Platypus affair: the two brothers plead ethical hacking


It was “like pressing the cappuccino button on a coffee machine”. And these were “public functions” using the Platypus code as it was published. This Thursday, October 26, Mohamed M., the main defendant in the Platypus case, invoked a technical flaw and called on his judges to acquit him of the criminal charges, presenting himself as an ethical hacker without malicious intent.

The 20-year-old, with a shaved head and dressed entirely in black, is being prosecuted for fraud, money laundering, and accessing and remaining in an automated data processing system. He and his brother Benamar, who is suspected of money laundering alone, were arrested in February 2023 following an investigation carried out by the Central Office for the Fight against Crime Linked to Information and Communication Technologies (OCLCTIC).

A few days earlier, the Platypus Finance platform had reported a major hack. The loss was initially valued at the equivalent of 9 million dollars, a sum ultimately reduced to a little more than six million, the balance having been recovered. On the stand, Mohamed, a self-taught computer enthusiast, explained how he was able, by programming a series of instructions, to siphon funds from the platform.

Emergency withdrawal clause

A first flash loan on the decentralized finance protocol Aave V3 initially allowed him to deposit 44 million USDC, a stablecoin pegged to the US dollar, on Platypus Finance. These funds were used as collateral to borrow 41.7 million USP, another token. This money was intended to be exchanged for the stablecoins present in the platform’s liquidity pool. In the meantime, the emergency withdrawal clause had been activated, making it possible to repay the initial flash loan while keeping control of the cryptos obtained on Platypus.

“My initial intention was to recover these endangered funds,” Mohamed explains to the judges. According to the defendant, partial exploitation of the flaw would have attracted the attention of malicious hackers, such as those from North Korea who make their money from poorly secured crypto platforms. “So your objective was to empty all the funds?” asks the prosecutor, Sophie Gschwind. “That’s it, so that we can then return them,” replies Mohamed. But in return for a bonus of around 10%, under the scenario envisaged.

However, this plan was derailed in the minutes that followed. Of the seven smart contracts launched, only three could be executed, two of which failed. For the first, “I forgot to put a line of code for sending to my wallet, so the funds remained blocked in the contract,” explains Mohamed. That amounts to a little more than the equivalent of $6 million, which is still inaccessible for the moment.

$250,000

The second smart contract ultimately sends the funds to Aave, which will return the cryptos to Platypus. Only the last one allows the young man to recover the equivalent of a million dollars in crypto-assets, ultimately allowing him to get his hands on around 250,000 dollars. But “we are not dealing with a computer attack, nor a scam,” assures his lawyer, Seydi Ba.

“We presented you with analogies, this is what happened: he came to the bank, he asked for money and we told him, here it is,” he adds. And the lawyer sums up the matter as a loan which “has not yet been repaid”. “It is not because the smart contract allowed money to be taken that it could do so,” retorts the platform’s lawyer, Fanny Le Magadure.

“He was perfectly aware of what he was doing,” she continues. “And if he had been an ethical hacker, we don’t see why he needed to make the money disappear,” the funds having been sent in particular to a mixer before landing on a Ledger key. “An ethical hacker would have stopped at the first smart contract and would not have taken as many precautions to hide his tracks,” also believes Sophie Gschwind, for the prosecution.

“Huge” damage

“His intention was to siphon off Platypus’ liquidity pool, to make a big move to take all the funds,” summarizes the prosecutor. She then calls on the judges to sentence Mohamed to five years in prison, the maximum incurred, three of which suspended. One should be wary of believing that this case “is only virtual money”, she finally points out to the judges.

This was an allusion to the “enormous” damage in this affair, to be compared with the claims of Platypus Finance. The company estimated its shortfall at 144,000 euros. Above all, it requested one million euros for its damage, a sum that could be revised upwards by almost seven million euros should it prove impossible to seize the crypto-assets still blocked in the smart contract. The decision will be made on December 1.


