Canadian Man Stole $65 Million in Crypto in Two Platform Hacks, DOJ Says – Source: securityboulevard.com

A 22-year-old Canadian man is accused of stealing almost $65 million in cryptocurrency by exploiting security flaws in two popular crypto platforms and then laundering the stolen digital assets through crypto mixers and other means.

Federal prosecutors this week indicted Andean Medjedovic on charges of wire fraud, computing hacking, and attempted extortion for running sophisticated scams that abused smart contracts in the KyberSwap and Indexed Finance decentralized finance (DeFi) platforms between 2021 and 2023.

Medjedovic has not been arrested and is at large, according to the U.S. Justice Department (DOJ).

“Hackers can at times be painted in a flattering light by pop culture, some admiring their skills and acumen,” FBI Assistant Director in Charge Dennehy said in a statement. “They’re stealing money that isn’t theirs, and they’re breaking the laws of this country. We allege Andean Medjedovic violated several of those laws.”

DeFi platforms and supporting crypto structures continue to be targets of cybercriminals. Researchers with Barracuda Networks said in a report last month that in 2024, bad actors stole $2.2 billion from these components.

Months in the Planning

According to the indictment handed up in Federal District Court in Brooklyn, Medjedovic planned the attack on the KyberSwap platform for months before executing it in November 2023, stealing about $48.4 million in crypto. That came two years after a similar scheme run against the Indexed Finance platform in October 2021, in which about $16.5 million was taken.

The indictment also lists an unnamed co-conspirator whose name is know to the grand jury that handed up the indictment and is a relative of Medjedovic’s who has lived in Canada and Cambridge, Massachusetts, among other places.

In both operations, Medjedovic borrowed hundreds of millions of dollars in cryptocurrency and used fraudulent trading schemes to manipulate the prices in liquidity pools for both KyberSwap and Indexed Finance. Both platforms are found on crypto blockchains and created liquidity pools, which are used to create markets by allowing users to swap crypto tokens with each other.

“The liquidity pools were managed by computer code called ‘smart contracts’ and relied on investor contributions of cryptocurrency,” the DOJ wrote. “As alleged, Medjedovic used manipulative trading to exploit vulnerabilities in the KyberSwap and Indexed Finance smart contracts.”

KyberSwap Scam

In the case involving KyperSwap, the platform was on several public blockchains, including the Ethereum and Arbitrum networks and the liquidity pools were managed by smart contracts called automated market makers, or AMMs.

These set the prices in the KyberSwap liquidity pools.

Medjedovic used the borrowed digital coins the create artificial prices in the liquidity pools and then calculated precise combinations of trades that would allow him to steal the crypto from the pools. He allegedly stole the more the $48.8 million from investors 77 liquidity pools on six blockchains.

“Medjedovic executed dozens of swaps that were intended to deceive the KyberSwap Elastic AMM by misrepresenting supply and demand in the KyberSwap Elastic liquidity pools and to fraudulently induce the KyberSwap Elastic AMM to miscalculate available liquidity at the artificial prices” he set, the indictment reads.

Extortion and Laundering

Hours after stealing the crypto, Medjedovic allegedly tried to extort the developers of the KyberSwap protocol, KyberSwap investors, and members of the decentralized autonomous organization (DAO) that ran the protocol, saying he wanted control of the protocol and DAO in exchange for about half of the crypto he’d stolen.

He also tried to launder the stolen crypto through bridge protocols used to transfer digital coins from one blockchain to another and through a crypto mixer, in which crypto from multiple sources are run to conceal their source.

“After one bridge protocol froze several of his transactions, Medjedovic agreed to pay an undercover law enforcement agent posing as a software developer approximately $80,000 to circumvent the bridge protocol’s restrictions and release approximately $500,000 in stolen cryptocurrency,” the DOJ wrote.

Indexed Finance Scheme

There was similar action in the attack on the Indexed Finance platform two years earlier. Medjedovic used borrowed crypto to distort a process in the platform called “re-indexing” used by smart contracts to add a new token to the liquidity pools. Through manipulative trading, was able to get the smart contracts to set artificial prices during the process and then stole the crypto from the liquidity pools, prosecutors allege.

He then conspired with another person to launder the money through crypto exchange accounts created using false information and via crypto mixers.

After the Indexed Finance scheme – but before the one launched against KyberSwap – Medjedovic allegedly discussed his actions in private messages on multiple communications services, including once telling another person, “I did something very cool but accidently doxxed myself in the process. I may be on the run forever now. … Need some advice about becoming a pirate.”