Two brothers have been arrested by the U.S. Department of Justice for attacking the Ethereum blockchain and stealing $25 million of cryptocurrency during a 12-second exploit, according to an indictment unsealed on Wednesday.
The indictment charges Anton Peraire-Bueno, 24, of Boston, and James Pepaire-Bueno, 28, of New York, with conspiracy to commit wire fraud, wire fraud and conspiracy to commit money laundering.
The charges are significant because they represent a first-of-its-kind criminal action from the U.S. government related to the controversial practice of MEV, or maximal extractable value, whereby the operators of Ethereum (and similar blockchains) preview upcoming transactions from users to earn an extra profit for themselves. The government suggests in the indictment that the very existence of MEV illustrates how Ethereum itself is a vulnerable system.
“[T]he defendants’ scheme calls the very integrity of the blockchain into question,” Damian Williams, U.S. Attorney for the Southern District of New York, said in a press release.
According to Wednesday’s indictment, the Pepaire-Bueno brothers exploited MEV-boost, an MEV software used by most of the validators that run the Ethereum blockchain.
The indictment walks through how Ethereum works, highlighting its staking consensus mechanism and the role of validators as participants who secure the network.
Read more: What Is MEV, aka Maximal Extractable Value?
When users submit transactions to Ethereum, those transactions are not immediately written to the blockchain’s ledger. Instead, they’re added to a “mempool” – a waiting area for other yet-to-be-processed transactions.
MEV-boost lets “block builders” assemble those mempool transactions into official blocks. MEV bots called “searchers” scour the mempool for profitable trading opportunities and will sometimes “bribe” builders to insert or re-order transactions in a manner that would net them an extra profit. (These “MEV strategies” can sometimes eat into the profits of end users.)
Validators, the operators that ultimately add blocks to the Ethereum blockchain, take the pre-built blocks from MEV-boost and then write them to the chain, where they’re cemented permanently.
The Pepaire-Bueno brothers exploited a bug in MEV-boost’s code that allowed them to preview the content of blocks before they were officially delivered to validators, according to the indictment.
The brothers created 16 Ethereum validators and targeted three specific traders who operated MEV bots, the indictment said. They used bait transactions to figure out how those bots traded, lured the bots to one of their validators which was validating a new block and basically tricked these bots into proposing certain transactions. The brothers allegedly frontran the bots on certain trades and also used their validator to “tamper with” the new block by sending a false digital signature that gave them access to the block’s full contents and replaced “lure transactions” with “tampered transactions.” In those tampered transactions, the brothers allegedly sold illiquid cryptocurrencies they had tricked the victims’ trading bots into placing buy orders for.
“In effect, the Victim Traders sold approximately $25 million of various stablecoins or other more liquid cryptocurrencies to purchase particularly illiquid cryptocurrencies,” the document said. “In effect, the Tampered Transactions drained the particular liquidity pools of all the cryptocurrency that the Victim Traders had deposited based on their frontrun trades.”
This meant the traders couldn’t sell their new illiquid cryptos, which were “rendered effectively worthless,” while the defendants made off with the $25 million in stablecoins and other “more liquid cryptocurrencies,” the DOJ alleged.
The defendants then allegedly laundered the funds through various addresses and sets of transactions, including converting the stolen funds into DAI and then USDC.
“These brothers allegedly committed a first-of-its-kind manipulation of the Ethereum blockchain by fraudulently gaining access to pending transactions, altering the movement of the electronic currency, and ultimately stealing $25 million in cryptocurrency from their victims,” Special Agent in Charge Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office said in the statement.
The indictment walks through some of what investigators found, including “a document setting forth their plans,” the launch of shell companies, test transactions to identify best practices for attracting MEV bots and internet search histories.
UPDATE (May 15, 17:19 UTC): Adds details throughout.