Gone in 60 seconds is a thing of the past. With the world moving towards digital assets and cryptocurrency, “Gone in 12 seconds” seems to be the new norm for digital heists. The U.S. Department of Justice arrested two siblings for attacking the Ethereum blockchain and siphoning $25 million of cryptocurrency during a 12 second exploit. Hailing from Boston and New York respectively, Anton Peraire-Bueno, 24, and James Peraire-Bueno, 28, stand accused of a litany of charges including conspiracy to commit wire fraud, wire fraud and conspiracy to commit money laundering. According to an unsealed indictment on Wednesday the brothers mixed their “specialized skills” from their education at MIT with their expertise in cryptocurrency trading to exploit “the very integrity of the (Ethereum) blockchain,” said U.S. Attorney Damian Williams. The brothers meticulously planned the exploit scheme for months “and once they put their plan into action, their heist only took 12 seconds to complete,” he added.

“This alleged scheme was novel and has never before been charged.”

Through the Exploit, which is believed to be the very first of its kind, Peraire-Bueno brothers manipulated and tampered with the process and protocols by which transactions are validated and added to the Ethereum blockchain.

The MEV Conundrum from Ethereum Blockchain Exploit

According to the indictment, the Pepaire-Bueno brothers initiated their scheme in December 2022, targeting specific traders on the Ethereum platform through what investigators term a "baiting" operation. At the heart of the indictment lies the concept of MEV-Boost, a software tool utilized by Ethereum validators to optimize transaction processing and maximize profitability. MEV, or maximal extractable value, has long been a subject of controversy within the cryptocurrency community, with proponents arguing its economic necessity and critics highlighting its potential for abuse. They exploited a critical flaw in MEV-Boost's code, granting them unprecedented access to pending transactions before their official validation by Ethereum validators. Leveraging this loophole, the siblings embarked on a sophisticated campaign targeting specific traders utilizing MEV bots. The indictment elucidates the modus operandi employed by the accused duo. The brothers created 16 Ethereum validators and targeted three specific traders who operated MEV bots, the indictment said. By establishing their own Ethereum validators and deploying bait transactions, they enticed MEV bots from these traders for their illicit scheme. Subsequently, through a series of meticulously orchestrated maneuvers, including frontrunning and transaction tampering, they siphoned off $25 million of cryptocurrency from unsuspecting victims – all in just 12 seconds. Following the successful execution of their nefarious scheme, the brothers allegedly laundered the ill-gotten gains through a network of shell companies. Converting the stolen funds into more liquid cryptocurrencies such as DAI and USDC, they attempted to rebuff attempts of victims and Ethereum representatives to recover the stolen cryptocurrency. Following their arrest on Tuesday, the brothers are set to appear in federal courts in New York and Boston to face charges. If convicted the brothers face a maximum sentence of up to 20 years in prison for each count. Deputy Attorney General Lisa Monaco lauded the Justice Department’s prosecutors and IRS agents, “who unraveled this first-of-its kind wire fraud and money laundering scheme.”

“As cryptocurrency markets continue to evolve, the Department will continue to root out fraud, support victims, and restore confidence to these markets.”

Cryptocurrency Heists and Convictions Growing Every Day

The news of the arrest comes on the heels of another crypto heist from Sonne Finance, the cryptocurrency lending protocol. The team at Sonne Finance is offering an undisclosed bounty to a hacker responsible for a $20 million theft on Tuesday evening. Sonne Finance facilitates lending and borrowing without intermediaries like banks. The theft, tracked by blockchain security companies, involved digital coins like ether and USDC. Developers paused all markets and later detailed the attack in a postmortem, offering a bounty for the return of funds. They detected the attack within 25 minutes, with some users preventing $6.5 million theft. The hacker has since been exchanging stolen cryptocurrency for bitcoin and others. Law enforcement focus on crypto theft has intensified in 2024, with notable convictions including a $110 million theft from Mango Markets resulting in up to 30 years in prison and sentences for individuals involved in crypto scams and market manipulation. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.