Mission Critical

Released Tuesday, 1st August 2023

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Someone a couple of years ago compared the smart contract with the mission-critical code. He was telling me that you could actually compare it to, like, the code that's used in an F-35, or to launch a satellite in space. It's code that you really have to get right.

0:18

I have read the charges against Shakib Ahmed a few times now and I think I almost entirely understand it. Without getting too into the weeds, and there's a lot of weeds, the story is set exclusively in weeds. Here's the basics. According to the US Department of Justice, in July 2022 Shakib hacks a decentralized cryptocurrency exchange. The 15-page sealed indictment unpacks how, but the gist, and I'm gonna stop saying allegedly now because these are all allegations, is that he found a way to imitate the equivalent of an admin account that he then used to fraudulently manipulate the fees that a user got paid for lending the exchange money. He then borrowed a ton of crypto from somewhere else, briefly loans it to the exchange, gets paid out millions in these fraudulently inflated fees before returning the loan and walking away with the money. He allegedly does this 21 times, extracting 9 million US dollars in fraudulent fees from the exchange.

1:35

In the days following the hack, the government then alleges Shakib does two things. First, he Googles all of the stuff you would Google if you had just done a big cyber money crime heist. In a section of the sealed indictment named "Ahmed's post-attack internet history," it outlines these searches. They include: decentralized finance hack FBI, DeFi hack prosecution, evidence laundering, wire fraud, how to prove malicious intent, can I cross border with crypto, buying citizenship, how to stop federal government from seizing assets. It is by no means illegal to search any of these things, but I do get why, if you are trying to make the case that this person is guilty, you would include the fact he had Googled them.

2:27

Lastly, they alleged that Shakib sends an email, a very important email, an email that kind of changes what kind of crime this ultimately is, because up until now it's theft. But with this email to the exchange he had allegedly stolen from, it kind of becomes something else. A negotiation, or a ransom; might be extortion, I'm not totally sure. But we're going to get to that.

3:02

I called up friend of the show, Lorenzo Franceschi-Bicchierai over at TechCrunch, who has been reporting at length on this story, to help me try and make sense of it. Scott's away this week, so this episode is my conversation with Lorenzo.

3:17

The last thing you need to know for all of this to make sense has to do with smart contracts. These decentralized crypto exchanges, basically all of them, operate using something called smart contracts. Instead of the software that governs the exchange being stored on a server, it's stored on the blockchain. The very software that rules these exchanges is public and generally immutable, which sounds great until something goes wrong. Like, say, a hacker finds a bug, and now you're trying to fix a thing inside of a thing that wasn't really built to be fixed.

3:59

It depends on code that is completely open source. It is public. And as you say, in many cases it's immutable because the developers don't even realize the risks.

4:11

So here's my chat with Lorenzo about the charges against Shakib Ahmed. What happens when someone finds a vulnerability in a system that is supposed to be beyond anyone's control, and whether giving back most of what you stole changes the fact that you did steal it, on this episode of Hacked.

4:35

4:35

Thanks for sitting down with me, Lorenzo. It's good to have you back.

4:50

Thanks for having me.

4:53

So you've been covering the story since the US Department of Justice announced this arrest, and I want to start with the person at the heart of all this. Who is Shakib Ahmed? What do we need to know about him for this story to make sense?

5:07

Yeah, so Shakib Ahmed is, or was, we should probably say, someone who worked in cybersecurity. He worked at a couple of small companies, small cybersecurity companies, Optiv and Red Balloon. Red Balloon in particular is a startup here in New York. And he worked for Amazon, I think Amazon AWS in particular, as a security engineer. He had all the necessary skills to do a hack, to perform a cyber attack and steal money, which is what he's accused of. And just to start, if I forget to say alleged, we should assume that everything I say about Ahmed is alleged, based on what the feds are accusing him of. So in short, he was a cybersecurity engineer and he... specific knowledge about how to exploit systems, how to exploit smart contracts and things like that. At least that's what the feds say. To be honest, from his LinkedIn, it's not clear that he specifically had knowledge about smart contracts and cryptocurrency. But a lot of the skills that you have as a cybersecurity researcher, engineer, translate relatively well to smart contracts. At the end of the day, it's all the way to the world that you find bugs in, that you find flaws in, and you figure out how to exploit those flaws.

6:34

Yeah, I want to talk a little bit more about the difference between exploiting smart contracts and more traditional server-side kind of software. But as you said, importantly, these are just charges, they haven't been proven in court. But broadly speaking, what is the Department of Justice alleging he did, 10,000-foot view?

6:53

Yeah, so the DOJ is simply accusing Ahmed of stealing around $9 million in crypto from a cryptocurrency exchange, which the DOJ doesn't name. But because of the dates of the attack and the description of the exchange and the money stolen, it's clear that it was Crema, like a company from abroad that operates a cryptocurrency exchange, which is basically like what Coinbase or Gemini, Binance, all these companies provide: essentially a platform to exchange money for crypto, or some crypto for some other kind of crypto, and things like that. And the DOJ says that he exploited this platform in July of last year. And he then proceeded to try to launder the money. He also was in touch with the cryptocurrency exchange. There was a little negotiation going on. And he agreed to return almost all of the money; he kept, like, only 1.5 million in crypto. He also agreed to tell them about the flaws that he allegedly exploited, in an attempt to, presumably, in an attempt to be like, okay, I'm a good guy, I'm going to help you fix these flaws so nobody else exploits them.

8:18

Yeah, I want to talk a little bit about the timeline of the negotiation that took place there, because I think it's pretty important to whether this was a black hat, white hat, gray hat type thing. But before we get to that, I want to dig a little bit more into how this hack worked. I read, I think it's a 15-page sealed indictment. The middle, like, third of it really digs into that hack. The rest of it's pretty readable. I think I read that middle section four or five times just trying to, like, grok how this hack actually worked. You've got fees for contributing to a liquidity pool. You've got these tick accounts. You've got flash loans. It's a lot. Can you help me make a little bit of sense of what are they accusing he actually did? How did this hack allegedly actually work?

9:07

Yeah, so it's a little complicated. And to be honest, I am also not sure about all the details and all those, like, sort of buzzwords that are common in crypto but are really not common outside of crypto. Yeah. So the understanding is that essentially, Ahmed allegedly found flaws in the exchange's smart contract. And he tricked the smart contract into believing that he was providing more liquidity, meaning more crypto, to the liquidity pool. And when people contribute crypto or liquidity to this pool, they get some fees. They get some sort of, like, reward for contributing to the liquidity pool. So he essentially tricked the exchange, the smart contract, into believing, quote unquote, that he had provided more money, more crypto, than he had. And so he cashed out on that. In terms of the flash loans, took out 21 flash loans. My understanding of the flash loan is that it's essentially a loan in cryptocurrency that doesn't actually have collateral because it's done very quickly. And so he was able to do that without actually giving any cryptocurrency, if that's my understanding. The indictment actually says so, that he performed at least 21 flash loans and used them to generate falsely inflated fees from five separate liquidity pools. So I think it's a similar attack to the first one that we described. It's essentially he found a way to trick the exchange into giving him more cryptocurrency than he was owed, than he was actually supposed to get.

10:52

10:52

This episode of Hacked is brought to you by DeleteMe. I host a podcast about security stuff, so privacy naturally matters to me. Meanwhile, I'm hanging out all day on an internet rife with data brokers. They're these big corporations that crawl the web searching for information to build a profile about you. They find it from public records, self-reported information, social media, buying it from other data brokers. They then package it all up to create profiles with your personal information. Things like your social security number, birthday, information about your relatives, past and recent addresses. They package that all up and then they monetize it. I don't love that. And that's why I use DeleteMe. DeleteMe keeps your personal information safe. I signed up, and the way it works is once you've completed your sign up for DeleteMe, they send you a welcome email so you can get started right away. You log in, find your DeleteMe personal profile page. You tell them exactly what information you want scrubbed and their privacy experts take it from there. If you want 20% off all consumer plans, congratulations, as a Hacked listener we're going to hook you up. Just use the promo code HACK20. That's one word, all caps, HACK and then the numbers 2-0, for 20% off. Go to joindeleteme.com slash HACKED and use that promo code HACK20 for 20% off. Keep your personal info private with DeleteMe.

12:15

When do you have insight into your compliance, security, and risk postures? If it's right before an audit, you are in the same boat as many other organizations. With Drata, a G2 leader in cloud compliance software, you'll have continuous monitoring and visibility into your risk, security controls, and audit readiness for standards like SOC 2, ISO 27001, GDPR, HIPAA, and more. Drata can streamline compliance for over 14 frameworks and even automate the custom frameworks and controls you create to meet your organization's unique security needs. With more than 75 native integrations and a risk management solution, you'll have a tool that will scale with you. Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it has been to have Drata as their trusted compliance partner. Listeners of Hacked can get 10% off Drata and waived implementation fees at drata.com slash partner slash HACKED.

13:16

Startmail is a privacy-first email service that keeps your inbox safe. With over 330 billion emails sent daily, email continues to be an essential part of our lives. But sending email is structurally unsafe. It's like sending a postcard. Anyone who delivers the post can read your message or make a copy of it. Startmail will never stop sending emails. It's a way to keep your inbox safe. Startmail will never serve you as a text or inbox with state-of-the-art security. It blocks all tracking pixels and warns you every time you click an external link. It protects you from phishing attempts and keeps your personal data safe. It provides world-class encryption to protect your confidential messages from interception. And it allows you to create unlimited aliases to protect your inbox from spam. So when you need to sign up for something with a temporary email address or get through a paywall, that's maybe not just a paywall, it's an authentication wall, you can create an alias for your email and just use that. It goes away in a matter of time and you don't have to worry about getting spammed constantly. Check it out. Startmail.com. That's Startmail. S-T-A-R-T-M-A-I-L.com.

14:38

14:38

There's only one line in the whole document that really warrants a little bit of explanation that they don't really provide. And it sounds like this smart contract has two different types of accounts. Normal accounts, like I think they call them position accounts, and then almost an admin-style tick account. And with that tick account, he was able to fudge, I think, the rates that got paid out, like the fees that got paid out for loaning the system money. What's unclear to me is how he was able to get a normal account to imitate that admin-style account. What the vulnerability on the smart contract was that let him do that, I guess, kind of, yeah, that little subterfuge, that little imitation.

15:28

Yeah, I mean, my intuition here is that the smart contract had some sort of bug that allowed him to pretend that he had an admin account and act as an admin, whereas he was just a regular user.

15:38

So he allegedly figures out this vulnerability in the smart contract, uses this flash loan vulnerability to pump a bunch of money out, take out these inflated fees, return the loan and walk away with $9 million in cryptocurrency. He then launders that.

15:59

The feds alleged that Ahmed then proceeded to launder the stolen crypto, which is a pretty standard technique, pretty standard thing to do after you steal crypto. You try to launder it and essentially hide your tracks, 'cause as all the listeners know, cryptocurrencies are all based on blockchain technology, which the main feature of it is that all the transactions are recorded, they are recorded forever, they're immutable. So anything you do on the blockchain is recorded, any movement of the crypto is right there. And so this makes it relatively easy for the feds to find or at least follow the money. Finding who did it is one thing, because the blockchain is not, the users are not necessarily identified there. You can see the flow of money, but you may not know who did it, but you can see the flow of money. Sometimes it leads to a person, 'cause at the end of the day, you got some cryptocurrency, you may want to cash it out and not just keep it there. So what he did, or what he allegedly did, was to do a series of transactions to launder it. They were all pretty standard. He swapped some tokens from others, so some cryptocurrency from other kinds of cryptocurrency. He used bridges, which are technology, some sort of blockchain technology, that bridges from one blockchain to another. So you can go, for example, from the Bitcoin blockchain to the Ethereum blockchain and exchange Bitcoin into Ethereum directly. He also transferred some of the crypto, and or exchanged it rather, into Monero, which is a relatively well-known and pretty anonymous cryptocurrency. It's one of the few cryptocurrencies that are actually much harder to track. It's unclear actually if the law enforcement is able to track it at all, and it was specifically designed to be very hard to track. So this was a smart move on his part. The rest, clearly, the rest of the flow of the money is traced to him and traced to the hack.

18:30

18:30

Because they didn't need to do that for the indictment, and it will come up later in the case. That would be my bet, because clearly they were able to go from this anonymous person that stole the cryptocurrency and laundered it to actually identifying this person. And that's the first step before they are able to look at his search history. Because I imagine that once they identified him, however they were able to do that, then they just got a search warrant, went to Google, and asked Google what happened with the Google around those days. And they struck gold, because they found out that just a couple of days after the hack, he was Googling stuff like DeFi hack, which stands for decentralized finance. He Googled stuff like, why expensive crypto hacks are the cost of doing business? He also searched for embezzled. He searched for DeFi hacks FBI, DeFi hacks prosecution, and I'm quoting from the indictment here. He Googled for wire fraud, which is, I guess, ironically, the crime that he was indicted for. He also allegedly searched for how to prove malicious intent. And then he also searched for how to get citizenship in other countries. Even visited a website that, like a blog, titled 16 countries where your investments can buy your citizenship. So not only was searching for terms that suggest that he was sort of trying to figure out how much trouble he was in, but also then he moved on to, okay, what can I do about this? He probably realized that he was in trouble. I mean, it's hard to believe that he did not know that what he was doing was a crime, but we'll see what him and his lawyer argue. I can imagine a universe, and this is me speculating, but I can imagine a universe in which he claims that he found those flaws and maybe he was worried that they could be exploited by somebody else. So he decided to exploit them and then get in contact with the target, which is something that actually has happened in the world of crypto and Web3. But in any of those cases, it's really hard for prosecutors, especially, to really believe that these people actually were just sort of white hats, looking for flaws and trying to alert the targets on how to fix these flaws. We can get into it a little bit later more if you want, but yeah, this does happen. It does happen. There's even some companies that have talked about it publicly, about how they noticed there was a bug in the smart contract. And because smart contracts live on the blockchain as well, and so they're completely, basically, open source and anyone can read them, they were worried that somebody else could steal the money. Or in some cases, they even saw that someone started stealing the money, and so they stole it back, or they stole it first and then contacted the target. So I think there is a universe in which Ahmed and his lawyer... I would argue that that's what it did, but even in that case, I don't think the law doesn't care. I don't think the law cares about the intent of doing something like this. At the end of the day, you're stealing money, you're hacking a smart contract and a company, and that's kind of all that matters in a case like this.

22:22

Yeah, let's talk about that a little bit, the policing defense, and yet it doesn't sound like this is the first time that argument has been made. We don't know that's what they're going to argue, but it feels like it's going that way. So in the days after this hack happens, Shakib is Googling this series of terms, and then the crypto exchange Crema sends a message publicly on the blockchain to the hacker, to which allegedly Shakib responds, starting some kind of a dialogue, almost a negotiation, to give back some portion of this stolen $9 million. Take me through that, and a little bit about why a person in this situation might offer to do that.

23:07

Yes, I think this is an important step, because in that universe that I was talking about before, I think one of the key things would be for him to have reached out to the cryptocurrency exchange proactively.

23:18

Sure.

23:19

I think it's going to be much harder to argue that that was his intent, because he didn't do it. So the exchange made the first step, took the first step, they posted on the blockchain, basically pleading for the hacker to return the money, which is super common. This has happened more times than I can count, and more times than I can, they have even written about. But this has become a very common technique, because, a common strategy rather, because it's actually worked a few times. Perhaps the most well-known case of a hacker that returned all the stolen crypto was the Poly Network hack in 2021. In that case, the hacker or hackers stole 600 million dollars in crypto. That was the valuation at the time. The Poly Network started a negotiation that was, in this case, all on the blockchain, so everyone could follow it. And it was pretty bizarre. They called the hacker, like, dear hacker, dear white hat, please return the money. And eventually they did. The hackers returned all the money. Whereas in this case, going back to Ahmed and Crema, Crema posted the message on the blockchain, then Ahmed sent an encrypted email to the exchange. So we don't know exactly, or rather the indictment doesn't show us, the whole dialogue. Basically, Ahmed allegedly emailed Crema and started a dialogue. And he agreed to return most of the money. Around $8 million; he kept something like $1.5 million. The exchange, in their message reaching out, told Ahmed, if you return the money, we're not gonna press charges. You might like, well, you're gonna avoid prosecution. Which it's definitely a promise that they cannot make, because that's how the law works. But somehow Ahmed was convinced by this. He returned most of the money. He told them that he was gonna keep some. And in return, he was gonna tell them the flaws. So the indictment doesn't use these words, but this seems like Ahmed was sort of, like, trying to set this up as some sort of, like, bug bounty. More traditional: I found these flaws, give me a bug bounty and you can fix them. And the amount of money that he got is a lot. But the bug bounty for blockchain and Bitcoin and Web3, crypto projects, can be very high, because some of these smart contracts contain a lot of money, a lot of liquidity, a lot of crypto that's worth millions and millions, if not hundreds of millions, of dollars. So a lot of these companies see bug bounties of, like, even $10 million as something that is worth it, because it will save you from losing much, much more. And so, long story short, Crema and Ahmed made the negotiation, and eventually Ahmed had returned some of the money. And that's kind of how it ended, at least between them, as far as we know.

26:38

I mean, you used a really interesting word there, which is negotiation. In most cases, I know you can't speak to all bug bounties, but is it a negotiation? Because that seems relevant to me. "I found a vulnerability, and pay me some money for it" is different than "I found a vulnerability, and now we're going to negotiate over whether it's worth two and a half million, 1.8 million, 1.5 million." That sounds a little bit more like a hostage situation.

27:05

Yeah, exactly. I mean, obviously the listeners here know about, like, a bug bounty usually just works like this. The company whose software is, we're talking about, sets a set of publishers, a set of rules, a set of limits and boundaries for where people can look for bugs. And they establish a very clear list of rewards for the type of bugs that people find. I think there may have been some cases where the impact of the bug was so high that the company decided to give the person more money. But this is really, it's not what happened here. It's completely different. Like, in this case, the person stole the money, so they exploited the bug. Usually in bug bounties you don't exploit the bug. At least maybe you do a proof of concept, but you don't hack into the servers of Facebook to show them that you found a bug. So yeah, I think the hostage situation is a great way to look at it. I didn't think about it that way, but yeah, it's essentially, you can imagine someone stealing a car and saying, hey, I have your car. Just, I found it, it was unlocked and I ran away. But now it's been a couple of days and how about I return it to you? You give me, I don't know, $5,000 and we forget about all this. And again, that's something that would work either in the real world outside of the Internet. But yeah, this is what happened here, and I don't think, I haven't checked this, but I don't think Crema had a bug bounty program. So this is really, I don't think anyone can call this a bug bounty in good faith. It's clearly, this was a cyber attack, this was a theft. And then the hacker somehow hoped that by returning some of the money, they could get away with it, which he didn't, or they didn't.

29:06

It does raise the question of whether or not, how do I put this? Whether or not Crema honored the arrangement. And again, it's an agreement made kind of at gunpoint a little bit, so you couldn't really blame them for making the deal and then immediately turning around and turning him in. But you do wonder how the feds got onto the case and whether or not Crema was involved in it.

29:25

Yeah, I'm not a legal expert, but I think that it doesn't matter. In a case like this, it doesn't matter if Crema presses charges, because presumably some of the users on the exchange are Americans. And so those are actually victims as well. So even if Crema doesn't press charges, the DOJ investigates, because there's a bunch of Americans who have lost quite a lot of money, potentially. So we don't know how many users were affected, or if it was just, like, money that Crema owned. But essentially, if there's a theft, then the DOJ can get involved even if Crema does press charges or decides not to press charges. That's my understanding, at least. Like, basically what I'm saying is that when Crema promised this, they were either lying or they didn't know how these things work.

30:19

That makes sense.

30:20

Even if they were honest, I don't think they realized that that's not how it works.

30:24

Well, it's an easy promise to be able to make. It's like, sure. Whether or not we make these, whether or not we refer this on to law enforcement is relevant to, but ultimately distinct from, whether or not law enforcement decides to push it.

30:35

Yeah, and I think that you suggested this. They were trying everything they could to get the money back, because, as we were discussing, the blockchain doesn't forget. And also cryptocurrency transactions are usually irreversible. And so once the crypto is gone, you really need to get it back. It's not like a bank that has some sort of insurance. So pleading with the hackers to get the crypto back is the easiest way to solve the problem and get the money back for your users or customers.

31:13

This story partially caught

31:15

my attention because the government referred to it as

31:18

a first of its kind. And

31:20

I think what they mean when they say that is that

31:22

it is the first charges laid

31:24

concerning the hack of a specifically

31:26

decentralized crypto exchange. I

31:29

think that's what they mean when they say it's a first.

31:32

Is that your sense of it? How was it a first?

31:34

And as a journalist who has covered these kinds of stories,

31:37

how is it also maybe familiar? That's

31:40

interesting. I forgot that they claimed that it was

31:42

a first case.

31:45

I mean, I don't really understand why they call it the first

31:47

case because a lot

31:49

of smart contracts have been exploited in the past.

31:52

Maybe nobody has gotten caught yet.

31:55

But I don't see how this is different from exploiting

31:58

the Poly Network or...

31:59

Ronin, which was like

32:02

that sort of video game where

32:05

the North Koreans stole a lot of crypto. So

32:09

yeah, it's strange. I don't know exactly

32:11

why they called it the first. It's

32:14

also like only in the title of the

32:16

press release. It hasn't really been

32:18

explained. So

32:21

yeah, honestly, I don't know exactly what the DOJ meant

32:23

here. It's

32:25

a little unclear. I

32:30

wonder if it has to do with charges being laid

32:32

against an American, but

32:35

it does seem like a pretty in the weeds distinction.

32:40

Yeah, I mean, maybe you're right that it's because it's a decentralized

32:42

exchange rather than a Coinbase sort of

32:44

exchange. I don't see how

32:45

that distinction is very, very relevant to most

32:48

of the public, to

32:49

be honest. Decentralized exchanges, especially ones using

32:52

like big liquidity pools governed

32:54

by smart contracts versus the older

32:56

order book style. This

32:58

whole tech really lives and dies

33:01

by the quality of the smart contract. And

33:04

some smart contracts are upgradable.

33:07

But my understanding is once they're deployed,

33:10

once they're out in the world and people are using them, they're

33:13

either immutable or much harder

33:15

to change than server-side software.

33:18

Does this style of decentralization

33:21

make fixing vulnerabilities in a design

33:24

just a lot

33:25

harder when it comes to things

33:28

that deal with money? Yeah, absolutely.

33:33

I don't know. Maybe this shows my bias on

33:36

my opinion on cryptocurrencies and Web3

33:38

and all this stuff. But to me, it's ridiculous

33:41

that you're

33:43

essentially

33:45

resting the future

33:47

of a lot of money that comes from

33:49

people who at the end of the day are investors. Not

33:52

all of them are millionaires or billionaires.

33:55

A lot of them are small investors who

33:57

have read about crypto in

33:59

some newspaper and

34:02

they've seen the returns that some people

34:04

have made and they decide to put maybe

34:06

all their savings in it.

34:09

And all that money is, you know,

34:12

that's the safety of that money depends on code

34:15

that is completely open source. It

34:17

is public. And as you say, in many

34:19

cases it's immutable because the

34:22

developers don't even realize the risks, especially

34:25

a couple of years ago or even last year when

34:27

crypto was still really

34:30

when most cryptocurrencies

34:33

were incredibly valuable

34:36

and were growing in value constantly.

34:38

There was a lot of interest, not

34:41

only from investors, but from developers to create

34:44

new financial products, basically new crypto

34:46

projects, new anything, you know,

34:49

Web3 games, anything

34:52

that you can think of. And so there was sort of a rush.

34:54

There was a gold rush to cash

34:56

in. And so a lot of people that had even

34:59

limited, to be honest, even limited software development

35:01

knowledge, launched projects, put

35:04

these smart contracts online, didn't even

35:06

get an audit or just

35:09

hoped or didn't even realize

35:11

that this is how it works. Your code is out there.

35:13

If someone finds a flaw, then

35:15

there is nothing you can do to stop it. And

35:18

because cryptocurrency

35:21

transactions are almost immediate,

35:23

I mean, Bitcoin is a little slower and, you know, they're

35:25

not like technically immediate, but they're

35:28

pretty quick. And so if you're not

35:30

monitoring what happens on your network, you're

35:32

not going to find out. There are security companies

35:35

now that offer threat intelligence

35:37

and monitoring

35:39

of these kinds of attacks. But at the end of the day,

35:41

these are just, or some

35:43

of these are just, you know, regular

35:46

transactions. And it's

35:48

really hard to tell whether someone is moving $9 million

35:51

in crypto because they're just moving them, or

35:54

it's because they're stealing them. So,

35:57

yeah, someone a couple of years ago compared

36:01

the smart contract with the mission

36:03

critical code. He was telling

36:05

me that you could actually compare it

36:07

to the code that's used in an

36:10

F-35 or to launch a satellite

36:12

in space. It's code that you really

36:14

have to get right. One thing is

36:16

to launch, I don't know, Threads, for example,

36:18

Facebook launched Threads. There are

36:20

some bugs in it. Sure.

36:25

Maybe some of them are embarrassing or can

36:28

have different kinds of impacts. At

36:30

the end of the day, it's a social media network.

36:33

You find the bugs, you fix them and

36:35

life goes on. Here, if there are

36:37

bugs, if you

36:39

get unlucky, if the bad people find

36:42

those bugs, then all of a sudden you're

36:44

out of nine million dollars or six hundred million

36:46

dollars or who knows how many million dollars. So,

36:48

you know, to me, it's still crazy that

36:51

we're

36:52

resting

36:55

the fate of all this money on code

36:57

that is not only public, but a lot

37:00

of times unfortunately developed by people that

37:02

don't really understand security and don't understand the risks

37:04

involved. I appreciate you taking

37:06

the time to chat with me about this, Lorenzo. It's a very

37:09

interesting one. I think we'll be following it. My pleasure.