On February 16, 2023, the decentralized finance platform Platypus had the equivalent of 8.3 million euros siphoned off one of its “pools”, a shared cryptocurrency reserve available to investors wishing to trade digital assets. That day, Mohammed M. took advantage of an error in the code to withdraw all of the assets, without offering the slightest consideration.
Hacks of this type are not a rarity in this sector of decentralized finance, which proposes to automate operations concerning cryptocurrencies such as buying, selling or lending using blockchain technologies, eliminating the need for a human intermediary. Because the other side of the coin is that the slightest flaw in the writing of the programs which govern the operation of these services, the “smart contracts”can be exploited to steal funds.
It was a phone call from the cryptocurrency exchange Binance that put investigators from the Central Office for Combating Crime Linked to Information and Communication Technologies on the right track. In the space of a few days, they managed to analyze the financial flows and identify two brothers, Mohammed and Benamar M., arrested on February 24 in Aubervilliers (Seine-Saint-Denis). Mohammed M. is then indicted for accessing and maintaining an automated data processing system, fraud and money laundering, while his brother is accused of receiving stolen property.
The defense of the “ethical hacker”
Eight months later, on October 26, at the Paris court, Mohammed M. does not dispute the facts but claims to have acted in good faith. He presents himself at the bar as a “ethical hacker” having wanted “recover endangered funds from the Platypus platform to return them later”. He thus hoped to get one ” prime “, paid by the company,“around 10% of the total amount”.
This 22-year-old self-taught man, without a diploma or training but with a strong taste for IT and the world of cryptocurrencies, claims to have found the flaw by chance, in “seeking to understand how the protocol worked”. By observing the way in which the Platypus loan system is structured, he then observes an error in the source code of the “emergency withdrawal” function. And it is this flaw, by a sleight of hand with another cryptocurrency platform, that he then thinks he can exploit.
First there were several unsuccessful attempts. Following a mistake on his part, the equivalent of 7.8 million euros remains blocked in a wallet that is now completely inaccessible to anyone. But he ultimately manages to extract the equivalent of 263,000 euros in cryptocurrencies, which he sends to a wallet over which he has control. This loot is then quickly disseminated: part of the funds is exchanged and distributed between different wallets, another is sent to an anonymization service (what we call a “mix”), a last one, the equivalent of 12,000 euros, is transferred to his brother, Benamar M.
You have 35% of this article left to read. The rest is reserved for subscribers.