Two brothers who attended the prestigious Massachusetts Institute of Technology (MIT) were arrested this week and accused of fraud and money laundering after allegedly stealing $25 million worth of ETH coins within a mere 12 seconds.
Federal prosecutors say that the brothers, 24-year-old Anton Peraire-Bueno and 28-year-old James Peraire-Bueno, used their knowledge of mathematics and computer programming to perform a “cutting-edge scheme” that exploited vulnerabilities in the protocol that powers the well-known Ethereum blockchain.
The US Department of Justice (DOJ) announced the charges in an indictment published on Wednesday, marking what authorities describe as the first-ever prosecution involving the manipulation of blockchain transaction validation processes.
If convicted, the Peraire-Bueno brothers are facing up to 20 years in prison for each count. With three charges being brought against each of them, the two individuals face up to 60 years behind bars if a judge finds that they are guilty of all counts.
Breach of the Ethereum Blockchain’s Integrity is a Concern to Authorities
“The defendants’ scheme calls the very integrity of the blockchain into question,” asserted U.S. Attorney Damian Williams in a statement.
“The brothers, who studied computer science and math at one of the most prestigious universities in the world, allegedly used their specialized skills and education to tamper with and manipulate the protocols relied upon by millions of Ethereum users across the globe.”
Williams added: “And once they put their plan into action, their heist only took 12 seconds to complete. This alleged scheme was novel and has never before been charged.”
According to the indictment, the Peraire-Bueno brothers meticulously plotted their attack for several months before executing the digital heist.
Leveraging their in-depth knowledge of the Ethereum blockchain’s inner workings, they allegedly found a way to fraudulently gain control over the validation process involving pending transactions.
Prosecutors claim that the duo exploited vulnerabilities in the “MEV-boost” software used by most Ethereum validators – the entities responsible for checking the legitimacy of new transactions before they are added to the immutable blockchain ledger.
After they unlawfully gained control of this process, the brothers were able to manipulate the ordering and inclusion of specific pending cryptocurrency transfers to their benefit, siphoning a staggering total of $25 million worth of ETH tokens into wallets that were under their control in roughly the time that it takes to read this sentence.
As part of their plan, the brothers set up multiple Ethereum validators by creating shell companies to conceal their identities. By doing so, they gained access to a privileged position that allowed them to exploit the vulnerabilities mentioned earlier.
The heist was the result of a meticulous and sophisticated plan that challenges the notion that blockchain technology is immune to this type of hack, which involves tampering with the records stored in the network’s immutable ledger.
The Peraire-Bueno Brothers Planned for Nearly Five Months
The DOJ alleges that the scheme kicked off in December 2022 when the brothers began setting up a web of shell companies and opening accounts at foreign cryptocurrency exchanges with lax identity verification standards.
Over the following months, they researched and studied the behaviors of their intended targets – traders operating on the Ethereum network.
After months of planning and preparation, prosecutors claim that the brothers unleashed their attack in April 2023.
Their search histories reveal that they browsed the web to obtain information about how to conceal ownership of cryptocurrency, the crimes they were allegedly committing, top crypto defense lawyers, extradition policies for certain countries, and the statutes of limitations for money laundering charges.
To execute the heist, the Peraire-Buenos established their own validator nodes, which are software programs tasked with validating pending Ethereum transactions and bundling them into new blocks for addition to the blockchain. Validators are the key to Ethereum’s security as each one is tasked with checking the work of the thousands of other validators out there, but a single validator usually has very little power.
At a key moment, the indictment alleges that they deployed a series of “bait” transactions designed to attract bot programs that searched the pending transaction pool to expedite the validation process. When these bots identified the bait transactions as lawful, the brothers’ malicious validators were able to seize control of the pre-validation process.
They then managed to reorganize the queued transactions into a custom block that drained funds from legitimate transfers and reallocated a total of $25 million worth of Ethereum into crypto wallets under their control. It seems that they mostly tricked the infrastructure around the Ethereum blockchain (validator bots specifically) but not the chain itself.
The laundering process began within seconds as the funds were rapidly distributed to other wallets and foreign crypto exchanges with minimal identity requirements.
How Did Authorities Uncover the Peraire-Bueno Brothers’ Identities?
Despite the anonymous nature of blockchain transactions and the Peraire brothers’ efforts to hide behind the corporate veil, authorities managed to follow the money trail until they got to them.
“Regardless of the complexity of the case, we continue to lead the effort in financial criminal investigations with cutting-edge technology and good-ol’-fashioned investigative work, on and off the blockchain,” commented Thomas Fattorusso from the IRS Criminal Investigation (IRS-CI) New York Field Office.
It is unclear how authorities are managing to bypass so many layers of obscurity but the fact that they were able to ultimately uncover the identity of the brothers shows that efforts to enforce the law in the blockchain space have been progressively ramped up and strengthened.
Can the Vulnerabilities Exploited by the Brothers Be Used as Basis to Deny a Spot ETF Application?
Deputy Attorney General Lisa Monaco categorized the case as a major warning about the emerging threats that can still jeopardize the credibility of the still-nascent world of digital assets.
“As cryptocurrency markets continue to evolve, the Department [of Justice] will continue to root out fraud, support victims, and restore confidence to these markets,” she stated.
The case could also fuel skepticism among regulators who are actively evaluating the approval of new crypto investment products. For example, the Securities and Exchange Commission is expected to soon rule on whether to approve an exchange-traded fund (ETF) tied to Ethereum, the second-largest cryptocurrency after Bitcoin (BTC).
This high-profile criminal case, which calls into question some of the core procedures that make the Ethereum protocol safe, may result in the rejection of the ETF application amid concerns about investor protections in what remains a largely unregulated sector.
The Peraire brothers were reportedly contacted by the victims of their theft and asked to return the money. Who these victims were and how they managed to reach out to them, considering the anonymous nature of blockchain technology, is unclear.
Implications of the Peraire-Bueno Heist to the Crypto Industry
The price of the Ether (ETH) token was not notably affected by the Peraire brothers’ incident, meaning that investors are not concerned – at least not until now – about the implications that the case could have on the perceived immutability of the smart contracts blockchain.
With a market cap exceeding $300 billion, any major cracks in the ceiling that put into question the security or integrity of the Ethereum network could have devastating effects on both the project founded by Vitalik Buterin and the entire crypto space, considering that the smart contracts blockchain is the most widely used to deploy innovative solutions within the gaming and decentralized finance (DeFi) space.
It remains to be seen if there will be changes or modifications to the protocol that aim to address this kind of vulnerability to prevent other bad actors from taking advantage of this mechanism to perform similar schemes.