Two MIT students charged for exploiting Ethereum blockchain bug, stole $25 million in crypto

The students, who are brothers, are being charged by the DOJ for wire fraud and more.
By Matt Binder  on 
Ethereum logo
Two brothers alleged stole $25 million from the Ethereum blockchain after exploiting a flaw in a popular cryptocurrency software. Credit: GEOFFROY VAN DER HASSELT/AFP via Getty Images

Just when you've thought you've seen everything when it comes to cryptocurrency theft, two brothers attending MIT have uncovered a brand new way to steal millions.

According to a U.S. Department of Justice (DOJ) announcement on Wednesday, Anton Peraire-Bueno and James Peraire-Bueno have both been charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering. The brothers allegedly found a way to exploit the Ethereum blockchain and stole $25 million in cryptocurrency as a result.

“As we allege, the defendants’ scheme calls the very integrity of the blockchain into question," U.S. Attorney Damian Williams for the Southern District of New York said in a statement. "The brothers, who studied computer science and math at one of the most prestigious universities in the world, allegedly used their specialized skills and education to tamper with and manipulate the protocols relied upon by millions of Ethereum users across the globe." 

"Once they put their plan into action, their heist only took 12 seconds to complete," Williams continued. "This alleged scheme was novel and has never before been charged."

How two MIT students exploited the Ethereum blockchain

While one part of the brothers' scheme may have taken only 12 seconds, the DOJ indictment makes it clear that they meticulously planned and prepared for months in order to successfully exploit the Ethereum blockchain.

On the Ethereum blockchain, transactions aren't verified in chronological order, but by "maximum extractable value" or MEV, essentially how much value can be earned by validators from the transaction. Validators verify transactions, and in turn, add new blocks to the blockchain. 

Mashable Light Speed
Want more out-of-this world tech, space and science stories?
Sign up for Mashable's weekly Light Speed newsletter.
By signing up you agree to our Terms of Use and Privacy Policy.
Thanks for signing up!

According to the DOJ, the two MIT students exploited a flaw in MEV-Boost, an open-source software used by 90 percent of Ethereum validators. Upon discovering the exploit, Anton and James Peraire-Bueno set up a series of validators using shell companies in order to conceal their identities. The DOJ alleges it took "several months" for the two to prepare for their scheme.

The Peraire-Bueno brothers set their plot in motion by creating "bait transactions" in order to trick "victim traders" into revealing their trading behaviors.

In April 2023, the two pulled off their $25 million crypto heist by "luring" in the victim traders' MEV bots with eight transactions containing "illiquid cryptocurrency" to frontrun and then transfer into stablecoins and other liquid cryptocurrencies. These bundled "Lure Transactions" from the brothers were timed to be verified by one of their own validators.

From there, the brothers further exploited the system by forging signatures to deceive the blockchain relay into releasing the transaction information, which they then manipulated. As a result, Anton and James Peraire-Bueno walked away with $25 million and proceeded to take further steps to conceal their alleged crime.

“These brothers allegedly committed a first-of-its-kind manipulation of the Ethereum blockchain by fraudulently gaining access to pending transactions, altering the movement of the electronic currency, and ultimately stealing $25 million in cryptocurrency from their victims,” said Special Agent in Charge Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office in a statement. “In this case, IRS-CI New York’s Cyber Unit simply followed the money."

According to the DOJ, the two left a trail of incriminating evidence, including a document laying out the exploit in full detail, breaking their scheme into "four stages:" The Bait, Unblinding the Block, The Search, and The Propagation.

In addition, in the weeks and months following the exploit, the brothers search history unveiled queries for terms such as "top crypto lawyers," "wire fraud statute of limitations," "money laundering," "fraudulent Ethereum addresses database," and searches related to which countries the U.S. has extradition agreements with.

The two face up to twenty years in prison for each charge.


Recommended For You
27 of the best MIT courses you can take online for free
Girl writing notes

32 of the best MIT courses you can take online for free
Girl with laptop

Watch SZA sweat it out on 'Hot Ones' in bug prosthetics
SZA in bug prosthetics on 'Hot Ones.'

34 of the best MIT courses you can take online for free
Girl with laptop on bed

Somehow crypto scams grew by nearly 50 percent last year
Bitcoin on a red backlit keyboard

Trending on Mashable
Wordle today: Answer, hints for October 11
a phone displaying Wordle

NYT Connections today: Hints and answers for October 11
A phone displaying the New York Times game 'Connections.'

Astronomers just found a galaxy way too advanced for its time
Galaxy forming in the early universe

Tesla’s surprise announcements: Robovan and Optimus
Two images side by side. On the left is a screenshot of the Robovan. On the right is a Tesla promotional image of an Optimus robot serving someone a drink.

'The Platform 2's twisty ending, explained
A close-up of a topless, bald man holding a lit lighter.
The biggest stories of the day delivered to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up. See you at your inbox!