Brothers Accused of $25M Ethereum Exploit as U.S. Reveals Fraud Charges

The alleged 12-second attack related to the controversial practice known as MEV, or maximal extractable value.

May 15, 2024 at 4:24 p.m. UTC
Updated May 15, 2024 at 5:19 p.m. UTC

Two brothers have been arrested by the U.S. Department of Justice for attacking the Ethereum blockchain and stealing $25 million of cryptocurrency during a 12-second exploit, according to an indictment unsealed on Wednesday.

The indictment charges Anton Peraire-Bueno, 24, of Boston, and James Peraire-Bueno, 28, of New York, with conspiracy to commit wire fraud, wire fraud and conspiracy to commit money laundering.

The charges are significant because they represent a first-of-its-kind criminal action from the U.S. government related to the controversial practice of MEV, or maximal extractable value, whereby the operators of Ethereum (and similar blockchains) preview upcoming transactions from users to earn an extra profit for themselves. The government suggests in the indictment that the very existence of MEV illustrates how Ethereum itself is a vulnerable system.

"[T]he defendants’ scheme calls the very integrity of the blockchain into question," Damian Williams, U.S. Attorney for the Southern District of New York, said in a press release.

What is MEV-Boost?

According to Wednesday's indictment, the Peraire-Bueno brothers exploited MEV-boost, MEV software used by most of the validators that run the Ethereum blockchain.

The indictment walks through how Ethereum works, highlighting its staking consensus mechanism and the role of validators as participants who secure the network.

When users submit transactions to Ethereum, those transactions are not immediately written to the blockchain's ledger. Instead, they're added to a "mempool" – a waiting area for other yet-to-be-processed transactions.

MEV-boost lets "block builders" assemble those mempool transactions into official blocks. MEV bots called "searchers" scour the mempool for profitable trading opportunities and will sometimes "bribe" builders to insert or re-order transactions in a manner that would net them an extra profit. (These "MEV strategies" can sometimes eat into the profits of end users.)

Validators, the operators that ultimately add blocks to the Ethereum blockchain, take the pre-built blocks from MEV-boost and then write them to the chain, where they're cemented permanently.

The exploit

The Peraire-Bueno brothers exploited a bug in MEV-boost's code that allowed them to preview the content of blocks before they were officially delivered to validators, according to the indictment.

The brothers created 16 Ethereum validators and targeted three specific traders who operated MEV bots, the indictment said. They used bait transactions to figure out how those bots traded, lured the bots to one of their validators, which was validating a new block, and tricked the bots into proposing certain transactions. The brothers allegedly frontran the bots on certain trades and also used their validator to "tamper with" the new block by sending a false digital signature that gave them access to the block's full contents and replaced "lure transactions" with "tampered transactions." In those tampered transactions, the brothers allegedly sold illiquid cryptocurrencies they had tricked the victims' trading bots into placing buy orders for.

"In effect, the Victim Traders sold approximately $25 million of various stablecoins or other more liquid cryptocurrencies to purchase particularly illiquid cryptocurrencies," the document said. "In effect, the Tampered Transactions drained the particular liquidity pools of all the cryptocurrency that the Victim Traders had deposited based on their frontrun trades."

This meant the traders couldn't sell their new illiquid cryptos, which were "rendered effectively worthless," while the defendants made off with the $25 million in stablecoins and other "more liquid cryptocurrencies," the DOJ alleged.

The defendants then allegedly laundered the funds through various addresses and sets of transactions, including converting the stolen funds into DAI and then USDC.

“These brothers allegedly committed a first-of-its-kind manipulation of the Ethereum blockchain by fraudulently gaining access to pending transactions, altering the movement of the electronic currency, and ultimately stealing $25 million in cryptocurrency from their victims,” Special Agent in Charge Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office said in the statement.

The indictment walks through some of what investigators found, including "a document setting forth their plans," the launch of shell companies, test transactions to identify best practices for attracting MEV bots and internet search histories.

UPDATE (May 15, 17:19 UTC): Adds details throughout.

Edited by Nick Baker.

Disclosure


CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Sam Kessler

Sam is CoinDesk's deputy managing editor for tech and protocols. He reports on decentralized technology, infrastructure and governance. He owns ETH and BTC.

Nikhilesh De

Nikhilesh De is CoinDesk's managing editor for global policy and regulation. He owns marginal amounts of bitcoin and ether.

