provide any guarantees. In my collection there are projects that have passed several audits of large firms and then were hacked.
https://bitcointalk.org/index.php?topic=5267124
You need to learn how to work with smart contracts and try not to block coins in them. I use them for trading.

[bbc.reporter]

Presently the smart contracts that were hacked have vulnerabilities because of lack audit, the lack of skill by the auditor and also lack of skill by the developers.

It would be better to just call them "dumb contracts".

However, there might be a fix. I reckon users can be given the ability to audit the code by themselves through AI.

So there's an unknown problem and a future black box might be a solution? That makes no sense. Let's face it: smart contracts were nothing more than a hype used to earn money from gullible people. I've seen that countless times in crypto, and it will keep happening hype after hype.

You can call them anything but they really are not contracts. They are computer code programmed to do whatever they are instructed to do.

In any case, I disagree that smart contracts are only hype. Many of these projects might presently be existing only because of hype, however, I reckon Nick Szabo had a different vision when he invented the term. We might witness a good development team create something we can consider a good smart contract platform in the future.

Also, on AI, I am not quite certain. I was shocked to see that it can generate code. I am only speculating that it can be used to audit code.

[dansus021]

To combat fraud on DeX, it turns out that no new legislation is needed.

All anti-money laundering laws contain loose sentences that enable governments to prosecute individuals with them, even if new technology appears, such as saying that trading any asset that is not supported by the Central Bank is considered an aid in money laundering.
[/quote]

I think we need a set of new rules for the crypto industry.

If not I think there will be more and more lawsuits in the coming future and not gonna end in Binance.US or Coinbase. maybe cases like XRP will showed up again.
On the other hand, DeX is highly unregulated so yeah it offers us more privacy and control but in some cases US dont like it at all

[zasad@]

I think we need a set of new rules for the crypto industry.

If not I think there will be more and more lawsuits in the coming future and not gonna end in Binance.US or Coinbase. maybe cases like XRP will showed up again.
On the other hand, DeX is highly unregulated so yeah it offers us more privacy and control but in some cases US dont like it at all

DeX is more transparent in terms of transaction control, and there is no need to come up with new legislation for these exchanges. Only whitelists and KYC for each wallet are enough.
DeX provides no privacy when used across many ecosystems, and most trading takes place within the Ethereum ecosystem and its L2 layers.

[bbc.reporter]

I think we need a set of new rules for the crypto industry.

If not I think there will be more and more lawsuits in the coming future and not gonna end in Binance.US or Coinbase. maybe cases like XRP will showed up again.
On the other hand, DeX is highly unregulated so yeah it offers us more privacy and control but in some cases US dont like it at all

DeX is more transparent in terms of transaction control, and there is no need to come up with new legislation for these exchanges. Only whitelists and KYC for each wallet are enough.
DeX provides no privacy when used across many ecosystems, and most trading takes place within the Ethereum ecosystem and its L2 layers.

I shake my head if you of all the people in the forum support the whitelisting and the imposing of KYC on self custodied wallets. What are we supporting decentrlzation for if we accept this? This is where I begin to appreciate the bitcoin maximalists' argument on anonymity and the fight against censorship. We should be very cautious on this issue, I reckon. We might be tricked into accepting something that might make the cryptospace function like a duplicate of traditional finance.