Projects
![]()
No projects found
Investors
New
DAO Treasuries
DATs
Lend / Borrow APRs
Chains
Categories
Spaces
$200M Hacker Explains Himself: COINAGE Exclusive
Recorded: June 30, 2023 Duration: 0:58:58Space Recording
Full Transcription
And I'm going to talk about this.
That the Oiler hack changed is that now companies, he hopes, will be more willing
to advertise bug bounties in order to secure their protocols.
Mm-hmm.
They'll be more willing to negotiate with hackers.
Um, we've seen in recent years some success stories when it comes to recovery of the funds.
Even $30 million from the Lazarus Group's big hack was recovered.
So Poly Network was another example where hackers made off with $600 million, I believe,
maybe $610 million, and then returned the funds.
So clearly this is a sea change in DeFi,
and Federico told me that he welcomes that change.
I mean, so you kind of had all this, right?
And we were talking about the days leading up to publishing this story
and the questions of being skeptical.
And I think there's also plenty of examples to point to in the crypto space
to say it's better to be skeptical.
Certainly other influencers have been misled by people online
to believe certain things.
And I guess with this as well, it's a question of,
all right, what could possibly be the other scenario
in which someone would try and point people,
after returning all the money, to somewhere?
And I almost wonder if that's also the same logic that you had on the other side
of why Federico would be coming forward,
which is essentially, I don't want this hanging over my head anymore,
and I kind of want to present my side of the story,
which would be the case for whether or not the hacker that you're speaking with
at this point in the story is Federico or not,
because the one thing we know is that they were behind the hack,
because it's essentially, go talk to this Instagram account,
and that message came from the wallets that were in the attack.
So that's kind of the one thing that you and I knew is,
all right, whoever was in this attack is pointing us in this direction.
But the idea of what he has to gain in coming forward,
did that start to become clear?
Yeah, that's an interesting question.
I mean, from what he tells me,
a lot of his actions were driven by,
I don't want to necessarily say driven by emotion,
but he told me that his life since the hack has been difficult.
He hasn't felt like he has a clear sense of,
it's been a struggle to figure out what to do next,
the logistics of this,
the worry about what could be in store for him.
But I do think that he has a very unique perspective,
a very unique story to tell.
And I think the DeFi space should be somewhat receptive of his message,
because this is somebody with obviously a lot of technical knowledge.
And he was able to pull something off that no one expected.
I mean, Euler was regarded as one of the most well-regulated,
well-audited protocols in the business.
It had been audited something like 10 times in the last two years.
The single vulnerability was in a single smart contract
that had been audited by several security firms.
But yet Federico, as he told me in just an hour of research
into Euler specifically,
he was able to find this vulnerability.
Federico has told me he really admires the Euler protocol.
He wishes them the best in their recovery,
and he regrets the amount of damage he caused to them
and to their community through this hack.
But I think that DeFi as a space has to be real
about the threat that hackers cause both to users themselves,
but also to the reputation of these interoperable trustless systems.
And we got at a lot of that in last week's episode about flash loans.
Sure.
And I think, I guess, expanding on reporting this story out
and what the facts look like.
I mean, so there is this account, right?
And we're trying to figure out,
is this the real Federico?
And we're talking to him.
Is this actually the hacker behind the attack?
And, you know, there are details there
when you start exploring both the Instagram account
and the Twitter account that are linked to,
you know, the wallet transaction message
after it became public.
And one of those ties back to a blog post from before the attack,
which also has a YouTube video from before the attack.
And at that point, you know, it does become clear
the person you're talking to has a lot of information
on other things that have happened in the past, too.
If you Google the name Federico Jaime,
a story about a prior attack comes up as well.
Buenbit, which is in Argentina,
which is supposedly where Federico Jaime is from.
Right.
And the story Federico told me was that
he had an aptitude for this computer programming,
this thinking outside the box
in the way a hacker does from a very young age.
He told me he sold his first program,
which was a plug-in for Minecraft,
for $10,000 at the age of just 14.
And I asked him, you know,
did you tell your parents?
How did they feel?
He told me his dad, who's a computer engineer as well,
who supported this hobby of his,
were thrilled.
They thought, now you can be independent.
And over the years, he got into GTA V,
developing an anti-cheat software
for a popular multiplayer server.
It's very interesting to me
how somebody without a college education,
because he hasn't gone to college yet,
can develop these skills on his own.
And I think there are a lot of examples
across the crypto space.
One of my favorite stories in crypto
came out last year,
where Paradigm, the crypto firm,
had hired this pseudonymous person
by the name of Transmissions
as a Solidity developer, researcher.
And in Transmissions' bio on the website,
they said,
Transmissions is this, this, this, expert,
and this, this, this.
In his spare time,
he also attends high school in California.
Like the crypto space,
I think, it's really powerful
to eliminate these gatekeepers,
because you start finding talent
all over the world,
all different people
in different, you know, languages,
are able to work
on these interoperable protocols together.
And I think that's really
the magic of crypto in a lot of ways.
Well, I mean, obviously,
there's a lot of things also
that are somewhat related
as far as, you know,
the downsides when it comes to,
you know, having access
to all these things,
having a bunch of people
with the knowledge to,
I suppose, exploit.
And we've seen those in DeFi hacks.
But you're right.
This one's unique
in that the money came back.
And I don't know
how many examples there are
in hackers who are already,
you know, participating in these,
giving money back.
I can't think of one necessarily
outside of, you know,
bug bounties and everything else.
But in your discussions,
we're having these.
We're looking at all the facts.
I'm still playing devil's advocate
because I'm saying, look,
just because you have someone
telling you these details,
all of those mostly are public.
Everything you said about
building the anti-cheating system
on the video game
is on a blog post.
It's on the internet.
The Buenbutt news
is on the internet.
All of these things
could potentially be used,
could be used
by someone trying to throw everyone.
off the scent of the hack
onto someone else.
And who but a hacker
who has a great background,
who's clearly very smart
and is also implicated
in this Buenbit thing.
So did you talk to him
about the Buenbit hack
and kind of what happened there?
Because then it's not just,
oh, we have a nice young kid
who stole $200 million
and gave it back.
But also there's this other thing
that happened
that's attached to the name
of Federico Jaime.
Right.
I do want to say
that we've confirmed
through several different
sources of information.
I mean,
as simple as
I asked the person
I've been talking to
to send me a photo
with four fingers raised
in front of his face
and he did.
And it matched
different photos
we have of Federico
from his Instagram,
for example,
from a news story.
But as far as Buenbit,
when I asked him about it,
he was a bit reluctant
to comment.
It's an ongoing situation
and in general,
if you ask investigators,
anybody involved
in an ongoing investigation
or an ongoing open dispute,
they're not generally
willing to comment on it.
But what he did tell me
was that he maintains
his innocence in this case.
He's committed
to resolving it.
He told me his lawyers
are in contact
with Buenbit's lawyers.
I tried to reach out
to Buenbit as well
and they didn't get back to me.
But he told me
that some of the details
that were reported
in the news,
like the fact
that he ran away
from an embassy
after renewing
his passport
for being caught,
seemed to me,
he pointed out
that they were false.
That's what he was alleging,
that the details
were made up.
Yeah.
You know,
police reports
don't always 100%
report the truth either.
But in this case,
there's some ambiguity.
I'm not entirely sure
what to believe.
I think that this is
kind of the hardest part
about everything
in crypto, right?
It's like, you know,
and we're seeing this
even here in the U.S.
at every kind of level
of government,
the idea of
do they understand
the facts
as put in front of them?
Are they native enough
to kind of do
any on-chain digging?
Does any of that make sense?
You know,
it becomes really hard
when you don't even know
what sources to trust,
I guess.
But that was there
and the Buenbit attack
was in the past
and attached
to Federico Jaime.
But then you guys
start discussing,
I guess,
this idea of
why all these
other transactions,
why the hesitation
in even returning
the funds?
Why take,
if you were never
going to keep the money
yourself,
which is what he told you,
why wait so long?
Well,
let me back up
and explain.
So Federico
performed the hack
at 9 a.m.
London time
on a Monday.
The Euler team
was based in London
on March 13th.
It took until
April 4th
for the Euler team
to announce
the full recovery
of funds.
Now,
in that time,
those 23 days,
I believe,
there were
a variety of transactions
back and forth.
There were messages
from Federico
to the Euler team,
messages from the Euler team
to Federico.
At some points,
he would return
large sums of money
from one of the wallets
that was involved
in the attack.
At other times,
he would send money
through Tornado Cash,
which is a mixing protocol
designed to obscure
your transactions
on the blockchain.
At other times,
he would just cease
communicating altogether.
And I have to imagine
that for the Euler team,
who was also not willing
to comment,
but from public statements
that they've made
about the hack,
it was an incredibly
grueling few weeks
for them
with these negotiations
trying to get the money back.
Obviously,
the fact that they were
successful,
I think,
is a testament
to their abilities.
But there were
a few transactions
going into this story
that I absolutely
wanted to ask Federico about.
One of them was
the first message
he responded to,
the first wallet transaction,
I believe,
that he made
that weren't just
transfers between the wallets
following the hack
was there was this
crypto wallet
that had sent him
a message
that ended up
belonging to
an Argentinian
like Federico,
Solidity developer,
who was pleading
with Federico
saying his life savings
were on
were on
Euler finance
and were lost
and begging with him,
you know,
just please
return the funds
to the protocol
and make me whole.
And Federico
sent him back
100 ETH,
which was even more
than the life savings
that this
Argentinian
Solidity developer,
his last name
was Avalos,
had on the exchange.
And right away,
Santiago Avalos
said,
wait,
wait,
I didn't want
to profit
from this hack.
I didn't want
to profit
while other people
have lost so much
and they don't know
if they're getting
the money back.
So he returned
the excess to Euler.
And I asked Federico,
like,
or what I was wondering
was if he was going
to make this victim
hole in the end,
if his idea
from the beginning,
as he told me,
was to return
the funds to Euler,
then why pay it out?
But he told me
that the message
just,
you know,
spoke to him.
It spoke to his heart.
He was moved by it.
And he was even more
moved learning after
that it was
a fellow Argentinian
because his Argentinian
identity means a lot
to him.
Yeah,
and he had mentioned
he was impressed
by that coincidence.
It was a very
interesting coincidence
is what he says.
But beyond that,
there was the other
transaction you mentioned
too because,
again,
most of these hacks
in general,
everyone's gut instinct
is to react
and say,
that must be
Lazarus Group
because they're behind
a lot of attacks,
the North Korean
hacking group.
And that was one
of the other transactions
that was pretty perplexing.
Yeah,
I think,
as you said,
in DeFi,
when there's a big hack,
the first question is,
is this Lazarus
or is this not?
And there is a piece
of evidence
that linked to them
that created
a round of headlines
where Federico
from this attacker
wallet
sent 100 ETH
to the Ronin Bridge
exploiter,
the wallet that was
behind the biggest
crypto hack in history.
Yeah,
it was 600 million,
right?
I think it's tough
to top that.
Yeah.
The values in crypto,
obviously like,
the exact numbers
are sometimes
hard to come by.
Sure.
It's a value.
But one of the biggest
crypto hacks,
it was the bridge
powering the game
Axie Infinity.
And in a classic
Lazarus fashion,
this wasn't a DeFi
exploit,
like a flash loan
attack like Federico
had done.
Instead,
they had phished
an employee,
sending him
a fake job application,
gaining access
to the nodes
that control the blockchain.
But anyway,
Federico sent 100 ETH
to a victim,
which to me
is an act of
kindness and or remorse,
maybe if you were.
But also sent 100 ETH
to this Lazarus Group
linked wallet.
So obviously I asked him
about it.
What he told me was
he didn't realize
the wallet was connected
to North Korea.
But as a white hat hacker,
he wanted to send
a token of admiration
to a black hat hacker,
simply admiring
the engineering
of the attack.
Which still baffles me.
It's still confusing
even as you say that.
A white hat hacker
sending some of the things
that he's stolen
to one of the most
notorious black hat hackers
as a sign of admiration.
It's very interesting.
And again,
that's what he told me.
Yeah.
It's possible he has
another explanation
or that, you know,
there's another
reason behind it.
Behind it.
Yeah.
One of the common theories
at the time
when we weren't sure
who was behind this
was that the hacker
was trying to throw off
investigators sent
by maybe, you know,
pointing to the Lazarus Group
and then maybe everybody
would give up and say,
oh, it's probably Lazarus
and then go home.
Obviously that didn't happen.
Sure.
But I mean,
all those transactions
happened afterwards,
which is, as you said,
an intense back and forth
over a matter of weeks, right?
With the Euler team saying,
please return the funds,
continues to chat with people
and then does
and returns those funds.
Almost not all at once,
by the way.
It was kind of in piecemeal
and still kind of unclear,
I'm sure,
in the moment
for those victims
and Euler themselves
to say,
I'm not sure
if this is ever
going to really come back
if we're just getting
kind of dicked around here,
for lack of a better term.
Yeah.
Even Federico had told me
at one point
that he was like,
I sent this message
from my wallet,
which he did,
saying,
look,
I don't have any intention
to keep these funds.
I want to return them all.
But it still took him
a significant amount of time
between that message
to finish returning the funds.
And when I asked him about it,
he said,
gave me a few explanations.
He said,
you know,
the negotiation with Euler
wasn't about
whether he was going
to return the funds
just how to do it
in a way
that protected his safety
is what he told me.
Yeah.
I think that explanation
is reasonable.
I also think it's
perfectly reasonable
to have doubts
about that explanation.
And we will get into
the doubts,
I think,
now.
And also,
we have a little over
600 people in the space
listening right now
and the moment.
And I would just say,
if you haven't read the story,
definitely do so.
It's pinned at the top
in the space
as well as on our site
at coinage.media.
If you have questions
as you're listening
to this recounting,
feel free to request
the mic and hop up
with Abrams and myself
as well.
And if you're just joining us
and not sure what we're discussing,
it is a new coinage exclusive
that we just published
this morning,
digging into
the Euler finance hack,
the largest hack
thus far in 2023,
and why the hacker
behind it
gave back
the $200 million
he drained
from that protocol.
And that's the exclusive
that we're discussing here
with coinage head writer,
Zach Abrams.
And Abrams,
this is kind of now
inside,
behind the doors,
and I think that's something
that kind of,
you know,
coinage as a community-owned outlet,
as an outlet covering Web3
that's steered and governed
and co-owned
by our NFT holders,
I think that this is kind of
where we peel back the layer.
And I think this is kind of
what coinage is all about.
The idea of,
you know,
newsrooms normally,
traditionally,
maybe closed walls,
you don't know what's going on
behind them.
As a reader,
you have no idea,
you know,
if there are any outside forces
weighing some of that reporting.
And if we can be candid in this,
we're sitting there now
in our office
and you have these facts
and you're reporting this story
and I'm the editor
and I'm trying to figure out
what is true,
as you are.
And we're both sitting there
and we both agree,
is there anything
beyond a shadow of a doubt
that's now sitting in your head,
right,
at your point in reporting this story?
Given everything
that we've seen in crypto
and certainly people
stretching the truth
and maybe misleading reporters
out there all the time,
could this not be the case?
Could it maybe not be true,
everything that you've heard
from this supposed Federico Jaime
who was behind the attack?
To me,
based on
not just the information
in the story,
but also other information
we were able to gather
from a few different sources,
the events took place
as described in the story.
I think
where there's
room for
some healthy doubt
for some discussion
his explanations
for his actions
because
to me,
I think,
you know,
there were a police
report to come out
about this,
that would be pushing
a certain narrative.
Obviously,
he was trying to find somebody
to tell this story
in an attempt
to push a certain narrative,
but I think,
you know,
as a journalist,
you have to assume
that everybody's trying
you know,
present a story
that makes sense
to them,
might make them look better.
My job is to
distill down
the facts
of what they're telling me
and make it very clear
to the reader
where there's
a place
for reasonable doubt.
for example,
in the story,
I say,
Federico told me
that he worked alone.
He mentioned a couple times
a friend,
at times,
an advisor
who had advised him
on a few things
regarding blockchain,
which he says
he was pretty new
to the specific,
you know,
Solidity,
Web3,
DeFi hacking.
But when I asked him
in terms of the hack,
in terms of the response,
he said,
I did it all myself.
Now,
it's impossible
to truly know that
from the information
we have,
from the on-chain data.
However,
to me,
it does make sense
that the actions
could be explained
by a kid
who's,
I think it's fair to say,
flailing a little bit,
trying to figure out
what to do next.
To me,
the actions,
the sending money
in strange installments,
the disappearing
and then reappearing,
doesn't really speak to me
like a well-coordinated group.
Or it doesn't seem
like somebody with
a plan,
like a group
with three competing philosophies.
And so,
you know,
over the course
of speaking with Federico,
I was attuned
for any circumstances
where he contradicted himself,
where he contradicted
any of the other
information we found.
All of the pieces
that I've been able
to find
fit into this story.
I think there are
still details
that could be reported.
Federico's personal situation
is a bit complicated,
but he had expressed to me
that he would be interested
just as you sat down
with Do Kwan,
sitting down with Coinage
and telling his story.
So I'm hoping
we can make that happen
in the future.
But,
you know,
attempted to do
my due diligence
with this story.
I really thought
through every detail.
You helped me
by expressing
plenty of doubts
as my editor,
which I thank you for.
Have to.
Sometimes it was frustrating,
but in the end,
I do believe
it made the story
much stronger.
Well,
I think,
you know,
one of the things too
is obviously
as everyone's listening
and as everyone's reading,
if you have any questions
and hit us in the replies
or your general gut reaction
to what we're describing here.
And again,
I think anyone just reading
kind of the main takeaways
and the headlines here
you know,
someone
stealing $200 million
and returning it,
obviously,
just that by itself
begins to set off
alarm bells
in terms of
in terms of
does that actually
make sense
and can I believe that?
Can I wrap my head
around even having
$200 million?
What would that look like?
And,
one of the interesting
things he told me,
which totally makes sense
to me personally,
I think it might be crazy
to some people,
but he told me
when he was deciding
whether to
try to keep
the $200 million
or take the bug bounty
of $20 million,
and I asked him,
like,
this was in the story,
I asked him,
did you picture yourself
on a yacht
in a mansion
spending the money?
He told me,
I never thought
about the money.
He also said
at some point,
like,
just the,
the,
the magnitude
of these sums
of money
kind of broke
his brain.
He couldn't really
think about
the difference
between $20 million
and $200 million
and I can understand
that.
I mean,
I think,
in a sense,
this crime is so digital.
Federico to me,
just personally to me,
doesn't seem like
the type of person
who would be able
to mug somebody
at gunpoint,
for example.
In a sense,
that's a smaller scale
crime than what he did.
It's affecting one person.
You could take maybe
$50 out of their wallet.
This is $200 million
we're talking about.
But when it comes
to the online space,
I think there's a kind
of unreality to it.
It feels like you can
close your computer
and none of it
ever even happened.
And I think
I can understand
how he wasn't
really thinking
about the money
when he was working,
as he tells me,
sleeplessly
for two days
after he found
this vulnerability,
preparing the code,
preparing the hack.
It worked.
He told me he didn't
really expect it to work.
It worked.
And then he had
kind of an oh shit moment.
Like,
I have to take care of this.
And he struggled,
as he told me,
to do the right thing.
But I do think
he deserves credit
in the end
for returning the funds.
Yeah,
and I think
that's kind of
a good way
to wrap up
what we know now
and kind of
what happens now,
too, right?
Because if you think
about someone
in that position,
they may think
they've cleared themselves
by returning funds
that they have
not harmed anyone,
right?
That they've done nothing,
essentially.
It's as if nothing
ever happened.
But, you know,
on the Euler side,
if you look at
what they had to do
is, all right,
well, now we've got
this money back,
but now we need
to figure out
how to rightfully
give that back to people
because they're
a protocol
that has people
on the long side
and short side.
So how do we
make this,
like, how do we
make our users whole?
Which is a tricky
question to answer.
But also,
they've already
gone down the path
of trying to negotiate
and figure out
who this hacker was.
Which means,
you know,
I suppose,
I would imagine
bringing other,
you know,
law enforcement agencies
around the world
because you don't know
where this person is,
you don't know
who it is,
to try and figure it out.
And as Euler has mentioned,
when you have
a lot of people
who have just been
screwed over
and basically robbed
of $200 million,
you have a lot of people
with a lot of energy
and a lot of anger
and they're all working
to figure out
who that one person is.
So, I mean,
I wonder what you think
happens now,
now that you have
these facts reported
in your story
for Federico Jaime.
Well, I asked Federico
if he was worried
about any ongoing
legal consequences
from this hack
and he told me
something very interesting,
which is that
he doesn't think
the Euler team
would go after him
because it would
dissuade
other white hat hackers,
so-called white hat hackers,
who hack,
you know,
to expose security
vulnerabilities
rather than
actually draining
everything for themselves.
Yeah.
he thinks that
if Euler were to
continue coming after him
legally,
that it would
dissuade other
white hat hackers,
which he sees as good
for the DeFi ecosystem.
Not everybody agrees.
I spoke with someone
at Chainalysis,
Erin Plant,
who is their VP
of investigations.
She describes herself
as a certified
ethical hacker,
which is apparently
a certification
you can get
that certifies
that you're
the type of ethical hacker,
the type of white hat hacker
to attempt to
discover vulnerabilities,
report them.
And what Erin said
was that
some protocols
in DeFi
are concerned
about white hat
hackers and bug bounties
because
stealing $200 million
and then,
you know,
demanding a bug bounty
to give it back,
in this case,
Federico didn't accept
the 10% bug bounty
that Euler offered,
but in other cases,
hackers do accept
the bug bounties.
And Erin was worried
about the fact
that this could
normalize extortion
of these protocols.
She said it sounds
more like extortion
than an act of altruism,
which I think is interesting.
But as for the Euler team,
I mean, it's true.
They did have to
untangle the effects
of this hack.
It took them a while.
The contagion effected
something like
10 or 11 other
DeFi protocols.
One of them,
called Yield Protocol,
only announced
its full recovery
from the Euler hack,
which again,
happened back in March,
three days ago
on Wednesday.
So obviously,
the impacts
across the ecosystem
were large.
I think Federico hopes
that the good
that comes out of this,
both for Euler
as they're hard at work
developing Euler version 2
and saying they want
to make Euler great again,
that's in their tweets,
but also for the wider
DeFi space
when it comes to security.
I also spoke,
this is a bit of an aside,
but I spoke with the team
of a project called Forda
that I found very interesting
because certain projects
like Forda
and this other one,
Hypernative,
are developing
what I think
is an important
third prong
to DeFi security.
So right now,
we have the preventative security,
which is the audits
that DeFi protocols do,
making sure the code
of their smart contracts
is secure
and not exploitable.
Then there's also
the post-hack
or the post-security
incident response,
which involves negotiating,
might involve
investigating,
but there's a missing piece
in the middle
that Forda
and this other
project,
Hypernative,
are trying to develop,
which is
the live incident response.
And Forda's bot,
they told me,
determined that Euler
was about to be hacked
about three minutes
before the hack commenced.
And that's interesting
because three minutes
is right in that zone
where it's really too short
for a human to respond.
You can't build a system
that relies on somebody
barely even log in
to Gmail.
Exactly.
I just imagine
trying to get the face ID
and the seconds
are taken down.
2FA?
You're not going to get
a two-factor authentication code
in two months.
Even with the Apple
autocomplete,
it's too short.
But three minutes
is plenty of time
for computers to act.
And so I asked them,
well, that sounds
kind of like
it might make
some DeFi people
uncomfortable
if there's a kill switch
that maybe somebody
can trigger maliciously.
But then they said,
well, maybe you could have
several different bots
and if they all agree
that there's an attack,
you could try to isolate
the protocol.
I found that really interesting
and I think that speaks
to Federico's idea
that hopefully
if this hack has
a beneficial effect
for DeFi,
it's just encouraging people
to continue to think about
how to prevent these attacks
from all three stages,
from the audit,
from the live incident response,
and from the post-hack negotiations.
Yeah, I think there's a lot
of different learnings
that will be taken away
from this story.
And obviously there already were,
I think,
before your story hit
in regards to the idea
of what can go wrong
and what can go right
in any exploit.
Really, the idea
of getting money back
is great for the actual protocol
and its users,
but very rarely
when that happens
does anyone really ponder
what happens on the other side.
What happens to the attacker
if it is a human
and not some, you know,
huge, complicated web
of, I guess, thieves
like we've seen
with the Lazarus Group.
Granted, there are certain things
we don't know.
Like you said,
we don't know
how complicated
the web might be
behind what was actually done here.
You have what Federico's
telling us and telling you,
but until more details come out,
I think,
or if there's more reporting
to be done,
it's very difficult
to actually tell
a lot of this stuff.
There were only three wallets, right,
that were actually attached
to the hack itself.
Right.
That could be three different people
running their own thing.
That could be one person
who controls them all.
It could be a mix
of all that stuff.
It's, I don't know,
there's a lot of weird things
about crypto reporting
where so much happens on chain
and so much you can see
that you think is fact
and things you know,
but you don't know
who's behind them.
Right.
And to me,
one of the reasons
why I loved reporting this story,
why I wanted to work on it
from the beginning was,
to me,
this story is,
so crypto.
I mean,
from the fact that
it was a flash loan attack
on a protocol
to the public messages
being sent back and forth
to the fact that,
and I couldn't even work this
into the story,
but it appeared that North Korea
tried to counter-hack him
to try to get him
to reveal the public key
to the wallet
after he sent the money
to the Ronin Bridge exploiter.
There are so many details to me.
Even the disaster response,
I was talking with the Ford team
and I was like,
it sounds like somebody,
you know,
pulls out a mask
and a gun at a bank
and then Ford comes in
and says,
hey,
we've got a bigger gun,
so you better not do that.
Yeah.
These are only things
that can really happen in crypto
and that's why I find it
so fascinating.
But as a crypto reporter,
I mean,
being able to look at this
on-chain information
to verify what somebody
is telling me,
where otherwise
these would be
hidden bank statements,
potentially
something that would require
subpoenas,
investigative powers
that we just don't have.
I mean,
I think there are a lot
of real assets to,
and we've seen this
with crypto journalism outlets,
with community reporting.
I think the availability
of this data enables
some really interesting insights.
And I think that's kind of
what's interesting
to have happen here too, right?
If you're listening to this space,
feel free to request the mic
because, you know,
I think that's one of the main things
that we try and do
and that we're doing actively
with the Quintage experiment,
which is a show
that is decentralized
in ownership.
Our NFT holders
actually do own the show
via a cooperative DAO.
And the question there being,
can you see things
from a different angle
that yields different results?
And I think that's kind of why
the structure exists
in journalism
to have a reporter
and an editor
who plays the skeptical role
of can this actually be proven
beyond a reasonable doubt?
What are we missing?
What would we need to,
I guess,
disclose as potential issues
as we tell this tale?
And obviously,
I think that that's one thing
that does benefit us
as having a bunch
of different experts,
you know,
in whether it's something like this,
which to your point
is so complicated,
is so much going on
when it comes to flash line attacks
and the people you spoke with
are certainly more experts
than we are
when it comes to
defending against those
or even understanding
what the hell is going on.
And also,
while reporting stories
about stable coins
and de-pegging
as we did with Doquan before,
it's like everyone
in this ecosystem
has a different knowledge base.
Right.
And a different way
of looking at something
that could be true,
could be false.
And I think that's one of the things
that is extremely interesting
about, you know,
what we do at Coinage.
But I also feel like
extremely interesting
to see a story like this
reported now
as it's out there
and other people
take notice of it
because,
as we discussed
on the beginning of the space,
this was a story
that was out there.
Everyone saw it happen.
Right.
This has been sitting here
for months,
basically,
of everyone trying to figure out
and there was a Defiant piece
with someone
who was on that side
trying to figure out
who this hacker was.
And they had a tale
of kind of what happened
more on the Euler side,
right,
after it was hacked
for 200 million,
what their war room
looked like.
And this is the story
of the person
on the other side.
Right.
And both of them
seem to generally match
in, I guess,
the details, of course,
that were already faxed.
The details match.
I have to imagine
that the interpretation
differs a bit.
And I think that's
what makes this story
interesting.
Like, you know,
as I said before,
for the Euler team,
from what we know,
for the fact that
it took three weeks,
it was a lengthy
grueling process.
You know,
they weren't really
updating their Twitter,
but the CEO
in a statement
called it, you know,
some of the hardest
days of his life.
But as you were
saying before,
I mean,
I think one of the
things I love most
and hate most
about reporting
on crypto is
almost every day
I come across a tweet
and I completely
do not understand it.
And in one sense,
it feels frustrating.
Like, I've been
deeply immersing
myself in this stuff
for a year
and there's still
so much of it
that I haven't
been able to
explore yet.
But in another sense,
that's the greatest
gift for a journalist.
There are always
rabbit holes
to fall down.
And, you know,
as the coinage
community grows,
I'm so fascinated
in hearing about
crypto in other
jurisdictions.
I mean,
the crypto space
just in the
English-speaking
world is so intense.
But Federico's
native language
isn't English.
Doquan's native
language and,
you know,
birthplace
isn't an
Anglophone country.
So it's truly
just crypto
is such a wide
world.
And I have yet
to find a corner
of the crypto space
that does not
have an interesting
story to tell.
Yeah, and again,
one that can be
viewed, as you said,
kind of through
both lenses,
through the lenses
of a victim,
of, hey,
wait a minute,
my money is not
there anymore.
And the other
side, which is
an exploiter who
might think they're
doing something good
for the space,
or, you know,
in the case of
white hat hackers,
definitely thinking
that they're doing
something good
in that moment,
depending on what
happens afterwards.
And, you know,
we've seen that
with other hacks
and exploits,
too.
You know,
the mango markets,
we covered that
in our Flashland
episode,
the idea of
various actors
thinking that they're
operating above board.
And Abraham Eisenberg
behind that hack
called it a, quote,
profitable trading
strategy.
Highly profitable
trading.
Yeah, so you've
got that going on
versus what's
happening here,
and what did the
end results look
like, right?
You've got people
who were victims,
and you've got
someone on the other
side saying they're
operating normally.
And it's mostly,
I think, you know,
obviously, no court
of public opinion
is an actual court.
So that's the
important thing is,
you know,
especially journalists
don't have subpoena
power either to kind
of get all the facts.
That's what courts
are for.
But when you're out
there trying to figure
out what's true,
you present that
information to the
community,
and they essentially
say, some of this
looks right,
some of this looks
wrong.
What do you think?
And that's basically
kind of why we're
talking about this
on a space right now
to dig into all this
is what people think
and put the story out
to see what they think
as well.
But those are the facts.
And again,
those were the facts
that existed even
before this wallet
started coming forward
with information
about who he is.
I wonder, Abrams,
when you kind of
step back now,
obviously,
it's been a very
busy week in
reporting this story
and getting it to
the finish line.
When you kind of
look back on it now
with hindsight,
I mean,
what are those things
that stand out to you
as kind of like
important enough
to take a second
look at?
Hmm.
In a second look
in what way?
Well,
in either of the ways
that you would have
to extremely defend it
against people
who might say,
what about that?
Or just the ones
that smack you of,
wow,
that actually happened.
I mean,
there are so many
details that seem
stranger than fiction
in this story.
But,
you know,
we have the facts.
We have the on-chain
evidence of what happened.
This money was stolen
and returned.
And I find that Federico's
explanations for these actions
were sometimes
what I would have suspected,
sometimes completely different
than what I suspected.
Like,
look,
I've seen some accusations
that this article
is an attempt to glorify Federico.
Yeah.
It's absolutely not my intention.
I mean,
in the article,
it talks about how he sent
a hundred eighth
to a North Korean group,
which funnels,
according to the Wall Street Journal,
about half of the money
they receive
from illicit crypto operations
directly into North Korea's
ballistic missile program.
I'm not a supporter
of North Korea's
ballistic missile program.
Are you sure?
Personally.
But look,
it's up to the reader.
I'm not,
I'm not going to
treat my audience
like they need to be told
what to think.
I'm going to let them
think for themselves.
And I think that
what strikes me
about this story
in hindsight
is how much
there's room
for reasonable
interpretations
of the events.
And I'm looking forward
to talking with people
about it,
both in my life
in the cryptosphere
and saying,
what do you think?
Because I don't think
anybody could really
have a wrong opinion
on this story.
I'm really interested
to hear what conclusions
people draw
from the evidence.
You know,
I presented
what I felt
was the most accurate
way to tell this story
given the information
I had.
But you could
take these facts
and draw different conclusions.
I'm leaving that to you
because I trust you,
the audience.
Yeah,
the interesting piece
of all this obviously
is, you know,
when you report
these stories,
as we've seen
even with the Doquan
piece we put out
last year,
it's never over, right?
I mean,
that's just kind of
the beginning
and then law enforcement
jumps in and does
whatever they're going
to do after the facts
come out.
And that's a whole
other story in and
of itself.
And obviously one
that we'll see
what happens
with all of this.
But, you know,
as far as cases
in the court
of public opinion
are concerned,
those remain unchanged
mostly from what
we knew back
in March
in terms of what
happened after
the exploit
and the money
being returned.
The outcome's
essentially the same.
But do you think
that there's anything
that kind of sways
anyone's belief
that, you know,
it shouldn't even
be looked at
as an attack
or an exploit
or maybe it should?
I don't think so.
And that's what I like
about this story.
I think that
if you truly believe
one version of events,
you'll be able to find
evidence to support that.
And it doesn't mean
that there's
no truth here.
There's nothing useful
learning.
But it does mean that,
you know,
I think people can have,
again,
valid interpretations
of this story
and I'm looking forward
to hearing them.
But I do think,
like,
it's worth it
for the DeFi community
to look at this story
and to listen to
what Federico is saying
because obviously
he has had
this experience
that very few
of us have had.
And I think
it's worth thinking about,
thinking critically
about the story
and thinking,
how can this make
DeFi better
in the future?
Yeah.
And all of the
different things
that could be,
I guess,
if you're on the
hacker side,
like,
that's one of the
always,
it's like,
I think kind of
where the phrase
we don't negotiate
with terrorists
comes from
is the idea
of what happens
when you start
offering alternative
pathways to people
who are now stuck
in that position
I need an exit.
And,
you know,
that's,
I think,
one of the people
maybe watching this
saying,
well,
what does that
maybe do
to unlock the door
to having more
exploits where
someone can walk
away scot-free?
Right.
Which is almost
just as much
a danger,
I think,
when you're talking
about,
you know,
ethical white hat
hackers and,
like,
what that looks
like,
that's always
a question
of what happens
if you don't
make an example
out of people.
And you're seeing
the same thing
discussed,
right,
in almost every
crypto case
that's now brought,
at least here in
the U.S.
I think the other
exciting thing
that might come
from this
is the idea
of what happens
in the other
jurisdictions,
right?
Buenbit,
obviously not
a U.S.-based
company.
And so,
you know,
we've seen that
in cases brought
against Nate
Chastain at OpenSea,
right,
how harsh the
penalty there is
relative to maybe
if someone had
stolen 50 grand,
60 grand of
dollars and didn't
involve NFTs,
would the government
be so aggressive
in pursuing and
prosecuting a case
like that?
In the case
of Do Kwon,
would you have
the U.S.
and Korea
fighting over
jurisdiction for
somebody?
Maybe not if it
wasn't such a
huge publicly
documented downfall.
In the case
of SBF,
would you have,
you know,
as much news
coverage as you
do around it?
Would you have,
I mean,
it's interesting
to now watch
how people
outside of the
cryptosphere
might look at a
story like this
as well.
Yeah.
Yeah,
it's interesting.
Something you said
before about
negotiating.
I pulled up
the quote from
Aaron Plant
again,
Chainalysis's
VP of
Investigations.
Chainalysis does
great work
tracking crypto
crimes.
One of the
findings that
they found in
last year's
annual crime
report is that
DeFi has become
the primary
target of
hackers in
crypto.
The hacks
from DeFi
protocols made
up over 80%
of all crypto
theft and all
crypto scams
scams,
according to
Chainalysis's
analysis in
2022.
Aaron Plant,
the certified
ethical hacker,
told me,
you know,
most DeFi
hackers are not
after $100,000
or $500,000
payouts from
legitimate bug
bounties,
but frequently
ask upward of
50% or more
of the gross
amount of
stolen funds
as commission,
which is
somewhat similar
to the Abraham
Eisenberg case,
as we mentioned,
and continued,
this is more
like extortion.
So I think
that's a
completely
legitimate way
to view
things.
Federico,
from what he's
told me,
views things
differently,
where he thinks
that DeFi
industry will
move more
from audits
towards bug
bounties,
negotiations,
prevention.
I'm not so
sure that answer
would be
satisfying,
especially if
DeFi is
looking for
mass adoption
to people
saying,
hey,
your protocol
might be
hacked,
but we have
good people
working on
recovering the
funds.
I'm not so
sure that would
sell people.
Well, it almost
doesn't sell
anybody else.
even if you
do get the
funds back
to make
you want
to put
your money
into a
DeFi
protocol.
Though Federico's
argument is
that DeFi
protocols that
get hacked
and survived
come back
stronger,
more secure,
better aware
of how to
secure
themselves.
And throughout
our conversations,
he always
took some
time out to
say nice
things about
the Euler
team when
they came up.
he admired
their work
with the
protocol.
He's looking
forward to
Euler version
2 when it
launches.
He even said
he would be
interested in
continuing to
work for them
as a security
researcher,
as a white
hacker looking
for bug
bounties.
To me,
that's really
interesting because
obviously he
attacked this
protocol.
He caused a
lot of damage,
but he also
really respects
them.
And that to me
is just one
of the really
fascinating
contradictions at
the heart of
his story and
the heart of
his character.
Yeah, a lot
of contradictions,
a lot of
things that
people I think
are going to
have a fun
time digging
through as
well after
this story is
out there.
And again,
it's pinned in
the space,
but if you
haven't read it
yet, up on
coinage.media
from our
head writer
Zach Abrams.
And it was a
hell of a
tale and a
hell of a
kind of
checking
everything again
against what
was known on
chain and
what other
reports have
surfaced when
it comes to
what was
gleaned after
the hack and
putting it all
in context and
again, taking it
with a grain of
salt when you're
talking to
someone who
is also listed
in potentially
another exploit
in his home
country of
Argentina.
So all of
those things
taken into
consideration here
to put the
facts out there.
And look, it's
a long read.
I've seen some
complaints about it
being a long
read.
I don't want to
hear it.
It's a long
weekend coming up
for some of us,
4th of July in
the US.
That's right.
You know, download
it to your phone,
bring it to the
beach, take
your time.
I truly think
that the details
I've included in
this story I've
included not
because I, you
know, just
threw them in,
but because this
is such a
complex story and
I truly think
every detail
adds to it
and adds, you
know, another
interesting facet to
this really
complex situation.
Yeah, and if
you're skeptical, I
mean, those
views are
welcomed as
well.
Join our
community, raise
those issues
with us, join
and, you
know, mint an
NFT to
call on what
we're building
here, I think
would be the
takeaway and to
have your voice
heard in some
of this too,
because we'll
both be better
for it.
But Abrams, I
appreciate that.
Programming notes,
I think just a
flag.
We've got an
interview coming up
with SEC
Commissioner Hester
Purse on
coinage, which
we do not want
anyone listening to
this or our
followers to miss.
Did you say SEC
Commissioner Hester
Purse?
Yes, that's
right.
Cryptomomom, as
she's eloquently
known.
Yes, Cryptomomom
going to be on
coinage discussing
all the things
happening at the
SEC.
Well, they won't
they on a
Bitcoin spot ETF.
Nobody really
knows.
But that
interview coming
up on
coinage.
Of course, you
can subscribe to
get all of our
info on YouTube
right here on
Twitter, as well
as coinage.media.
For Zach
Abrams, I'm Zach
Usman, the host
of coinage, signing
off from our
Brooklyn studios
in New York
City.
Thanks again,
everybody, for
listening.
Have a great
long weekend.
Bye.
Bye.
