GM,
Last week, the U.S. Department of Justice unveiled an indictment that I almost had to "kneel down to read." The crime details were as thrilling as a movie plot. To explain the methods used in the crime to the court, the prosecutor put in a great deal of effort, resulting in the most information-dense indictment I've ever seen. I'll simplify the technical details as much as possible and focus on the case itself.
The defendants are two brothers, Anton Peraire-Bueno and James Peraire-Bueno, who are currently studying at MIT. The Department of Justice accused these brothers of attacking Ethereum and committing wire fraud against arbitrage bots in April 2023, making off with cryptocurrency worth approximately 800 million NTD (New Taiwan Dollars) within just 12 seconds. After a year, Anton and James were finally arrested last week. If convicted, they could face up to 20 years in prison.
This incident is noteworthy because it marks the first time the Department of Justice has enforced the law against Ethereum arbitrage bots. While it is right for fraudsters to be caught and punished, understanding the full context of the case raises the question: who exactly is the justice system protecting? The entire incident traces back to 2022.
Arbitrage Opportunities
Anton and James, aged 24 and 28 respectively, are brothers majoring in Mathematics and Computer Science at MIT. Beyond their academic expertise, they spend their spare time delving into cryptocurrency knowledge and have even reported software vulnerabilities to help developers defend against hacker attacks. To outsiders, these brothers are knowledgeable intellectuals. However, unbeknownst to many, they were secretly planning a hacking attack.
Prosecutors found that in December 2022, Anton and James created a shared document online, detailing a five-step plan to execute their attack. The steps were: operating an Ethereum node, testing bait transactions, exploiting vulnerabilities to obtain data, reordering transactions, and finally, committing the block to the blockchain. The crucial part was the third step. The brothers discovered a vulnerability in Flashbots, an Ethereum arbitrage bot, but instead of reporting it to the developers, they hatched a plan to "counter-kill" the arbitrage bots.
To understand how the brothers managed this "counter-kill," one must first understand the concept of arbitrage on Ethereum.
Arbitrage is quite common in the financial world, though most opportunities are beyond the reach of ordinary people. Suppose a wealthy individual buys a large amount of cryptocurrency on Binance, driving the price of ETH from $3,000 to $3,010. This creates an arbitrage opportunity. One could buy 100 ETH on Uniswap, where the price is still $3,000, and sell them on Binance for $3,010, netting a $1,000 profit from the price difference.
However, only the fastest actor can profit from this opportunity. The key is who can buy those 100 ETH on Uniswap first. In the stock market, the order of transactions is based on the time of order placement. The faster, the better. But on the blockchain, transaction fees are more critical than timing. The higher the fee paid to miners, the quicker the transaction is processed. In other words, miners determine the order of transactions.
So far, this is common knowledge for anyone familiar with blockchain technology. However, arbitrageurs aim not just for their transactions to be fast but to be the very first to be processed. This dives into the deeper workings of blockchain, which is why Anton and James's first step was to operate an Ethereum node—to fully control the transaction order.
MEV Bots
Suppose both you and I are arbitrageurs, and we simultaneously spot the same arbitrage opportunity. We both press the trade button to buy 100 ETH, expecting a $1,000 profit. How high should the on-chain transaction fee be to ensure our transaction goes through first? The answer is $999.
You might say, "Doesn't that mean we only make $1?" That's correct. The biggest beneficiary in this scenario is actually the miner. This type of arbitrage opportunity is therefore known as Miner Extractable Value (MEV). Deciding the transaction order is a lucrative business. Miners observe the pending transactions in the market and calculate the order that maximizes their profit. Each block contains hundreds of transactions. Even if an arbitrageur pays a hefty fee to get into the first block, the order within the block is still determined by the miner.
Each Ethereum block is produced approximately every 12 seconds. Even though the entire process is highly automated, miners have many calculations to complete within those 12 seconds to maximize their profits, and the final result might not align with overall market efficiency. Thus, the concept of MEV bots was introduced. Similar to "property management," miners install MEV bots to sell block space at a good price, leaving the transaction order within the block to the MEV bot.
A good MEV bot balances price differences across different markets through arbitrage. However, a bad MEV bot will exploit the system.
For instance, if you want to buy a large amount of a cryptocurrency on Uniswap, a malicious MEV bot will front-run your transaction by inserting its buy order before yours and a sell order after yours. Your buy order ends up sandwiched between the bot's buy and sell orders. As a result, you buy at a higher price because the bot bought before you and then immediately sold after you, restoring the price to its original state.
Most people might not notice this slight price difference, but through buying low and selling high, the bot profits from the transaction. This is commonly known as a "sandwich attack," and in the securities market, it's called front running.
When a fund manager executes trades based on insider information, it disrupts market order. Therefore, front running is illegal in traditional financial markets, but on the blockchain, it's considered a trading strategy. One could call it unethical, but it's not illegal.
This brings us back to Anton and James. In 2022, they discovered a vulnerability in the MEV bot's code that could be used to counteract sandwich attacks. This discovery led them to plot their hacking scheme.
The Counterattack
The indictment states that the attack was planned for four months. In late December 2022, Anton and James established a shell company named Pine Needle, where they served as president and financial director. This allowed them to open bank and exchange accounts under the company's name, facilitating large transactions later on.
During this time, they searched online for terms like "how to launder money" and "non-KYC exchanges," indicating their awareness of the potential legal ramifications and their intent to conceal their identities and evade detection. Eventually, they found a foreign exchange that did not require identity verification and allowed large cryptocurrency withdrawals.
Subsequently, they used this exchange to withdraw 529.5 ETH, worth $880,000 at the time, to multiple wallet addresses. They then used Aztec, an Ethereum layer-2 network known for privacy, to break the transaction trail. All this effort was to establish an Ethereum node as anonymously as possible, as the node was about to become the scene of their crime.
Before executing the plan, Anton and James conducted experiments to ensure its feasibility; no wonder they are outstanding students. Their plan involved setting a bait to lure arbitrageurs into performing sandwich attacks. The bait had to be attractive enough, so they deliberately placed a large buy order for a lesser-known token on a decentralized exchange, setting the slippage to the maximum. This is a mistake only a novice would make, as normal exchanges protect users from such losses.
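The sandwich described earlier, and the reason a maximum slippage setting makes an order attractive to a sandwiching bot while a tight limit protects the user, can be checked with numbers. The following is an added example, not code from the indictment or from any MEV software; the constant-product pool, its reserves, the 0.3% fee and the trade sizes are constructed assumptions, and gas costs and bundle atomicity are ignored.

```python
"""Constant-product (x*y=k) model of a sandwiched swap. All numbers are constructed."""

FEE = 0.997  # assumed 0.3% swap fee kept by the pool


class SlippageExceeded(Exception):
    """Raised when a swap would return less than the caller's minimum."""


class Pool:
    def __init__(self, eth, tok):
        self.eth, self.tok = float(eth), float(tok)

    def quote_buy(self, eth_in):
        """Tokens returned for eth_in at the current reserves."""
        x = eth_in * FEE
        return x * self.tok / (self.eth + x)

    def buy(self, eth_in, min_tok_out=0.0):
        out = self.quote_buy(eth_in)
        if out < min_tok_out:  # the slippage check that protects the user
            raise SlippageExceeded(f"{out:.0f} < {min_tok_out:.0f}")
        self.eth += eth_in
        self.tok -= out
        return out

    def sell(self, tok_in):
        x = tok_in * FEE
        out = x * self.eth / (self.tok + x)
        self.tok += tok_in
        self.eth -= out
        return out


def fair_fill(victim_eth):
    """Tokens the user would receive with nobody trading ahead of them."""
    return Pool(1_000, 1_000_000).quote_buy(victim_eth)


def sandwiched_swap(victim_eth, front_eth, tolerance):
    """Return (user_tokens or None if the swap reverted, bot_profit_eth).

    tolerance is the fraction of the quoted output the user agrees to give up;
    1.0 models "maximum slippage" (accept any price).
    """
    pool = Pool(1_000, 1_000_000)                 # constructed reserves
    min_out = pool.quote_buy(victim_eth) * (1 - tolerance)
    bot_tok = pool.buy(front_eth)                 # order placed ahead of the user
    try:
        victim_tok = pool.buy(victim_eth, min_out)
    except SlippageExceeded:
        victim_tok = None                         # user's swap reverts, nothing spent
    bot_profit = pool.sell(bot_tok) - front_eth   # order placed after the user
    return victim_tok, bot_profit
```

With `sandwiched_swap(100, 50, tolerance=1.0)` the user receives roughly 9% fewer tokens than `fair_fill(100)` and the bot keeps about 9.35 ETH; with `tolerance=0.005` the user's swap reverts and the bot's round trip only loses the pool fees.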
The arbitrageurs, seeing this opportunity, rushed in and placed large buy orders ahead of the bait. At this point, Anton and James exploited the vulnerability, swapping the original transaction and changing their large buy order to a sell order, thus profiting from the arbitrage bots. The entire operation required knowledge of the program vulnerability, certainty that someone would take the bait, and control of their own Ethereum node. The technical barriers were extremely high, making it difficult for ordinary people to even understand, let alone execute.
Ultimately, through this meticulous plan, they released eight baits and in 12 seconds swindled cryptocurrencies worth 800 million NTD. The arbitrage bots, intending to exploit a naive user, ended up losing their principal. This caused a significant stir at the time because over 90% of Ethereum nodes used the same arbitrage bot code. While usage varied, the vulnerability was common.
After the incident, efforts were made to patch the vulnerability and trace the perpetrators through the blockchain. It was discovered that the node had been created only a few weeks prior, and the ETH had been transferred in ways that were difficult to trace. This was clearly not a spur-of-the-moment attack.
Even though the affected arbitrage bots attempted to contact Anton and James through various channels, hoping they would return the funds, the prosecutors found that after the heist, the brothers were busy searching for terms like "top crypto lawyers," "US statute of limitations," "fraud address database," "money laundering laws," and "extradition for trial." They ignored requests to return the money and began laundering the stolen funds, converting them from ETH to DAI, then to USDC, and finally depositing them into the shell company's bank account.
The Fairness of Blockchain
Anton and James were traced and arrested by the police only last week, but the incident still holds other controversies. The Department of Justice seems to be protecting the interests of front-runners, even considering front-running as an integral part of blockchain fairness. According to the DOJ's press release:
Today, U.S. Attorney Damian indicted Anton and James, accusing them of conspiring to commit wire fraud and money laundering... As we allege, the defendants, who are students at a renowned university majoring in Mathematics and Computer Science, used their expertise to manipulate and exploit the Ethereum protocol relied upon by millions worldwide, thereby undermining the fairness of the blockchain. This fraudulent scheme is quite novel, but regardless of the complexity of the technology, prosecutors will hold accountable those who threaten the integrity of the financial system.
By exploiting a program vulnerability to lure arbitrage bots and swapping transactions to take 800 million NTD worth of cryptocurrency without returning it, the brothers' arrest was well-deserved. However, on the other hand, are those arbitrage bots that have long been performing sandwich attacks on ordinary users truly legitimate? The DOJ clearly states in the indictment that these arbitrage bots are engaging in front-running, a practice illegal in traditional finance. So why is front-running suddenly acceptable on the blockchain?
Anton and James might argue in their defense: "These arbitrage bots have been preying on us, never returning their gains from front-running trades. Why are their interests so inviolable?"
This highlights the awkward position of legal intervention in blockchain. Prosecutors might argue that the nature of fraud does not change regardless of the method used. Yet, they turn a blind eye to front-running on the blockchain, even deeming it part of the ecosystem's economic incentives. It's not considered a crime.
This seems contradictory. If survival of the fittest is the law of the dark forest, then these brothers are merely using their own methods to survive. If a more "civilized" legal system is introduced, wouldn't that disrupt the operation of the blockchain? The line between law enforcement and blockchain operations becomes increasingly blurred with this case.
Blocktrend is an independent media platform sustained by reader subscription fees.