Notorious teen hacker charged with stealing $65M crypto by exploiting DeFi protocols


The US Justice Department’s (DoJ) Criminal Division on Monday charged a notorious teen hacker – now an adult – with exploiting two decentralized finance (DeFi) protocols and making off with $65 million in cryptocurrency from the protocols' investors.

The five-count criminal indictment was unsealed on Monday in a New York federal court.

The former teenager-turned-adult hacker, Canadian Andean “Andy” Medjedovic, is charged with exploiting vulnerabilities in the automated smart contracts used by two decentralized finance protocols – KyberSwap and Indexed Finance.


Investigators say from 2021 to 2023, Medjedovic “borrowed hundreds of millions of dollars in digital tokens," and then “used the funds to engage in deceptive trading that he knew would cause the protocols’ smart contracts to falsely calculate key variables.”

Medjedovic was then able to withdraw millions of dollars of investor funds from the protocols at artificial prices, rendering the victims’ investments essentially worthless, the DoJ said.

The teen hacker further tried to launder the stolen loot by using digital asset mixers (sites that commingle crypto to hide the origins of the funds) and crypto bridging, which allows transfers between main cryptocurrency smart chains, such as Ethereum and Binance.

He is also accused of trying to open accounts on digital asset exchange platforms using fake or borrowed identities to hide his ownership.

What's more, the FBI said around November 2023, Medjedovic tried to exploit the KyberSwap victims a second time via “a sham settlement proposal.”

The ransom-like 'double extortion' proposal would have given Medjedovic complete control of the KyberSwap DeFi protocol in exchange for returning 50% of the victims' stolen crypto funds.


Tête-à-tête with Canadian cyber police

Ironically, Medjedovic, now 22 years old, has been wanted by the Canadian authorities since he was 18 years old for the DeFi extortion scheme on Indexed Finance, worth $16 million at the time.

In that scheme, the teen math prodigy, exceptional programmer, and master's degree recipient "allegedly used flash loans” to drain the $16 million from Indexed, CoinDesk reported at the time. (Flash loans do not require the borrower to put up any collateral and are unique to DeFi platforms.)

It also led the cybersecurity experts investigating the hack to reveal Medjedovic’s identity, his former home base in Waterloo, Ontario and his life on the run.

Indexed and KyberSwap websites referencing the exploits. Image by Cybernews.

What makes the case even more unusual is that Medjedovic, at one point, communicated with Canadian authorities, even showing up for a virtual hearing regarding the theft.

Authorities had urged Medjedovic to return the crypto, but the teen never showed up to court, and instead declared he was legally entitled to the funds because of the “code is law” defense. CoinDesk said he even took to Twitter to say he would “fight to the death” to keep his stash.

“Code is law,” which has never been tried in civil court (and still may not be if Medjedovic stays a fugitive), is “an unofficial DeFi ethos” stating that any smart contract activities that are technically allowed "are not just immutable, but also legally and ethically permissible in court,” according to CoinDesk's Andrew Thurman.

Still, in an interview with DL News in March 2023, the Canadian (and now US) fugitive claimed to have turned over a new hat – a white hat, that is, saying he “now contributes to a platform called Immunefi to help protect investors from hacking.”


Medjedovic is charged by the US with wire fraud, unauthorized damage to a protected computer, attempted Hobbs Act extortion, money laundering, and money laundering conspiracy.

He faces a total maximum of 90 years in prison if convicted on all counts.