Canadian National Charged With Stealing Approximately $65 Million in Cryptocurrency From Two DeFi Protocols

An indictment was unsealed today in federal court in Brooklyn charging Andean Medjedovic with wire fraud, computer hacking and attempted extortion for stealing approximately $65 million in cryptocurrency from the KyberSwap and Indexed Finance decentralized finance (DeFi) protocols, which are sophisticated financial platforms residing on cryptocurrency blockchains.  Medjedovic is also charged with laundering the proceeds of the theft.  He is currently at large.

John J. Durham, United States Attorney for the Eastern District of New York; Antoinette Bacon, Supervisory Official of the Justice Department’s Criminal Division; Harry T. Chavis, Jr., Special Agent in Charge, Internal Revenue Service Criminal Investigation, New York (IRS-CI); James E. Dennehy, Assistant Director in Charge, Federal Bureau of Investigation, New York Field Office (FBI); and William S. Walker, Special Agent in Charge, Homeland Security Investigations New York (HSI) announced the indictment.

“As alleged, the defendant executed a highly sophisticated scheme to exploit two decentralized finance protocols and steal tens of millions of dollars’ worth of cryptocurrency from investors,” stated United States Attorney Durham.  “My Office remains at the forefront in prosecuting cutting-edge cases involving new and emerging technologies, demonstrating our commitment to protecting all financial markets, including the digital assets markets.  Criminals like the defendant who take advantage of new technologies to harm investors will be held accountable no matter where in the world they carry out their schemes.”   

Mr. Durham expressed his appreciation to the United States Securities and Exchange Commission’s Crypto Assets and Cyber Unit for their valuable assistance during the investigation. 

“This was a sophisticated fraud that exploited vulnerabilities in ‘smart contracts’, resulting in the theft of millions of dollars in cryptocurrency,” stated IRS-CI New York Special Agent in Charge Chavis.  “It’s alleged that Medjedovic executed a hack that stole nearly $65 million in crypto between two schemes, leaving liquidity pool investors in the red.  In investigating this case, IRS-CI New York’s Cyber group worked closely with its federal partners while leveraging resources from IRS-CI’s Cyber Attaché at Europol and the J5 Cyber Group. Even with the complexities of DeFi, we tracked down who is responsible for this large-scale theft, and he is now a wanted man.”

“Hackers can at times be painted in a flattering light by pop culture, some admiring their skills and acumen. They’re stealing money that isn’t theirs, and they’re breaking the laws of this country. We allege Andean Medjedovic violated several of those laws, and he, along with all the other cyber criminals who believe they’re untouchable, will face justice,” stated FBI Assistant Director in Charge Dennehy.

“These charges are a result of HSI New York’s determination to disrupt Andean Medjedovic’s alleged sophisticated far-reaching transnational cybercrime and seek justice for the millions of dollars syphoned from financial platforms,” stated HSI New York Special Agent in Charge Walker.  “Our global reach, experience and extensive knowledge of the cyber domain allow us to rapidly develop investigations into bad actors who seek to exploit the cryptocurrency market. Our federal partnerships across the globe made this investigation a success to include support from the HSI attaché offices in the Netherlands.”

KyberSwap and Indexed Finance were developers of automated market-making services called “liquidity pools” that allowed users to swap cryptocurrency tokens with each other.  The liquidity pools were managed by computer code called “smart contracts” and relied on investor contributions of cryptocurrency.  As alleged, Medjedovic used manipulative trading to exploit vulnerabilities in the KyberSwap and Indexed Finance smart contracts. These manipulative trades enabled Medjedovic to drain approximately $65 million in cryptocurrency that belonged to investors from the KyberSwap and Indexed Finance liquidity pools.

The KyberSwap Exploit

As alleged in the indictment, in 2023, Medjedovic planned and executed a scheme to exploit vulnerabilities in the KyberSwap protocol.  KyberSwap was a DeFi protocol and developer of liquidity pools on several public blockchains, including the Ethereum and Arbitrum networks. Liquidity pools use user-contributed cryptocurrency to facilitate trading and market-making in cryptocurrencies. The KyberSwap liquidity pools were managed by computer code or “smart contracts” called automated market makers or “AMMs,” which set prices in the KyberSwap liquidity pools.

In November 2023, Medjedovic exploited vulnerabilities in the KyberSwap computer code to drain the KyberSwap liquidity pools.  Medjedovic used hundreds of millions of dollars in borrowed cryptocurrency to create artificial prices in the KyberSwap liquidity pools.  Medjedovic then calculated precise combinations of trades that would cause the KyberSwap AMM to “glitch,” in his words, allowing him to steal tens of millions of dollars in cryptocurrency from the liquidity pools. In total, Medjedovic stole approximately $48.8 million in investors’ cryptocurrency from 77 KyberSwap liquidity pools on six public blockchains.

Following the exploit, Medjedovic attempted to extort the developers of the KyberSwap protocol, as well as KyberSwap’s investors and the members of the de-centralized autonomous organization or “DAO” that governed the KyberSwap protocol.  Medjedovic demanded control of the KyberSwap protocol and the KyberSwap DAO in exchange for which he would return approximately 50% of the cryptocurrency that he had stolen.

Medjedovic also attempted to launder the proceeds of his theft, including through “bridge” protocols used to transfer cryptocurrency from one blockchain to another, and through a cryptocurrency “mixer” used to conceal the source of digital assets. After one bridge protocol froze several of his transactions, Medjedovic agreed to pay an undercover law enforcement agent posing as a software developer approximately $80,000 to circumvent the bridge protocol’s restrictions and release approximately $500,000 in stolen cryptocurrency.

The Indexed Finance Exploit

As alleged in the indictment, Medjedovic committed a similar exploit of the Indexed Finance DeFi protocol.  Indexed Finance liquidity pools are referred to as “index pools,” and function similarly to a mutual fund or exchange-traded fund in traditional finance.  Instead of holding a basket of traditional equities, the index pools held an index of digital tokens contributed by users.

In October 2021, Medjedovic used manipulative trading to exploit two Indexed Finance liquidity pools on the Ethereum network.  Medjedovic used hundreds of millions of dollars in borrowed cryptocurrencies to distort a process called “re-indexing,” which was used by the Indexed Finance smart contracts to add a new token to the liquidity pools.  Medjedovic used the borrowed cryptocurrency to engage in manipulative trading to cause the Indexed Finance smart contracts to set artificial prices during the re-indexing process.  He then stole approximately $16.5 million in investor cryptocurrency from the liquidity pools.

Beginning after the Indexed Finance exploit, in or around 2022, Medjedovic conspired with another person to launder the proceeds of his illegal conduct through cryptocurrency exchange accounts that were opened using false information, and by using a cryptocurrency mixer.  Among other things, Medjedovic maintained a step-by-step playbook for moving large amounts of cryptocurrency through the mixer, which he titled a “moneyMovementSystem.” In other documents, Medjedovic discussed circumventing “know your customer” or “KYC” procedures and using cryptocurrency exchange accounts opened with false KYC information for “hacks and cashing out.”

The charges in the indictment are allegations and the defendant is presumed innocent unless and until proven guilty.                    

The government’s case is being handled by the Office’s Business and Securities Fraud and National Security and Cybercrime Sections, with the Justice Department Criminal Division’s National Cryptocurrency Enforcement Team (NCET). Assistant U.S. Attorneys Nick M. Axelrod and Andrew D. Reich of the Eastern District of New York and NCET Trial Attorney Tian Huang of the Criminal Division’s Fraud Section are prosecuting the case with assistance from Paralegal Specialists Liam McNett and Madison Bates.  SEC Enforcement Attorney Daphna A. Waxman, formerly a member of the NCET, provided significant assistance.

Valuable assistance was provided by the Justice Department’s Office of International Affairs.  The Office thanks the Netherlands’ Public Prosecution Service and the Dutch National Police’s Cybercrime Unit in The Hague and United States Customs and Border Protection, New York Field Office.

The Defendant:

ANDEAN MEDJEDOVIC
Age: 22
Canada

E.D.N.Y. Docket No. 24-CR-529 (NGG)