> as sourced back to a product it calls “cauldrons”
Then, the magician said "Abracadabra!" and poof! the money is gone.
> The company also offered a bug bounty to the hacker of 20% of the stolen funds.
Would that give them immunity from prosecution if they ever catch him. If not, what's the upside for the hacker to return anything back?
Is immunity from prosecution something a private company can even offer?
They can certainly offer to not call the police, but if a serious crime were committed, the police don't need to have the victim cooperate.
> if a serious crime were committed, the police don't need to have the victim cooperate.
That's what I remember as well, but thought maybe it's different in different countries, or there is some other kind of cleverness behind the offer. Otherwise, it makes them look kind of silly.
Depends on what serious means here. In financial/wire fraud, the police often need support from the victim to collect sufficient evidence. If the victim does not cooperate, the case could be dropped due to lack of evidence.
Murder is typically more serious.
The investigating agency could get subpoenas to compel the victim to provide evidence. But it's usually not done when the victim doesn't want to cooperate.
The police in general are so far behind on their ability to prosecute crypto/cyber crimes for so many reasons that in practice they would basically never be interested in prosecuting without victim cooperation. Not to mention that in theory this would retroactively make the crime totally definitely above board ethical hacking which is not a crime in any jurisdiction as far as I know.
Avi Eisenberg returned most of the money he manipulated from Mango Markets and he was still prosecuted and convicted.
ok let's lay this out, somebody claims that some big complicated numbers that they had and claimed to be valuable, got removed by somebody else, using a lot more smaller less complicated numbers worth essentially nothing, and now are seeking the help of someone else with presumably, slightly more, uncomplicated numbers to retrieve the big complicated numbers, from whoever it is that has them now, in return for a smaller share of said large and complicated numbers.
It would give them immunity and more importantly make it far easier to liquidate the now totally legal and above board funds.
Hmm, maybe but it would have to come from the prosecutor's office, of whatever country has the best chance of catching the hacker, and the hacker has to believe it.
Nope, because it's not like a normal immunity deal it's the company retroactively granting "authorization for third party testing" which makes the hack no longer a crime.
Ah that's interesting. So it's like someone stealing from them, and them saying, ok bring part of it back and we'll retroactively tell the police/customers that we gave you the money as payment for "testing our security".
I guess that could work if no customers are affected. If customers want to get their money and it's all there for everyone, it's all good. But if it isn't, it would be awkward to tell them "we don't have your money, we bought this expensive security audit for $10M and now you only get 20% of your deposit back".
Interestingly enough, they are sort of taking the side of the hacker then against the customer. Customers can go to the police and they'd laugh at them "you put your money in Abracadabra, and now you complain that, poof! your money is gone, as if by magic? Did we get that right?"
Yup that's exactly it, but since it's all happening on the blockchain everyone knows exactly what's happening when companies offer these kinds of "bug bounty rewards".
Nope. Financial crime absolutely does not work like that. Just the part of this where they supposedly manipulated the price of some asset used as collateral could well be market abuse.
Until law enforcement brings a case to court and secures a win, this is in fact exactly how it works. I'm not saying that it's right or good, but bullshit "bug bounty" payouts are pretty well established in the crypto ecosystem at this point and to the best of my knowledge the only case of anything like it resulting in a conviction is Joe Sullivan being convicted for covering up a data breach at Uber with such a scheme.
Well Avraham Eisenberg was convicted of manipulation in the Mango Markets case[1] in spite of such a deal. I believe his sentencing is tomorrow so we'll know then whether or not the deal[2] affected his sentence but it didn't affect his conviction.
There is a general belief among a lot of crypto folks that "if it's on chain, it's fair game" and you can make these kind of deals etc but as far as I can see, there's absolutely no basis for that in law. If law enforcement/regulators start to take actions they can do so for any case they suspect of being market abuse irrespective of whether the parties agreed some kind of deal. That is certainly my read of both the US and UK/EU regulations, which are the two cases I'm aware of. Neither of them have any sort of carve out to allow participants to make a bilateral arrangement to give someone a post-hoc waiver for some act that would otherwise be considered abuse.
[1] https://www.justice.gov/archives/opa/pr/man-convicted-110m-c...
[2] This has info about the money he returned in what he and Mango thought was a bounty/settlement type thing https://blocktribune.com/avraham-eisenberg-seeks-leniency-in...
Not surprised something like this happened, one of the persons behind Abracadabra had been outed as being Michael Patryn, Co-founder of QuadrigaCX.
https://www.reddit.com/r/CryptoCurrency/comments/sdsp0i/shoc...
Crypto being stolen from exchanges happens so often and in such large quantities that $13M seems like nothing, which doesn't seem like a good sign for the industry.
Not your keys, not your coins. It is never a sound idea to leave a large amount of cryptocurrency on an exchange. I don't think this will fundamentally change from Mt. Gox.
One of the few upsides of Crypto is that it provides a constant reminder of why we have banking regulations. Anytime someone says regulations are onerous or slow down the process and are outdated you can point to our current day poorly regulated crypto markets and show them what it could be like instead.
And on the flip side, crypto reminds us why governments and gold stockpiles might not be the most trustworthy stockpiles of wealth either: https://www.politico.eu/article/gold-germany-conservatives-s...
I was hoping for more information about the nature of the attack. All I saw was that 'funds must be deposited before they can be withdrawn' and 'Tornado Cash' was used for the deposit.
Does anyone have more details about how (or if) Tornado Cash was involved/used in this attack?
Tornado Cash was essentially irrelevant to the attack. Just a way the attacker worked to hide themselves.
The attack was able to happen as a result of two separate bugs.
First, a user was able to use something as collateral with a price that could be manipulated. This allowed them to instantly manipulate the collateral to appear worth less than the amount borrowed, allowing it to be liquidated.
The second bug was that they had code that should not allow a user to do a series of interactions with the contract that end in bad debt for the user, however since they were able to liquidate their own bad debt from inside the series of interactions, the liquidation cleared out the bad user debt, and moved it to bad protocol debt. This made it so that when the whole process was checked at the end of the transaction, the user debt looked fine.
Or I could be slightly wrong - it was an unusually gnarly attack.
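To make the two bugs described in the comment above concrete, here is an added toy model (constructed for this thread, not Abracadabra's code or anything from the actual incident) of a lending pool. The `LendingPool` class, the `spot_price`/`reference_price` split, the LTV figure and all the amounts are assumptions for illustration. It contrasts an end-of-transaction check that only inspects the caller's own position (which passes after a self-liquidation has shifted the shortfall onto the protocol) with a pool-wide invariant that also sanity-checks the valuation price against a slow reference price.

```python
"""Toy lending-pool model, constructed for illustration (not any real protocol's
code). It models the two bugs described in the comment above: collateral valued
from a manipulable spot price, and an end-of-transaction check that only looks
at the caller's own debt, so a self-liquidation that parks the shortfall on the
protocol passes it. A pool-wide invariant plus a price sanity check catches both.
"""
from dataclasses import dataclass


@dataclass
class Position:
    collateral: float  # collateral token units
    debt: float        # borrowed stable units


class LendingPool:
    def __init__(self, spot_price: float, reference_price: float, ltv: float = 0.75):
        self.spot_price = spot_price            # manipulable spot price (assumed source)
        self.reference_price = reference_price  # slow-moving reference, e.g. a TWAP (assumed)
        self.ltv = ltv                          # max loan-to-value ratio (assumed 75%)
        self.positions: dict[str, Position] = {}
        self.protocol_bad_debt = 0.0            # debt no longer backed by any collateral

    def collateral_value(self, pos: Position) -> float:
        return pos.collateral * self.spot_price

    def is_healthy(self, user: str) -> bool:
        """A missing position counts as healthy: there is no debt to check."""
        pos = self.positions.get(user)
        return pos is None or self.collateral_value(pos) * self.ltv >= pos.debt

    def open(self, user: str, collateral: float, debt: float) -> None:
        self.positions[user] = Position(collateral, debt)
        if not self.is_healthy(user):
            del self.positions[user]
            raise ValueError("undercollateralised")

    def liquidate(self, user: str) -> tuple[float, float]:
        """Seize the collateral, repay debt up to its current spot value, and push
        whatever is left onto the protocol. Returns (collateral_seized, debt_repaid)."""
        if self.is_healthy(user):
            raise ValueError("position is healthy")
        pos = self.positions.pop(user)
        repaid = min(pos.debt, self.collateral_value(pos))
        self.protocol_bad_debt += pos.debt - repaid
        return pos.collateral, repaid


def weak_check(pool: LendingPool, user: str) -> bool:
    """The flawed end-of-transaction check: only the caller's own position is inspected."""
    return pool.is_healthy(user)


def strong_check(pool: LendingPool, max_deviation: float = 0.05) -> bool:
    """Pool-wide invariant: the spot price is within max_deviation of the reference
    price, and the sequence created no protocol bad debt."""
    price_ok = abs(pool.spot_price - pool.reference_price) <= max_deviation * pool.reference_price
    return price_ok and pool.protocol_bad_debt == 0.0


def self_liquidation_sequence(manipulated_price: float) -> dict:
    """One atomic sequence: open at max LTV, move the spot price, liquidate own position.
    Returns what each check sees afterwards and the net gain in stable units."""
    pool = LendingPool(spot_price=10.0, reference_price=10.0)
    pool.open("attacker", collateral=100.0, debt=750.0)  # 100 * 10 * 0.75 = 750, exactly at the limit
    pool.spot_price = manipulated_price                   # bug 1: valuation follows the manipulable price
    seized, repaid = pool.liquidate("attacker")           # bug 2: liquidator and borrower are the same party
    return {
        "weak_check_passes": weak_check(pool, "attacker"),
        "strong_check_passes": strong_check(pool),
        "protocol_bad_debt": pool.protocol_bad_debt,
        "collateral_returned": seized,
        "attacker_net_gain": 750.0 - repaid,  # borrowed minus what the liquidation repaid
    }


def honest_sequence() -> bool:
    """A normal open with an unmoved price leaves the pool-wide invariant intact."""
    pool = LendingPool(spot_price=10.0, reference_price=10.0)
    pool.open("alice", collateral=100.0, debt=500.0)
    return strong_check(pool)


if __name__ == "__main__":
    print(self_liquidation_sequence(manipulated_price=5.0))
```

With the constructed numbers, halving the spot price makes the 750 loan collectable only to 500 from the seized collateral, so 250 lands in `protocol_bad_debt` while the borrower's own ledger is empty: `weak_check` reports the position as fine, `strong_check` fails on both the price deviation and the bad debt. The design point is that solvency is a pool-level property, so the invariant checked at the end of a transaction has to be pool-level too, and the price it uses has to be one the caller cannot move within that same transaction.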
Usually these hacks are always from insiders. Sometimes the entire team plans this months and years ahead.
Maybe it's just semantics, but to me hacks and rug pulls are different things.
Team backdoors in code to steal funds tend to be obfuscated, and access to run them locked down. This is quite different than a hack that exploits "well intentioned" code. I think very few actual exploits are by the team - there's just much easier ways to steal funds than leaving a bug open in the world for a long period of time that anyone could find and use.
Which one was it? A rug pull or the North Koreans?
Those are the use cases for Crypto :-)
I'm going to put this here in case I'm right someday: Chia Permuto.
Just on time: "Justice Dept. Disbands Cryptocurrency Enforcement Unit" - https://www.nytimes.com/2025/04/08/us/politics/doj-disbands-...
At this point, it might be fair to say that anyone with significant crypto holdings who isn't storing them offline instead of in some third-party "vault", is an idiot.
Filed under tHe FuTuRe Of FiNaNcE
Completely unexpected!
At this point the "real cryptocurrency economy has never been tried" sound an awful lot like "real communism has never been tried".
Does this constitute a "real economy"? Where are the goods and services being traded? It's all just speculation and worthless "web3" stuff like NFTs. It's not any more a real economy than the counter-strike skins economy or the baseball cards economy.
There was a "real crypto economy" back in the days of the silk road. So I would say that the real cryptocurrency economy has been tried, and it was doing alright until they got busted by the feds. But the reason we don't have a crypto economy today is that drug dealers got drowned out by the more popular get-rich-quick schemers.
Your point is a good one. I don't think it invalidates what I said, since my still valid message would get lost if I hedged it with "except (more or less) organized crime".
But I agree that Silk Road was an economy. Just like slave trading and other human trafficking is an economy.
We do still have an illegal cryptocurrency economy. It's more tilted towards the ransomware economy than drugs, though. So it's not just pyramid schemes.
But I'm sure crypto drug kingpins and murderers like Ross Ulbricht are still out there. In fact recently I listened to a money podcast that investigated if hitmen paid in cryptocurrency on the dark web were a real thing. I can't find it now, but the answer was that most are scams, but yes actually there's a nonzero number who will kill the person.
But back to my point: Most people talking about the cryptocurrency utopia (though most have given up on that, instead shifting to "it's a store of value!"), when they (de facto) say "real cryptocurrency economy has not been tried" mean the non-traditionally-criminal economy. So I also don't think that what I said was wrong. It depends what you mean by the word "real". :-)
This comment made my day.
There's a major difference:
Crypto is often undermined by insiders pretending to be outsiders.
Communism is often undermined by outsiders pretending to be insiders.
Add it to the list: https://www.web3isgoinggreat.com/