Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
0:00
Someone a couple of years ago compared
0:02
the smart contract with the mission-critical
0:05
code. He was telling me that you
0:07
could actually compare it to like the code
0:09
that's used in an F-35, or
0:12
to launch a satellite in space. It's
0:15
code that you really have to get right.
0:18
I have read the charges against Shakib
0:21
Ahmed a few times now and
0:24
I think I almost entirely
0:26
understand it.
0:28
Without
0:28
getting too into the weeds, and
0:30
there's a lot of weeds, the story is set
0:32
exclusively in weeds. Here's
0:35
the basics. According
0:38
to the US Department of Justice in
0:40
July 2022, Shakib
0:43
hacks a decentralized cryptocurrency
0:45
exchange
0:47
the 15-page sealed indictment unpacks
0:50
how, but the gist, and
0:52
I'm gonna stop saying allegedly now because these are
0:54
all allegations, is
0:57
that he found a way to imitate
0:59
the equivalent of an admin account, that
1:02
he then used to fraudulently manipulate
1:04
the fees that a user got paid
1:07
for lending the exchange money
1:10
He then borrowed a ton of crypto
1:12
from somewhere else, briefly
1:15
loans it to the exchange,
1:17
gets paid out millions in these
1:19
fraudulently inflated fees, before
1:22
returning the loan and walking
1:25
away with the money
1:26
He allegedly does this 21 times, extracting 9
1:30
million US dollars in fraudulent
1:32
fees from the exchange
1:35
In the days following the hack the government
1:38
then alleges Shakib does two things. First,
1:43
he Googles all of the stuff you
1:45
would Google if you had just done a big
1:47
cyber money crime heist. In
1:50
a section of the sealed indictment named Ahmed's
1:52
post-attack internet history, it
1:55
outlines these searches. They
1:57
include decentralized
1:59
finance hack FBI, DeFi
2:02
hack prosecution, evidence
2:04
laundering, wire fraud, how
2:07
to prove malicious intent, can I
2:09
cross border with crypto, buying citizenship,
2:12
how to stop federal government from seizing
2:14
assets.
2:16
It is by no means illegal to search any
2:18
of these things, but I do get
2:20
why if you are trying to make the case
2:22
that this person is guilty, you
2:24
would include the fact he had googled them.
2:27
Lastly, they alleged that Shakib
2:30
sends an email, a
2:32
very important email, an
2:34
email that kind of changes what kind
2:37
of crime this ultimately is because
2:39
up until now it's theft.
2:42
But with this email
2:44
to the exchange he had allegedly stolen
2:47
from, it kind
2:47
of becomes something else. A
2:51
negotiation or
2:53
a ransom might
2:55
be extortion, I'm not totally sure.
2:59
But we're going to get to that. I
3:02
called up friend of the show, Lorenzo Franceschi-Bicchierai
3:05
over at TechCrunch, who
3:07
has been reporting at length on this story to
3:09
help me try and make sense of it. Scott's
3:12
away this week, so this episode is
3:14
my conversation with Lorenzo.
3:17
The last thing you need to know for all of this to make
3:19
sense has to do with smart
3:21
contracts. These decentralized
3:23
crypto exchanges, basically all of
3:25
them, operate using something called smart
3:28
contracts.
3:30
Instead of the software that governs the
3:32
exchange being stored on a server, it's
3:35
stored on the blockchain. The
3:37
very software that rules these exchanges
3:40
is public and generally
3:43
immutable,
3:44
which sounds great until something
3:46
goes wrong. Like say,
3:49
a hacker finds
3:51
a bug
3:53
and now you're trying to fix a thing
3:55
inside of a thing that wasn't really built
3:57
to be fixed.
3:59
It depends on code
4:01
that is completely open source. It
4:03
is public. And as you say, in many
4:06
cases it's immutable because the
4:08
developers don't even realize the risks.
4:11
So here's my chat with Lorenzo about
4:14
the charges against Shakib Ahmed. What
4:16
happens when someone finds a vulnerability
4:19
in a system that is supposed to be beyond
4:21
anyone's control and
4:23
whether giving back most of what you
4:25
stole changes
4:27
the fact that you did steal it on
4:31
this episode of Hacked.
4:35
Thanks for sitting
4:38
down with me, Lorenzo. It's
4:50
good to have you back. Thanks for having me. So
4:53
you've been covering the story since the US Department
4:55
of Justice announced this arrest
4:58
and I want to start with the person at
5:00
the heart of all this.
5:02
Who is Shakib Ahmed? What
5:04
do we need to know about him for this story to make sense?
5:07
Yeah, so Shakib Ahmed is
5:09
or was, we
5:11
should probably say
5:13
someone who worked in cybersecurity.
5:16
He worked at a couple of
5:18
small companies, small cybersecurity companies,
5:21
Optiv and Red Balloon. Red
5:24
Balloon in particular is a startup here in New York.
5:27
And he worked for Amazon, I think
5:29
Amazon AWS in particular
5:31
as a security engineer. He had all
5:34
the necessary skills to do
5:36
a hack, to perform a cyber attack
5:39
and steal money, which is what
5:41
he's accused of. And
5:43
just to start, if I forget
5:46
to say alleged, we should
5:48
assume that everything I say about Ahmed
5:50
is alleged based on what the feds
5:52
are accusing him of. So
5:55
in short, he was a cybersecurity
5:57
engineer and he...
5:59
specific knowledge about
6:02
how to exploit systems,
6:04
how to exploit smart contracts and
6:06
things like that. At least that's what the feds say.
6:09
To be honest from his LinkedIn, it's
6:11
not clear that he specifically had knowledge
6:14
about smart contracts and cryptocurrency. But
6:17
a lot of the skills that you have
6:19
as a cyber security researcher engineer
6:21
translate relatively well to
6:24
smart contracts. At the
6:26
end of the day, it's all the way to the world
6:28
that you find bugs in,
6:29
that you find flaws in, and you
6:32
figure out how to exploit those
6:34
flaws. Yeah, I want to talk a little bit more
6:36
about the difference between exploiting
6:39
smart contracts and more traditional server-side
6:41
kind of software. But
6:43
as you said, importantly, these are just
6:46
charges, they haven't been proven
6:48
in court. But broadly speaking, what is the Department
6:51
of Justice alleging he did, 10,000
6:53
foot view? Yeah, so the DOJ is simply
6:56
accusing Ahmed of stealing around
6:59
$9 million in crypto from a cryptocurrency exchange,
7:03
which the DOJ doesn't name. But because
7:05
of the dates of the attack
7:08
and the description of the exchange and the money
7:10
stolen, it's clear that it was Crema,
7:13
like a company from abroad
7:15
that operates
7:16
a cryptocurrency exchange, which
7:21
is basically like what Coinbase or Gemini, Binance,
7:26
all these companies provide, essentially
7:28
a platform to exchange money for crypto
7:31
or some crypto for some other kind of crypto
7:33
and things like that.
7:35
And the DOJ says that he exploited this
7:39
platform in July of
7:41
last year. And he
7:43
then proceeded to try to launder
7:46
the money. He also was in
7:48
touch with the cryptocurrency
7:50
exchange. There was a little
7:53
negotiation going on. And
7:55
he agreed to return almost
7:58
all of the money. He kept, like,
7:59
only 1.5 million in crypto.
8:03
He also agreed to tell
8:05
them about the flaws that
8:07
he allegedly exploited in an
8:11
attempt to presumably
8:13
in an attempt to be like, okay, I'm a good guy. I'm
8:15
going to help you fix these flaws so nobody
8:18
else exploits them. Yeah,
8:21
I want to talk a little bit about
8:24
the timeline of the negotiation that took place
8:26
there because I think it's pretty important to whether this
8:28
was a black hat, white
8:29
hat, gray hat type thing. But
8:31
before we get to that,
8:33
I want to dig a little bit more into how this hack worked.
8:36
I read, I think it's a 15 page sealed
8:38
indictment. The middle like third of
8:40
it really digs into that hack. The rest of
8:42
it's pretty readable. I think I read that middle
8:44
section four or five times just trying
8:46
to like,
8:47
grok how this hack
8:50
actually worked. You've got fees
8:52
for contributing to a liquidity pool. You've
8:55
got these tick accounts. You've got flash
8:57
loans. It's a lot.
8:59
Can you help me make a little bit of sense
9:02
of what they are accusing he actually did. How
9:04
did this hack allegedly actually
9:06
work?
9:07
Yeah, so it's a little complicated. And to be honest, I
9:09
am also not sure about
9:12
all the details and all those like sort of buzzwords
9:14
that are common in crypto, but are really
9:17
not common outside of crypto. Yeah.
9:20
So the understanding is that essentially, Ahmed
9:22
allegedly found flaws
9:25
in the exchanges
9:27
smart contract. And he tricked
9:29
the smart contract into believing that he was providing
9:32
more liquidity, meaning more crypto
9:35
to
9:36
the liquidity pool. And
9:38
when people contribute crypto
9:41
or liquidity to this pool, they get
9:43
some fees. They got some sort of like
9:46
reward for contributing to the liquidity
9:48
pool. So he essentially tricked the
9:50
exchange, the smart contract into
9:52
believing, quote unquote, that he had provided
9:55
more money, more crypto than he had. And
9:57
so he cashed out on that.
9:59
In terms of the flash loans, took
10:02
out 21 flash loans. My understanding
10:04
of the flash loan is that it's essentially a loan
10:08
in cryptocurrency that doesn't actually have collateral
10:11
because it's done very quickly. And
10:15
so he was able to do that without actually
10:17
giving
10:19
any cryptocurrency, at least
10:21
that's my understanding. The
10:23
indictment actually says so that he performed
10:25
at least 21 flash loans and
10:28
used them to generate falsely inflated fees
10:31
from five separate liquidity pools. So I
10:33
think it's a similar attack to the first one
10:35
that we described. It's
10:38
essentially he found a way to
10:41
trick the exchange
10:43
into giving him more cryptocurrency
10:45
than he was owed, than he was actually supposed to
10:47
get.
10:52
This episode of Hacked is brought to you by
10:54
DeleteMe. I host a podcast
10:56
about security stuff. So privacy naturally
10:59
matters to me. Meanwhile, I'm
11:01
hanging out all day on an internet rife with
11:04
data brokers. They're these big corporations
11:06
that crawl the web searching for information
11:08
to build a profile about you. They
11:10
find it from public records, self-reported information,
11:12
social media, buying it from other data
11:14
brokers. They then package it all up to create
11:17
profiles with your personal information.
11:20
Things like your social security number, birthday, information
11:22
about your relatives, past and recent addresses.
11:25
They package that all up and then they monetize it.
11:28
I don't love that.
11:29
And that's why I use DeleteMe.
11:31
DeleteMe keeps your personal information
11:33
safe. I signed up and the way it
11:35
works is once you've completed your sign
11:37
up for DeleteMe, they send you a welcome
11:39
email so you can get started right away. You
11:42
log in, find your DeleteMe personal
11:44
profile page. You tell them exactly what information
11:46
you want scrubbed and their privacy experts
11:49
take it from there. If you want 20% off
11:52
all consumer plans, congratulations
11:54
as a hacked listener, we're going to hook you
11:57
up. Just use the promo code HACK20.
11:59
That's one word, all
12:02
caps, HACK and then the numbers
12:04
2-0 for 20% off. Go
12:06
to joindeleteme.com slash HACKED
12:09
and use that promo code HACK20 for 20%
12:11
off.
12:13
Keep your personal info private
12:15
with DeleteMe. When
12:18
do you have insight into your compliance, security,
12:20
and risk postures? If it's right
12:22
before an audit, you are in the same boat
12:25
as many other organizations. With
12:27
Drata, a G2 leader in cloud compliance
12:29
software, you'll have continuous monitoring
12:31
and visibility into your risk, security
12:34
controls, and audit readiness for
12:36
standards like SOC 2, ISO 27001, GDPR, HIPAA,
12:38
and more. Drata
12:43
can streamline compliance for over 14
12:45
frameworks and even automate the custom frameworks
12:47
and controls you create
12:50
to meet your organization's unique security
12:52
needs. With more than 75 native integrations
12:55
and a risk management solution, you'll have a
12:57
tool that will scale with you.
12:59
Countless security professionals from companies like
13:01
Notion, Lemonade, and Bamboo
13:04
HR have shared how crucial it has been
13:06
to have Drata as their trusted
13:08
compliance partner. Listeners
13:10
of HACKED can get 10% off Drata
13:13
and waived implementation fees at Drata.com
13:16
slash partner slash HACKED. Startmail
13:19
is a privacy-first email service that keeps your inbox safe. With
13:24
over 330 billion emails
13:26
sent daily, email continues to be an
13:28
essential part of our lives. But sending email is structurally
13:31
unsafe. It's like sending a postcard. Anyone
13:34
who delivers the post can read your message or make
13:36
a copy of it. Startmail
13:38
will never stop sending emails.
13:40
It's a way to
13:42
keep your inbox safe. Startmail
13:48
will never serve you as a text or inbox
13:50
with state-of-the-art security. It blocks all
13:52
tracking pixels and warns you every time you click
13:54
an external link. It protects you from phishing
13:57
attempts and keeps your personal data safe.
13:59
It provides world-class encryption to protect
14:02
your confidential messages from interception.
14:05
And it allows you to create unlimited
14:07
aliases to protect your inbox from spam. So
14:10
when you need to sign up for something with a temporary email
14:12
address or get through a paywall,
14:15
that's maybe not just a paywall, it's an authentication wall,
14:17
you can create an alias for your email and
14:19
just
14:20
use that. It goes away in a
14:22
matter of time and you don't have to worry about getting spammed
14:25
constantly. Check it out. Startmail.com.
14:29
That's Startmail. S-T-A-R-T-M-A-I-L.com.
14:38
There's
14:40
only one line in the whole document that really
14:43
warrants a little bit of explanation that they
14:45
don't really provide. And it sounds like
14:49
this smart contract has two different types
14:51
of accounts. Normal accounts, like I think they
14:53
call them position accounts, and then
14:55
almost an admin style tick
14:57
account.
14:59
And with that tick account, he
15:01
was able to fudge, I think,
15:03
the rates that got paid out, like
15:06
the fees that got paid out
15:08
for loaning the system money. What's
15:11
unclear to me is how he was able
15:14
to get a normal account
15:16
to imitate that admin style account.
15:19
What the vulnerability on the smart contract
15:21
was that let him do that, I
15:24
guess, kind of, yeah, that little subterfuge,
15:27
that little imitation.
15:28
Yeah, I mean, my intuition here is that
15:30
the smart contract had some sort of bug that allowed
15:33
him to pretend that he had an admin account
15:36
and act as an admin, whereas he was
15:38
just a regular user. So he allegedly
15:42
figures out this vulnerability in the smart contract,
15:45
uses this flash loan vulnerability
15:47
to pump a bunch of money out, take out
15:49
these inflated fees, return
15:52
the loan and walk away with $9 million
15:55
in cryptocurrency.
15:56
He then launders that.
15:59
The feds alleged that Ahmed
16:02
then proceeded to launder the
16:04
stolen crypto, which is a pretty standard
16:08
technique, pretty standard thing to do after
16:10
you steal crypto. You try to launder
16:13
it and essentially hide your
16:15
tracks because, as all
16:19
the listeners know, cryptocurrencies
16:22
are all based on blockchain technology,
16:24
which the main feature
16:27
of it is that all the transactions are recorded,
16:29
they are recorded forever, they're immutable.
16:32
So anything you do on the blockchain is recorded,
16:34
any movement of the crypto
16:37
is right there. And so this
16:39
makes it relatively easy for the feds to
16:41
find or at least follow the money. Finding
16:44
who did it is one thing because the blockchain
16:46
is not, the users are
16:48
not necessarily identified there. You
16:51
can see the flow of money, but you may not know who did
16:53
it, but you can see the flow of money. Sometimes
16:55
it leads to a person because at the
16:57
end of the day, you got some cryptocurrency,
16:59
you may want to cash it
17:02
out and not just keep it there. So
17:05
what he did or what he allegedly
17:07
did was to do a series of transactions
17:09
to launder it. They were all pretty
17:11
standard. He swapped some tokens
17:14
from others, so some cryptocurrency from other
17:16
kinds of cryptocurrency. He used
17:18
bridges, which are technology,
17:21
some sort of blockchain technology that bridges
17:24
from one blockchain to another. So
17:26
you can go, for example, from the Bitcoin
17:28
blockchain to the Ethereum blockchain and exchange
17:31
Bitcoin into Ethereum directly. He
17:36
also transferred some of the crypto and
17:39
or exchanged it rather into Monero, which
17:41
is a relatively well known and pretty
17:44
anonymous cryptocurrency. It's one of
17:46
the few cryptocurrencies that are actually much
17:49
harder to track. It's unclear
17:51
actually if the law enforcement is able to track
17:53
it at all, and it was specifically
17:56
designed to be very hard to
17:58
track. So this was a smart move.
17:59
on his part. The
18:05
rest, clearly, the rest of the flow of the money is
18:10
traced to him and traced to the hack.
18:30
Because
18:40
they didn't need to do that for the indictment, and it
18:43
will come up later in the case.
18:45
That would be my bet, because clearly
18:47
they were able to go from
18:50
this anonymous person that stole
18:52
the cryptocurrency and laundered it to
18:54
actually identifying this person.
18:57
And that's the first step before
18:59
they are able to look at
19:00
his search history. Because
19:03
I imagine that once they identified him, however
19:05
they were able to do that, then they just
19:08
got a search warrant, went to Google,
19:11
and asked Google what happened with the
19:13
Google around those days. And
19:16
they struck gold because they found out that just
19:19
a couple of days after the hack, he
19:22
was Googling stuff like DeFi hack,
19:24
which stands for Decentralized
19:27
Finance. He
19:29
Googled
19:30
stuff like, why
19:32
expensive crypto hacks are the cost of doing
19:34
business? He
19:37
also searched for
19:40
embezzled. He searched for
19:42
DeFi hacks FBI, DeFi
19:44
hacks prosecution, and I'm quoting from the
19:48
indictment here. He Googled for wire
19:50
fraud, which is, I guess, ironically
19:53
the crime
19:55
that he was indicted for. He
19:58
also allegedly searched for how to prove Malay. And
20:00
then he also searched for how
20:03
to get citizenship
20:06
in other countries. Even visited a website
20:09
that, like a blog titled 16 countries where
20:11
your investments
20:13
can buy your citizenship. So
20:17
not only was he searching for terms
20:20
that suggest that
20:22
he was sort of trying to figure out how much
20:25
trouble he was in, but also
20:27
then he moved on to, okay,
20:30
what can I do about this? He probably realized
20:32
that he was in trouble. I mean, it's hard to believe
20:34
that he did not know that what he was doing was a crime,
20:36
but we'll see
20:38
what he and his lawyer argue. I
20:41
can imagine a universe, and this is me speculating,
20:44
but I can imagine a universe in which he
20:46
claims that he found those flaws and
20:49
maybe he was worried that they
20:52
could be exploited by
20:54
somebody else. So he decided to exploit them
20:56
and then get in contact with the target,
21:00
which is something that actually has happened in
21:03
the world of crypto and Web3. But
21:06
in any of those cases, it's really hard for
21:08
prosecutors, especially, to really believe
21:11
that these people actually
21:13
were just sort of white hats, looking
21:15
for flaws and trying
21:18
to alert the targets on how
21:20
to fix these flaws. We
21:23
can get into it a little bit later more
21:25
if you want, but yeah, this does happen.
21:28
It does happen. There's even some companies that
21:31
have talked about it publicly, about
21:33
how they noticed there was a bug
21:35
in the smart contract. And because smart
21:37
contracts live on the blockchain as well, and
21:40
so they're completely basically open source and anyone
21:42
can read them, they were
21:44
worried that somebody else could steal
21:46
the money. Or in some cases, they even saw
21:48
that someone started stealing the money, and so they stole
21:50
it back or they stole it first and
21:54
then contacted the target. So
21:56
I think there is a universe in which Ahmed and
21:58
his lawyer...
21:59
would argue that that's what he did, but
22:05
even in that case, I don't think the law cares. I
22:10
don't think the law cares about the intent of
22:13
doing something like this.
22:16
At the end of the day, you're stealing
22:18
money, you're hacking a smart contract and a
22:20
company, and that's kind of
22:22
all that matters in a case like this. Yeah,
22:25
let's talk about that a little bit of policing
22:27
defense, and yet it doesn't
22:29
sound like
22:29
this is the first time that argument
22:32
has been made. We don't know that's what they're going to argue,
22:35
but it feels like it's going that way. So
22:37
in the days after this hack happens,
22:40
Shakib is Googling the series of terms, and
22:44
then the crypto exchange Crema sends a message publicly
22:47
on the blockchain to the hacker, to which
22:49
allegedly Shakib responds,
22:52
starting some kind of a dialogue, almost a
22:54
negotiation, to give back some portion
22:57
of this stolen $9 million.
23:00
Take me through that, and
23:02
a little bit about why a person
23:04
in this situation might offer to do that.
23:07
Yes, I think this is an important step because in
23:11
that universe that I was talking about before, I
23:13
think one of the key things would be for him to
23:16
have reached out to the cryptocurrency
23:18
exchange proactively. Sure. I think it's going
23:20
to be much harder to argue that that was his intent
23:24
because he didn't do it. So
23:26
the exchange made the first step, took the first
23:29
step, they
23:31
posted on the blockchain, basically pleading
23:34
for the hacker to return the money, which
23:36
is super common. This happened
23:39
more times than I can count and more times than I
23:41
have even written
23:43
about. But this has become a very
23:45
common technique because a common strategy,
23:47
rather, because it's actually worked
23:50
a few times. Perhaps
23:52
the most well-known case
23:55
of a hacker that returned all
23:57
the stolen crypto
23:59
was...
23:59
the Poly Network hack in 2021.
24:04
In that case, the hacker or hackers
24:07
stole 600 million dollars in
24:09
crypto. That was the
24:11
valuation at the time. The
24:13
Poly Network started a negotiation that
24:16
was, in this case, all on the blockchain. So
24:18
everyone could follow it. And it was pretty bizarre. They
24:21
called the hacker, like, dear hacker,
24:23
dear white hat, please return
24:25
the money. And eventually they did. The hackers
24:28
returned all the money. Whereas
24:30
in this case, going back to Ahmed and
24:32
Crema, Crema posted
24:35
the message on the blockchain, then Ahmed sent
24:37
an encrypted email to the exchange.
24:40
So we don't know exactly, or rather
24:42
the indictment doesn't show us the
24:44
whole dialogue. Basically,
24:47
Ahmed allegedly emailed
24:50
Crema and started a dialogue. And
24:52
he agreed to return
24:56
most of the money. Around $8
24:58
million, he kept something like $1.5 million. The
25:03
exchange in their message
25:06
reaching out told
25:08
Ahmed, if you return the
25:10
money, we're not gonna press charges. You
25:12
might like, well, you're gonna avoid prosecution.
25:17
Which it's definitely a promise that they
25:20
cannot make because that's how the law
25:23
works. But somehow
25:25
Ahmed was convinced by this. He
25:28
returned most of the money. He told him that he was gonna
25:30
keep some. And in return, he was gonna tell
25:32
them the flaws. So the
25:34
indictment doesn't use these words. But this
25:36
seems like Ahmed was sort
25:38
of like trying to set this up as
25:41
some sort of like bug bounty. More
25:43
traditional, I found these flaws. Give
25:46
me a bug bounty and you
25:49
can fix them. And
25:52
the amount of money that he got is
25:55
a lot. But the bug bounties for
25:57
blockchain and Bitcoin and Web3 crypto
26:00
projects can be very high because some
26:03
of these smart contracts contain
26:05
a lot of money,
26:08
a lot of liquidity, a lot of crypto
26:11
that's worth millions and millions, if not
26:13
hundreds of millions of dollars. So a lot
26:15
of these companies see bug
26:17
bounties of like even $10 million as
26:19
something that is worth it because it will
26:22
save you from losing much, much more. And
26:25
so long story short, Crema and
26:27
Ahmed negotiated and eventually
26:29
Ahmed
26:29
returned some of the money.
26:32
And that's kind of how
26:34
it ended, at
26:36
least between them, as far as we
26:38
know. I mean, you used a really interesting word
26:41
there, which is negotiation. In
26:44
most cases, I know
26:47
you can't speak to all bug bounties, but is
26:49
it a negotiation? Because that seems relevant
26:51
to me. I found a vulnerability
26:54
and pay me some money for it is different than I
26:56
found a vulnerability and now we're going to
26:58
negotiate over whether it's worth two and a half million, 1.8
27:00
million, 1.5 million. That
27:03
sounds a little bit more like a hostage
27:05
situation. Yeah,
27:06
exactly. I mean, obviously the listeners
27:08
here know about like a bug bounty usually just
27:11
works like this. The company whose
27:14
software is, we're
27:16
talking about sets a
27:18
set of publishers, a set of rules,
27:20
a set of limits
27:22
and boundaries for
27:25
where people can look for bugs. And
27:29
they establish a very clear list of rewards
27:33
for the type of bugs that people find.
27:35
I think there may have been some cases where the
27:38
impact of the bug was so high that the company decided
27:40
to give the person more money. But
27:43
this is really, it's not what happened
27:45
here. It's completely different. Like in this case,
27:49
the person stole the money so they exploited
27:51
the bug. Usually in bug bounties you don't
27:53
exploit the bug. At least maybe you
27:55
do a proof of concept, but you don't
27:57
hack into the servers of Facebook, to
28:00
show them that you found a bug. So
28:03
yeah, I think the hostage situation is a
28:05
great way to look at it. I didn't think about it that way,
28:08
but yeah, it's essentially, you can
28:10
imagine someone stealing a car
28:12
and saying, hey, I have your car. Just,
28:16
I found it, it was unlocked and
28:18
I ran away. But now it's been a couple
28:20
of days and how about I return it
28:22
to you? You give me, I don't know, $5,000 and we forget about all this.
28:29
And again, that's something that wouldn't work either
28:31
in the real world outside of the Internet.
28:35
But yeah, this is what happened here and I
28:37
don't think, I haven't checked
28:39
this, but I don't think Crema had a bug bounty
28:42
program. So this
28:44
is really, I don't think anyone can call
28:46
this a bug bounty in
28:49
good faith. It's clearly, this
28:51
was a cyber attack, this was a theft.
28:54
And then
28:56
the hacker somehow
28:58
hoped that by returning some of the money, they
29:01
could get away with it,
29:03
which he didn't or they didn't.
29:06
It does raise the question of whether or not,
29:08
how do I put this? Whether or not Crema honored
29:10
the arrangement. And again, it's an agreement
29:13
made kind of at gunpoint a little bit, so you
29:15
couldn't really blame them for making
29:17
the deal and then immediately turning around and turning
29:19
him in. But you do wonder how the feds
29:21
got onto the case and whether
29:23
or not Crema was involved in
29:25
it. Yeah, I'm not a legal expert,
29:28
but I think that
29:29
it doesn't matter. In a case like this, it doesn't matter
29:32
if Crema presses charges,
29:34
because presumably some of the users
29:36
on the exchange are Americans. And
29:39
so those are actually victims as well. So
29:42
even if Crema doesn't press charges, the DOJ
29:44
investigates because there's a bunch of Americans who
29:46
have lost quite a lot of money potentially.
29:49
So we don't know how many users
29:52
were affected or if
29:55
it was just like money that
29:57
Crema owned. But essentially,
29:59
if there's
29:59
a theft, and the
30:02
DOJ can get involved even if Crema does
30:05
press charges or
30:06
decides not to press charges. That's
30:09
my understanding at least.
30:11
Like basically what I'm saying is that
30:13
when Crema promised this, they were
30:16
either lying or they didn't know how these
30:19
things work. That makes sense. Even if they were honest,
30:21
I don't think they realized that that's not how it works.
30:24
Well, it's an easy promise to be able to
30:26
make. It's like, sure. Whether or not
30:28
we make these, whether or not we refer
30:30
this on the law enforcement is relevant
30:33
to, but ultimately distinct from whether or not law
30:35
enforcement decides to push it. Yeah, and I think that
30:37
you suggested this. They
30:39
were trying everything they could to get the money back
30:42
because as we were discussing,
30:44
the blockchain doesn't forget.
30:46
And also cryptocurrency transactions
30:49
are usually irreversible. And
30:53
so once the crypto is gone,
30:56
you really need to get it back. It's not
30:59
like a bank that has some sort of insurance.
31:02
So, pleading with the hackers
31:04
to get the crypto back is the easiest way
31:06
to solve the problem and get
31:08
the money back for your user or customers.
31:13
This story partially caught
31:15
my attention because the government referred to it as
31:18
a first of its kind. And
31:20
I think what they mean when they say that is that
31:22
it is the first charges laid
31:24
concerning the hack of a specifically
31:26
decentralized crypto exchange. I
31:29
think that's what they mean when they say it's a first.
31:32
Is that your sense of it? How was it a first?
31:34
And as a journalist who has covered these kinds of stories,
31:37
how is it also maybe familiar? That's
31:40
interesting. I forgot that they claimed that it was
31:42
a first case.
31:45
I mean, I don't really understand why they call it the first
31:47
case because a lot
31:49
of smart contracts have been exploited in the past.
31:52
Maybe nobody has gotten caught yet.
31:55
But I don't see how this is different from exploiting
31:58
the Poly Network or...
31:59
Ronin, which was like
32:02
that sort of video game where
32:05
the North Koreans stole a lot of crypto. So
32:09
yeah, it's strange. I don't know exactly
32:11
why they called it the first. It's
32:14
also like only in the title of the
32:16
press release. It hasn't really been
32:18
explained. So
32:21
yeah, honestly, I don't know exactly what the DOJ meant
32:23
here. It's
32:25
a little unclear. I
32:30
wonder if it has to do with charges being laid
32:32
against an American, but
32:35
it does seem like a pretty in the weeds distinction.
32:40
Yeah, I mean, maybe you're right that it's because it's a decentralized
32:42
exchange rather than a Coinbase sort of
32:44
exchange. I don't see how
32:45
that distinction is very, very relevant to most
32:48
of the public, to
32:49
be honest. Decentralized exchanges, especially ones using
32:52
like big liquidity pools governed
32:54
by smart contracts versus the older
32:56
order book style. This
32:58
whole tech really lives and dies
33:01
by the quality of the smart contract. And
33:04
some smart contracts are upgradable.
33:07
But my understanding is once they're deployed,
33:10
once they're out in the world and people are using them, they're
33:13
either immutable or much harder
33:15
to change than server-side software.
33:18
Does this style of decentralization
33:21
make fixing vulnerabilities in a design
33:24
just a lot
33:25
harder when it comes to things
33:28
that deal with money? Yeah, absolutely.
33:33
I don't know. Maybe this shows my bias on
33:36
my opinion on cryptocurrencies and Web3
33:38
and all this stuff. But to me, it's ridiculous
33:41
that you're
33:43
essentially
33:45
resting the future
33:47
of a lot of money that comes from
33:49
people who at the end of the day are investors. Not
33:52
all of them are millionaires or billionaires.
33:55
A lot of them are small investors who
33:57
have read about crypto in
33:59
some newspaper and
34:02
they've seen the returns that some people
34:04
have made and they decide to put maybe
34:06
all their savings in it.
34:09
And all that money is, you know,
34:12
that's the safety of that money depends on code
34:15
that is completely open source. It
34:17
is public. And as you say, in many
34:19
cases it's immutable because the
34:22
developers don't even realize the risks, especially
34:25
a couple of years ago or even last year when
34:27
crypto was still really
34:30
when most cryptocurrencies
34:33
were incredibly valuable
34:36
and were growing in value constantly.
34:38
There was a lot of interest, not
34:41
only from investors, but from developers to create
34:44
new financial products, basically new crypto
34:46
projects, new anything, you know,
34:49
web3games, anything
34:52
that you can think of. And so there was sort of a rush.
34:54
There was a gold rush to cash
34:56
in. And so a lot of people that had even
34:59
limited, to be honest, even limited software development
35:01
knowledge, launched projects, put
35:04
these smart contracts online, didn't even
35:06
get an audit or just
35:09
hoped or didn't even realize
35:11
that this is how it works. Your code is out there.
35:13
If someone finds a flaw, then
35:15
there is nothing you can do to stop it. And
35:18
because cryptocurrency
35:21
transactions are almost immediate,
35:23
I mean, Bitcoin is a little slower and, you know, they're
35:25
not like technically immediate, but they're
35:28
pretty quick. And so if you're not
35:30
monitoring what happens on your network, you're
35:32
not going to find out. There are security companies
35:35
now that offer threat intelligence
35:37
and monitoring
35:39
of these kinds of attacks. But at the end of the day,
35:41
these are just, or some
35:43
of these are just, you know, regular
35:46
transactions. And it's
35:48
really hard to tell whether someone is moving $9 million
35:51
in crypto because they're just moving them, or
35:54
it's because they're stealing them. So,
35:57
yeah, someone a couple of years ago compared
36:01
the smart contract with mission-critical
36:03
code. He was telling
36:05
me that you could actually compare it
36:07
to the code that's used in an
36:10
F-35 or to launch a satellite
36:12
in space. It's code that you really
36:14
have to get right. One thing is
36:16
to launch, I don't know, Threads, for example.
36:18
Facebook launched Threads. There are
36:20
some bugs in it. Sure.
36:25
Maybe some of them are embarrassing or can
36:28
have different kinds of impacts. At
36:30
the end of the day, it's a social media network.
36:33
You find the bugs, you fix them and
36:35
life goes on. Here, if there are
36:37
bugs, if you
36:39
get unlucky, if the bad people find
36:42
those bugs, then all of a sudden you're
36:44
out of nine million dollars or six hundred million
36:46
dollars or who knows how many million dollars. So,
36:48
you know, to me, it's still crazy that
36:51
we're
36:52
resting
36:55
the fate of all this money on code
36:57
that is not only public, but a lot
37:00
of times unfortunately developed by people that
37:02
don't really understand security and don't understand the risks
37:04
involved. I appreciate you taking
37:06
the time to chat with me about this, Lorenzo. It's a very
37:09
interesting one. I think we'll be following it. My pleasure.