The NYU Law Program on Corporate Compliance and Enforcement (PCCE) is following the U.S. Attorney’s Office for the Southern District of New York’s recent indictment of two individuals for allegedly attacking and stealing $25 million from the Ethereum blockchain. The indictment in the case, United States v. Peraire-Bueno, 24 Cr. 293 (SDNY), is available here. Below, several crypto experts and former prosecutors provide their reactions to the case.
The Indictment of Anton and James Peraire-Bueno Demonstrates the Risks of Decentralized Cryptocurrency Exchanges and Highlights the Need for Strong and Comprehensive Regulation of Cryptocurrency Trading Including Anti-Money Laundering Controls
On May 15, 2024, the U.S. Attorney for the Southern District of New York unsealed an indictment and arrested two brothers, Anton and James Peraire-Bueno (“the brothers”), for wire fraud and money laundering in connection with a scheme through which they stole $25 million in cryptocurrency on the Ethereum Network (“Ethereum”).[1] The brothers used their mathematical and computer science knowledge to exploit technological vulnerabilities in Ethereum’s “validation” process. Apart from the technological fraud, the scheme set forth in the Indictment highlights the risks underlying decentralized crypto exchanges and blockchains. Because decentralized crypto exchanges lack a central actor or trusted intermediaries but instead rely on unregulated private parties, crypto trading, unlike U.S. banking and securities activities, lacks structural controls to prevent market manipulation, money laundering and other criminal conduct.
The details in the Indictment highlight the importance of U.S. regulation of the banking and securities industries. As the Indictment alleges, the brothers were able to steal $25 million in cryptocurrency by exploiting the decentralized Ethereum. Unlike the New York Stock Exchange, for example, Ethereum relies on unregulated private party intermediaries, including “validators” that (for a profit) “verify” private crypto transactions before the transactions are recorded on the public blockchain. This private “validation” feature permitted the brothers to exploit a technological vulnerability in the software used by 90% of validators so the brothers could re-order the transactions and steal $25 million worth of crypto.[2]
But fixing the now-exposed technological vulnerability will not fix the whole problem. For one, the brothers also exploited the ability of Ethereum participants to engage in frontrunning, a type of market manipulation that is illegal in the U.S. securities markets.[3] In brief, “frontrunning” is where market participants profit on advance knowledge of nonpublic customer trade information. With decentralized crypto trading markets, frontrunning can be quite prevalent as trade information lacks the transparency of the regulated securities markets, and individual participants are not regulated either. As described in the Indictment, the brothers engaged in frontrunning through mirror-trade type transactions: they purchased crypto whose value they expected to increase given their advance knowledge of customer trades effected by the victim traders.[4] The private layer network permitted such market manipulation, through which the brothers stole $25 million in cryptocurrency.
The Indictment’s allegations also reinforce the need for strong anti-money laundering laws applicable to cryptocurrency trading, including through decentralized exchanges. As the Indictment describes, crypto trading participants on a decentralized platform are able to conceal their identities through transactions that are not intermediated via regulated persons, which are then recorded on the blockchain.[5] The Indictment details how the brothers created and utilized shell companies and private crypto addresses to conceal their identities and then open crypto exchange and bank accounts. As part of their scheme and through these shell companies, the brothers conducted crypto transactions through foreign exchanges that lacked know-your-customer (KYC) requirements, with the acquired crypto returning to Ethereum, where the brothers, through their fictitious addresses and companies, established themselves as “validators”.[6] As the Indictment’s allegations demonstrate, the use of private party “validators” on an unregulated, decentralized exchange results in significant risk of market manipulation and criminal activity. While the blockchain’s records are beneficial to law enforcement, the decentralized exchange model too easily allows for identity concealment, money laundering, and other crimes.
Notably, the brothers also utilized stablecoins to accomplish their theft and related money laundering.[7] As the Indictment alleges, through a series of nine steps, the brothers converted the stolen cryptocurrency to different stablecoins and then to U.S. dollars that they deposited into shell-company bank and brokerage accounts.[8] These steps were intended to conceal the true source of funds, which is classic money laundering activity. Based on the indictment, two banks were utilized: JPMorgan Chase and Choice Bank.[9] One can surmise that these regulated banks, and the brothers’ need to exchange the stolen crypto for U.S. dollars, caused the downfall of the brothers’ otherwise concealed criminal scheme.
So, what does this say for crypto? At least three important points follow: First, crypto should never be deemed a separate currency from the U.S. dollar, as the need for U.S. dollars in our economic system mitigates criminals’ ability to use crypto for illicit purposes. Second, U.S. bank regulators, and the Federal Reserve in particular, should be involved in the drafting of any crypto legislation (including stablecoins legislation), in order to protect the banking system and U.S. monetary policy. And third, crypto trading platforms and participants, including through decentralized exchanges, should be regulated fully, like the U.S. securities markets. Rather than debate a narrow piece of legislation covering stablecoins and attack the SEC for its enforcement efforts, Congress instead should enact a comprehensive regulatory structure for the entire crypto industry, which legislation should select one strong regulator for the task. In the meantime, the U.S. Department of Justice continues to demonstrate its prowess in investigating and prosecuting wrongdoers, while uncovering weaknesses in the crypto system that require strong action.
Footnotes
[1] U.S. v. Peraire-Bueno, No. 24 CRIM 293 (unsealed May 15, 2024) (“Indictment”), https://www.justice.gov/opa/media/1351996/dl. As described in the Indictment, Ethereum is a decentralized blockchain that records transactions without a central actor and ETH is the native cryptocurrency on Ethereum. See Indictment, ¶ 7.
[2] Indictment, ¶¶ 9-11, 26.
[3] See Securities and Exchange Commission (SEC) Rule 17j-1.
[4] Indictment, ¶¶ 24-26.
[5] Indictment, ¶ 19.
[6] Indictment, ¶¶ 3, 17-19.
[7] Indictment, ¶¶ 24, 31.
[8] Indictment, ¶ 31.
[9] Indictment, ¶¶ 41-42.
Maria T. Vullo is a Senior Fellow at New York University School of Law’s Program on Corporate Compliance and Enforcement (PCCE), an Adjunct Professor of Law at Fordham Law School, CEO of Vullo Advisory Services, PLLC, www.vulloadvisory.com, and a former superintendent of financial services for the state of New York.
How the Value of ETH Reminds Us that a Press Release is a Political Document
by Daniel Payne
On May 15, 2024, the U.S. Attorney for the Southern District of New York unsealed an indictment against brothers Anton and James Peraire-Bueno for fraudulently obtaining $25 million worth of cryptocurrency on the Ethereum blockchain. As described in the SDNY’s press release announcing the charges, this was no ordinary cryptocurrency hack. The US Attorney alleges a “novel scheme by the defendants to exploit the very integrity of the Ethereum blockchain.” The brothers allegedly “tamper[ed] with and manipulate[d] the protocols relied upon by millions of Ethereum users across the globe.” One of the prosecutors explained that the alleged fraud was a “first-of-its-kind manipulation of the Ethereum blockchain.” In sum, according to the SDNY, the brothers hacked the Ethereum blockchain, which has never been done before and calls into question one of the foundational characteristics of blockchain technology: its security.
Exploiting a defect in the code of the Ethereum blockchain, as opposed to simply stealing funds from an unsecured wallet, would fundamentally change the value of ETH. Imagine a thief blowing a hole in a bank vault, exposing everyone’s money. We would expect people to stop depositing money into that bank! Similarly, if the SDNY is right that the brothers manipulated the blockchain itself, ETH’s value would undoubtedly plummet (even in the somewhat irrational crypto market).
And yet here we are: the price of ETH from May 15 to May 21 has increased from approximately $3,000 to approximately $3,800, or 27%. How can we explain this price increase? Maybe the market is just irrational enough to ignore an exploit that threatens the security of its currency. More likely, though, is that the brothers did not hack the blockchain. Indeed, as the indictment spells out, the hack targeted the blockchain validators through a MEV exploit.[*] Although MEV is blockchain-adjacent, it is not the blockchain itself, which the market appears to understand better than the SDNY. Thus, the increase in the value of ETH reminds us that a prosecutor’s press release is a political document. Always read the indictment to gauge what misconduct is actually alleged.
Footnotes
[*] “MEV,” or maximum extractable value, is the process by which validators reorder Ethereum transactions to maximize the value to the validator when the transactions are confirmed to the blockchain.
Daniel Payne is a Senior Fellow at the International Congress of Blockchain Advisors and serves as in-house counsel to blockchain brands.
The Least Technical Evidence May Prove to Be the Most Compelling
by Elizabeth Roper and Usman M. Sheikh
The May 15, 2024 indictment charging Anton and James Peraire-Bueno for their roles in a complex cryptocurrency scheme that compromised the integrity of the Ethereum blockchain is remarkable for its sophisticated and highly technical factual allegations, which detail trading activity that allegedly resulted in the theft of over $25 million. In laying out this elaborate scheme, the indictment reads like a primer on some of the most niche aspects of block production and cryptocurrency trading.
In addition to being technically complex, the case may come to raise a fundamental tension at the heart of the fight to deter unfair or manipulative blockchain trading activity. In many such cases, hard-line crypto purists take the view that any action that is technically possible on a given blockchain is inherently permissible, since the underlying code was developed to operate autonomously and free from intervention. This defense – that “code is law” – was recently raised in another SDNY prosecution, in which Avraham Eisenberg was charged with commodities fraud, market manipulation, and wire fraud for crypto trading that effectively wiped out the decentralized exchange Mango Markets. Eisenberg exploited a loophole in the Mango protocol to inflate the value of certain assets (i.e., Mango Markets perpetual futures contracts), then used those assets to borrow and withdraw other cryptocurrencies from Mango Markets, ultimately draining the exchange of over $100 million of value. At trial, Eisenberg did not dispute the factual allegations, but argued that his conduct was permitted by the smart contract code that governed transactions on Mango. Like most decentralized platforms, Mango was run by smart contracts that self-execute when pre-determined conditions are met. Eisenberg’s attorneys argued that if the underlying code allowed the trades to go through, then by definition they could not have been fraudulent. A jury disagreed, and Eisenberg was convicted on all counts.
That doesn’t mean that the code-is-law defense is doomed in this case, though. In addition to other distinguishing factors, in the Eisenberg case, the losses were borne by the exchange itself, and ultimately by other crypto investors who participated in the exchange. Here, the alleged victims – operators of MEV bots (i.e., programs that identify and front-run pending transactions) – are considered by some to be engaging in ethically dubious conduct themselves. Some may argue that the Peraire-Bueno brothers were essentially beating these MEV bot “searchers” at their own game, and it will be interesting to see to what extent the legality of the victims’ own trading activity becomes an issue in the prosecution. If the MEV bots can problematically take advantage of opportunities presented by the platform’s protocol, in other words, why can’t the defendants? Ultimately, though, it may be challenging for the Peraire-Bueno brothers to claim that they were simply executing a lucrative trading strategy, when the evidence will also show that they were searching the internet for countries that do not have extradition treaties to the United States. Sometimes the least technical evidence proves to be the most compelling.
Elizabeth Roper and Usman M. Sheikh are Partners at Baker & McKenzie. Roper is a former Bureau Chief of the Cybercrime and Identity Theft Bureau at the Manhattan District Attorney’s Office. Sheikh is Chair of the firm’s Blockchain & Fintech Practice.
Who’s at fault?
This case raises the age-old question: Who’s at fault? More specifically, in blockchain-based decentralized finance, who’s responsible for securing decentralized finance tools and who’s liable when they are defective? The crime here exploited a previously unknown vulnerability in a software tool, MEV-Boost, that is widely used by Ethereum validators (or “miners”) to prioritize Ethereum transactions for validation. Many critical blockchain protocols, like Ethereum itself and MEV-Boost, are decentralized and open-source. So if the criminals that get prosecuted are judgment-proof (as they often are), it is unclear whether victims of these types of crimes have any hope of recovery.
The debate over liability here mirrors a debate that is currently raging among policy makers and in courtrooms over who is liable for defects in software – the makers or the users? This issue is running hot because cybercriminals have become experts at exploiting software vulnerabilities and the damage done through even a single critical vulnerability can run into eight and nine figures. For software, however, at least there are clearly defined makers and users – sellers and buyers. The world of decentralized blockchain finance suggests a third possibility – if no entity is responsible for the protocols, no one is liable for their defects. In this scenario, blockchain finance will operate under the principle of caveat emptor (buyer/user beware).
I expect this issue will be hashed out in courtrooms and among regulators in the coming years. Decentralized finance protocols can be as complex as traditional software, and like traditional software they inevitably have bugs and vulnerabilities. As blockchain-based assets and smart contracts get more complex and their value grows, expect to see more hacking and manipulation. We are going to have to decide who – if anyone – is responsible.
Justin Herring is a Partner at Mayer Brown. He is a former federal prosecutor and Executive Deputy Superintendent of the Cybersecurity Division at the New York State Department of Financial Services.
Fueling Distrust of the Crypto Industry
The recent indictment of two brothers for an allegedly successful breach of the blockchain and theft of $25 million in crypto-currency assets is groundbreaking. As referenced in the indictment, the studied and choreographed effort to obtain the funds will present significant challenges for the government in attempting to explain the blockchain and its role in the cryptocurrency ecosphere to jurors, who are unlikely to be familiar. Terminology will be a challenge in itself. The utilization of more conventional wire fraud charges is the government’s first step in addressing the “language” barrier.
There will certainly be legal challenges, including whether such an undertaking can be deemed a fraud, given the public nature and transparency of the blockchain. How can you deceive others when everything that is done is open and notorious — to use some old terminology? Similarly, our legal jurisprudence is quite protective generally of individuals who exploit loopholes in the law and public systems. All of this will undoubtedly play out in motions and legal filings that are to come.
Possibly more important are the ramifications of this indictment on the efficacy of the blockchain and the stability of cryptocurrencies. It is certain that these two brothers are not the first to conceive of the alleged scheme, and there are assuredly others who are plotting similar efforts. Fraudsters are always ahead of enforcement in the exploitation of technology for gain.
This indictment is like that half glass of water that looks insignificant in a glass, but when it hits the ground covers the entire floor. Prosecutors and enforcement authorities do not have a favorable view of cryptocurrency or the blockchain. There is a general distrust of the entire landscape and its participants. This will only fuel that distrust, and thus reinforce a current environment in which a developing FinTech world is frustrated by regulatory inaction and antipathy.
Robertson Park is a Partner at Davis Wright Tremaine LLP. Earlier in his career, he was a federal prosecutor and supervisor in the fraud section at the U.S. Department of Justice.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).