Article Details

US accuses Canadian math prodigy of $65M crypto scheme. Suspect, still at large, said to back concept that 'code is law'. New York feds today unsealed a five-count criminal indictment charging a 22-year-old Canadian math prodigy with exploiting vulnerabilities in two decentralized finance protocols, allegedly using them to fraudulently siphon around $65 million from investors in the platforms. Prosecutors allege Andean Medjedovic abused automated smart contracts used by the KyberSwap and Indexed Finance protocols to enrich himself. In the case of KyberSwap, where $48.4 million was drained from KyberSwap Elastic liquidity pools in November 2023, it is claimed that Medjedovic borrowed hundreds of millions of dollars in digital tokens, then ran several "deceptive trades" that he "knew would cause the protocols' smart contracts to falsely calculate key variables" before transferring them to a wallet under his control. Medjedovic allegedly called the exploit a "glitch" and "fake" liquidity. The feds also claim Medjedovic stole $16.5 million from two liquidity pools operated by the Indexed Finance protocol on the Ethereum blockchain platform in October 2021. Medjedovic is additionally accused of trying to extort victims of the 2023 vulnerability exploit at KyberSwap, and of laundering the alleged assets through a series of transactions transferring them between more than one blockchain network, a process known as "bridging." The indictment alleges that he "attempted to use several Layer 2 bridges to move approximately $42 million in fraudulently obtained crypto assets to the Ethereum blockchain." But prosecutors say that these funds could be traced to the KyberSwap exploit, and that "several of the bridges" then attempted to block the transactions. The indictment claims that while messaging "support channels" for those bridges seeking help in moving the transactions forward, Medjedovic offered the support channel for one bridge protocol "$50k in order to get my $100k unfrozen," allegedly adding: "If not, I have no other options but to alert authorities." According to the indictment: The protocol support service replied, "You want to alert the authorities that you hacked Kyber and stole users' funds..??" Medjedovic replied, "Yes, I am willing to alert the authorities. Committing a crime against someone who may or may not be a criminal is still a crime." The indictment also claims Medjedovic prepared a "post-exploitation" plan for himself, which included, among other things, notes saying "KEEP the configs," "Burn the evidence, including the histfile" and "*Book flight to: *Pack Bags," as well as another file labeled "Decisions and Mistakes," in which he allegedly wrote, "Going On the run / Yes / Chance of getting caught<Payoff for not getting caught /(NA) /Risk is typically underpriced in modern world." Code is law Code is law is the idea most closely associated with constitutional lawyer, internet activist, and massively unsuccessful one-time US presidential candidate Lawrence Lessig, who wrote about the concept in "Code and Other Laws of Cyberspace" 25 years ago (technically, the phrase was coined by MIT professor William J. Mitchell). The idea is that rules conceived of while programming networks, software, etc. wield quasi-legislative power because they decide who is allowed where, and what is permitted and not permitted. Put another way, "If you've written flawed rules for your system and I can crack it, or my malware can exploit it, it's fair game." Lessig advocated for open source software to make decision-making transparent and, later, and more controversially – in Code version 2.0 – that the state should get involved where private corporations made this impossible. Postulating specifically about the legal theory in the Canadian case, litigation law firm Carbert Waite LLP commented it was "unlikely that our courts would adopt the principle that code is law as this would create an arms race where parties would work to develop better and better programming code for the sole purpose of taking assets from other parties. Certainly, the courts would not condone such conduct." Medjedovic, then a 19-year-old prodigy who had already completed his master's in mathematics at Canada's University of Waterloo before hitting 20, was previously sued in Canada by Cicada 137 LLC, a company representing some of the investors in Indexed Finance, in a 2021 case in the Ontario Superior Court of Justice. He appeared via videoconferencing software at a hearing in the Canadian case in December that year. The judge later issued an arrest warrant after the teen failed to appear at subsequent hearings, saying authorities were "still searching for his whereabouts to find the passwords and other necessary information to freeze the disputed cryptocurrency." According to those court documents, he is still "in hiding." His parents told the court their son had moved out, "taken his computers and phone, and that they did not know where he was." In interviews with journalists since that time, Medjedovic has reportedly claimed he had moved to "whitehat work" and had been living in Europe and South America. Ontario Superior Court's Fred Myers, presiding, said at the time: "Refusing to participate does not indicate a good faith belief in the justice of one's cause. If Andean Medjedovic wants to assert that the code speaks or the code is law, he has to participate in the lawful process pending the outcome of the debate." Medjedovic allegedly used the "code is law" defense in exchanges with victims. Medjedovic is charged by US prosecutors with wire fraud, unauthorized damage to a protected computer, attempted Hobbs Act extortion, and two money laundering charges. Information about Medjedovic's lawyers was not immediately available. If he were convicted, he would face a maximum penalty of ten years in prison for one count of unauthorized damage to a protected computer and 20 years on each of the other counts. As always in these cases, none of the allegations in the indictment have been tested in court and suspects are innocent until proven guilty.