Code Is Law (2025) Movie Script

(bright music)
- There is an
absolute crime epidemic
in the cryptocurrency space.
(bright music)
If a founder just calls the
police when a hack occurs,
they're really just wasting
valuable time by doing so.
They call me in to
get that money back.
(bright music)
It's best that I
remain anonymous.
You don't always know who's
doing the attacking out there.
It is incredible that if
you do turn on the news,
you see breaking news,
someone stole $450
from the cash register
of the local 7-Eleven,
and on the same day,
someone stole $25
million from a protocol
and you'll never hear about it.
(bright music)
When someone steals money,
there is a time sensitivity
to figuring out who did that.
Time really
matters in this case.
They're gonna hide,
they're gonna disappear.
(bright music)
People think
it's not really real
because it's internet
money or whatever.
This is real money.
It's real theft,
it's real criminals.
It becomes, catch me if you can.
(gentle music)
- My guest today is Griff Green.
Who's the-
actually I can call you
the representative
of the DAO, right?
- I mean, since it's a
decentralised organisation,
I guess anybody's
a representative of it.
I'm definitely in it and
I know it pretty well.
Honestly, we were not prepared
to be the largest
crowd-fund ever.
(bright music)
I see $160 million in this
thing as a huge honey pot,
and I don't want
it to get attacked.
(bright music)
I was originally a
chemical engineer,
and I didn't really
like that profession.
When 2009 came around
and layoffs came, I was
like, pick me, pick me.
I really wanted to
live my ultimate truth,
and discover what the
truth is in the world.
And it just feels
like we're controlled
by so many stories.
How you're supposed to live,
put your money in the bank.
I didn't trust the banks,
and I just felt that like
there's so much
to see in the world.
I can explore other areas
and see what I like.
(bright music)
This is the last time
I will be seeing Seattle
skyline at sunset.
(bright music)
Goodbye Seattle.
(bright music)
I just lived in a van for
a while and it's great.
I went full on hippie, right?
I'm rejecting society, I'm
selling everything I own.
You go to a vegetarian like,
yoga camp,
and you're gonna meet
people that are like me.
I was living off
physical gold and silver,
and my buddy was
storing it under his bed
and he would cash it out,
and then wire money to me
wherever I was in the world.
(bright music)
Because I didn't want to
contribute to the banking system
that was causing so
much pain in the world.
(bright music)
Especially post 2008,
there was just bad vibes,
real bad vibes.
(bright music)
When I went to Thailand
and had a Thai massage,
oh my god, I was blown away.
I loved it,
I loved it.
So, I became a
massage therapist.
(bright music)
I actually had
really nice clientele.
It's like $200 a massage,
but my wrists were
starting to hurt (laughs)
and also I was not
making that much money.
(upbeat music)
I saw a Trace
Mayer video in 2011,
and I think Bitcoin
was around $5
and I was like,
this stuff is so cool,
it's like super
cheap to transact.
(upbeat music)
And then it had with it,
this like, anarchist vibe,
and so I traded
$1,500 worth of gold,
and $1,500 worth of silver
for $3,000 in Bitcoin.
(upbeat bright music)
Then Bitcoin was going
up like 200%, 300%.
Just like, what is this stuff?
This is crazy.
And I ended up with 24K
and I was like, my God, I could
live off this for two years.
(upbeat music)
And the more I read, the
more value aligned I was.
(gentle music)
The biggest problem with
banks is the top-down control.
They can freeze my accounts,
they can take the
money that's in there.
You know,
it's not really my money.
If I send a Bitcoin
transaction to someone,
they're gonna get it.
No one can stop it,
it's decentralised.
There's no one person or
one group that you can go to
and say,
turn off your computers,
and the Bitcoin will go away.
(gentle music)
I was obsessed.
Bitcoin hijacked my brain,
and I just couldn't think
about anything else.
So, I ended up breaking
up with my girlfriend,
because she was always
wanting my attention
and all I wanted to do was
learn more about crypto.
(gentle music)
- Bitcoin is definitely
the original currency,
you can send and receive money,
that's it.
And then Ethereum is very much
seen as its main competitor.
- Ethereum was created
so that we could
build smart contracts.
A lot of smart contracts
work like a vending machine.
You send money in and
you get something out,
and they have certain rules.
(gentle music)
You'd have to use Ether,
the currency of Ethereum,
to make a smart
contract do something,
whatever it's programmed to
do, like a vending machine,
but a vending
machine for anything.
- And once they're on Ethereum,
what makes them unique,
is that they're no longer
under the control
of the developer.
(rising music)
- [Green] I was looking
into companies in crypto,
and Slock.it had someone
who was very tight in
the Ethereum space,
with a lot of legitimacy,
Christoph Jentzsch.
- Hi, my name is Christoph.
- [Green] I was
sending countless emails
to Christoph saying, please
let me work for Slock.it.
- Griff Green contacted us.
He said, I love what you're
doing, I would like to join.
For me, he looked like
a funny hippie
who loves life and enjoys it.
- And eventually he replied,
he was like, sure, you
can come work with us.
I was like, oh my God,
it's so cool.
- We came up with the
idea of Slock.it,
and Slock.it standing
for like, smart lock,
or to Slock something
with like the new wallet.
That means,
to lock something up,
which you could
open by a payment.
With Ether or an
Ethereum channel,
I could give the machine
something like a bank account,
so it could receive payments
completely independently.
The humble lock or Slock.
A Slock can be used with
an Ethereum contract
to open anything.
For example,
this Slock powered door,
can provide access to an
office or rental apartment.
I founded it together with
my brother and Stephan Tual,
at the end of 2015.
- And in the beginning
we just had the idea.
- As any startup,
you need money.
I tried to look at
the phone book,
called every VC
I could find there.
Some of them gave me an
appointment to pitch it,
everybody hated it.
Like there are other smart
door locks out there,
what's better with yours?
Well, we are decentralised.
Okay, what benefit does
this have for the customer?
Well, it works without us.
Okay, it was like, they
didn't get it at all.
Like the VCs,
no interest, didn't get it.
Only the ecosystem
around Ethereum
could understand the
value of such a thing.
So, maybe let's go into
raising from the ecosystem.
They're not VCs,
so how to do it?
So, this is how it started.
- So, that's why we
created the DAO.
DAO is a Decentralised
Autonomous Organisation.
- The DAO was a venture
capital fund, more or less.
- Simply a smart
contract on Ethereum,
where you could
send Ether to it,
and then you would get a token,
just like a vending machine.
The more tokens you have, the
more voting rights you have.
And all of the money that was
sent to create those tokens,
stayed in that DAO,
in the smart
contracts of the DAO,
it didn't go anywhere else,
and the token holders
had control of it.
(bright music)
- The most important key
and that's the name of
Decentralised
Autonomous Organisation is,
there is no hierarchy.
And this decentralised approach
means all decisions have to be
made by all the token holders.
(bright music)
- This was the decision
to note this global DAO.
This was aligned with the
spirit and the ecosystem.
Nothing like this
has happened before.
I will show you
today how this D,A,O,
a Decentralised Autonomous
Organisation will work.
We will do a presale,
we'll do a fundraising,
like a crowdfunding,
and that's where
we need your help.
And very importantly,
you control the funds.
(slow dramatic music)
- In DAO there's a
saying that code is law,
- Code is law.
- Law is code, code is law.
- The idea of code is law,
really encapsulated the DAO.
We're building a new
legal structure with code.
(bright music)
If there's not a line of code
that says you can do this,
then you can't do it.
- There's a strong
idea of code is law
or, once the rules are set, they
aren't changeable anymore.
The downside is, if you build
something truly decentralised,
something that's truly unknown,
then that also means that
there's no one who can fix it
if something is broken.
- So, you need a developer.
So, someone who could help
me with writing the tests,
and setting everything up,
there was so much work to do.
- Hey, I'm Lefteris.
They... hired Lefteris,
and then it was the five of
us to start the DAO.
Me and Griff, we are
quite different people.
(bright music)
Griff is extremely
excited about everything and
he brings a smile to the room.
I'm extremely technical.
I like to be alone and
code in a dark room.
Everything that had to do with
code, it was passing through me.
Because it was a
very small startup,
they had raised
no other funding.
They were expecting
to get paid by the DAO.
This was the first time that
anybody does such a thing.
(bright music)
- We had creators
for technical checks.
- I knew Christoph because I
worked with him at Ethereum,
and one day he came
up to me and said,
"Hey, do you want to be
creator for the DAO?"
I was excited, I thought
it was a great idea.
(tense music)
- We already had
platforms to crowdfund,
but they were not the same
as having a
decentralised venture fund.
You could be a VC,
without any financial barrier.
As a young 18-year-old trying
to do startups in Portugal,
I had very little
access to capital.
So, I just loved the idea.
(tense music)
- Everyone in Ethereum was
excited about our project.
- In the beginning, not many
people are using Ethereum.
2016 there were no applications,
there was nothing
to do on Ethereum.
The DAO was the first
really interesting
investment opportunity.
- We had about
5,000 people in Slack,
and I did feel a lot of pressure
and urgency to finally release.
And they're like, why are
we not starting?
What is holding us back?
I was always saying
the smart contracts
are not really done yet.
What's missing?
I just wanna have another look,
another look,
test, one more test.
Going after me and saying,
work faster,
release it, release it.
(tense music)
And I remember,
the point of no return.
I was sitting there and said,
well what are we
doing here right now?
Like this is exploding,
this is going viral
before it even started.
What am I doing here?
Is this safe?
What can it lead to?
(dramatic music)
This is now the last
moment that I could say,
stop, I'm not doing this.
If I don't do this now,
I cannot stop it anymore.
- We had everyone looking
at these contracts,
but no one had a formal training
in smart contract audits,
because there were no
smart contracts to audit.
- So, writing smart contracts
is very different from
writing normal software.
If you write a normal
app and there's a bug,
you just go ahead,
fix on a server,
deploy a new version,
be done with it.
But deploying a
smart contract means,
it can never ever
be changed again.
This is the final version.
Plus, it's available for
the whole world to use.
Everybody can read it,
it's completely public.
And usually
developers would say,
it's almost impossible
to write perfect code.
So, your attack scenario
is immense.
(alarm beeping)
It took a lot of, for me,
overcoming fear,
saying, well,
I can somehow handle this.
At some point I just
had to push the button,
well, there's nothing
more I can do.
I have looked at it
a thousand times,
I feel like there's
nothing more I can do,
so let's release it.
(rhythmic music)
Then money was flowing into it.
(rhythmic music)
And this is then when
the narrative changed.
(bright music)
We thought, well, we need
a little bit of money
for having maybe 5 or 10
people for one or two years,
it would be 5 million.
- And that would be
definitely sufficient
to build a product
we want to build.
- And then the first million
came in, we are like happy.
It works pretty quickly,
the second million so,
that was quick.
But well, we expected
the money to come in,
especially in the beginning.
So, then it was 5 million,
10 million.
- I was watching it,
calling my other two friends
and saying that we
really need to do this.
Like I was pitching
it to them,
because like, the amount
of money was spectacular.
- Now 20 million,
it rose so quickly up.
And we put a few
hundred ETH in there,
which was a few thousand euros,
and it was all that we had.
- I thought we would get 30,
and I was by far the most
optimistic member of the team.
We had $30 million within
the first few days.
- 30 million, 50 million.
- When they grow to
that amount,
I thought, oh my god, what
am I part of now?
- Yeah, I think 90
million was the point,
I had a meeting in Berlin,
I felt so uneasy about it.
There were people there,
congratulating me,
it was a huge success.
I didn't feel like,
happy at all.
- [Green] Christoph, when we
raised a hundred million dollars
he actually physically
vomited when he found out.
- He got scared.
Just because we didn't expect
those high numbers there.
- Man I was stoked.
Oh my God, are you kidding me?
It was like, it was a success
out of my wildest dreams.
I couldn't even believe
that much money existed.
At the time I was
living in Seattle,
just hunkering down
there with some friends,
and paying like,
$300 in rent,
and all of a sudden
my project is raising
a hundred million dollars.
(tense music)
- The DAO ended up with
$160 million worth of Ether,
and that was a point where,
it got kind of spooky
for everybody,
you know, who was in there,
because nobody knew
what would happen.
- But yet, it kept going up.
(upbeat music)
People got so excited
about the DAO's success
that they started buying Ether.
- [DAO Member] And then the
Ether price went also out.
So this was almost a quarter
billion dollars worth of ether.
- Everybody could see that,
this is going to be
the next big thing.
- It was super,
super exciting.
We were investors.
We could call
ourselves investors.
- Everybody wanted to
talk about it.
(slow dramatic music)
I just actually
hated this situation,
because it was too much
responsibility for me.
I was just a young
father of young kids.
I was not a business guy,
a manager of huge
amounts of money.
I was not...
It was not me.
Almost like a depression, like
I would not talk to anybody,
I was just hiding in my home.
- I didn't get scared 'cause
I'm not a software developer,
but Christoph,
and Lefteris, and Simon,
they were scared
outta their minds.
They've written code
before with bugs, you know?
They know,
they know there's bugs.
They just don't
know what they are,
but they know
that there are bugs.
(tense music)
- The more and more money
that is secured by the
code that you have written,
the more uncomfortable
you start feeling.
The code that secures
the smart contract
could have vulnerabilities.
It could be that,
there is something that
we didn't think about.
- We had this enormous
stress of,
we just did the largest
crowdfunding in history.
- With so much money at stake,
it's just really scary.
- This is like a huge target
for any attacker.
- Felt exciting and dangerous.
So, we maybe got a sense that,
okay, that's very big, and
what if something's wrong?
Which, funny enough, didn't
take long to appear.
It took like just a few days,
after the money was in, that
this attack started to happen.
(tense music)
- I woke up, checked on the
Slack, because that was my job.
You know, you go to sleep,
you look at the Slack,
you make sure everything's cool.
You wake up, look at the Slack,
make sure everything's cool.
This is about six
in the morning,
and everything was not cool.
(slow dramatic music)
(notifications pinging)
You could see how
much money it had,
and then you refresh the page
and then it starts
to have less money.
I'm looking and like, oh my
god, it is being drained.
Thousands of dollars was being
drained every couple of minutes.
It shouldn't be possible, I
knew instantly it was a hack.
(tense music)
I called everyone that I could,
but Simon was the
only one who answered.
I told him, gotta get
ahold of Christoph, ASAP,
like get him,
like go to his house,
whatever, you know?
Knock on his door.
- I just called Christoph,
and at that time
he was still sleeping
so I just had his
wife on the phone.
I said, okay, maybe it would
been good to wake him up.
- So, my wife was waking me up
and saying, my brother Simon
is calling, it's really urgent.
So okay, I was waking up,
we're looking at
the transactions.
My first thought was,
oh, someone is just
taking out his money.
And then I looked
deep into it.
Well no, he's taking
out more than he put in.
And then I realised, this
is not what I anticipated,
this is absolutely a hack,
and he's draining
millions of dollars per hour.
My thought was, there's no
way to fix this, that's it.
The DAO's over, completely over.
(tense music)
- I go to the office,
sitting down and then
somebody came to me,
hey, have you seen what's
happening on the DAO?
Suddenly you see all
of these transactions,
and how the
money's draining out.
Everybody panicking,
and selling,
and everything's going crazy.
But at the same time, it was
completely, like confusing.
Nobody had an idea
what was happening.
(slow dramatic music)
- So, the first thing
that we used to look at,
was the price of
ether in the morning.
I dove right into the forums
because it was tanking a lot.
- So, I crafted this message
that said:
So, around $15 million
every hour was being
drained out of the DAO.
- There is no way to stop this.
We have no control, we
don't have any admin keys.
We cannot upgrade the code.
We got into the chat
with Stephan asking like,
let's fix it,
and no, that's not fixed,
DAO is over.
He was not believing it like,
no, the DAO is over.
You can make a blog post,
that's it.
(slow dramatic music)
Over.
I was so stressed, that
I just needed to lay down.
There was a bedroom
next to the office,
I was just laying on the bed.
- The amount of stress
that was on this man's
shoulders was out of control.
He was losing it a little
bit, let's just be real.
He needed to relax.
I'm a masseuse so I'm like,
well hey,
let me give you a massage
and calm you down.
- And he just came to me
and tried to calm me down.
There was still no, like
end of this in sight,
and I was giving
everything I could.
- Rubbed his arms and his
shoulders a little bit,
just to like, get him
to relax, because man,
it was a... it was one of the
toughest days of his life.
(tense music)
- Nobody including myself,
had seen this vulnerability.
- All the eyes that looked
at it, had not seen this.
It became obvious what
it was quite early on.
(code pinging)
- The DAO hack was
actually very complicated.
- It is like, saying I want
my money out,
that's the function.
The bug in the code,
was that he did not just
take his money with him,
but way more than this.
Just pretending to just
take his money out,
but in a way, that the books
were not updated correctly,
so he could do it again, and
again, and again, and again.
- So, we're talking
literally about,
two lines being flipped
in the wrong order.
You flip them around,
the system is safe,
you flip them this way around,
the system is not safe.
(tense music)
- So, he recalled the
same function
many, many, many times.
You just look at it
and can't do nothing.
I thought, well this just
continues until it's empty.
So, we can make some
meetings, we can discuss it
and even during the meetings
the money got drained.
It's like a very weird feeling
like we are discussing here,
and the DAO is
getting drained
at a rate of $50
million dollars per hour.
(tense music)
- It was happening
for several hours,
it felt like an eternity.
- At that moment he stopped.
- About 70% was still
left inside the DAO,
and then it just stopped,
and there was silence.
No one knew why
he stopped, right?
He could have continued that.
- We have no idea,
why did the hacker stop?
The price of Ether
started to crash.
By the end of it all the hacker
took around 30% of the funds
that DAO was holding,
which ended up to be
about $50 million dollars.
- $50 million missing
out of the smart contract.
Now, this money was gone
and nobody knew where it is,
and who did it.
(brooding music)
- I decided to sell
all my DAO tokens
for a third of their value.
Because they were
heavily, heavily deflated
because of the attack
that had just happened.
That bright future of investors
that we were counting on,
had just 'poofed' in a second.
(tense rhythmic music)
I was somewhat
disillusioned with myself,
but I was also angry 'cause
I lost money (laughs)
and I made my
friends lose money.
- Christoph and
Slock.it were devastated.
This new endeavour
that helps everybody
now turns out to
be a disaster.
- For me it was the relief
that this part of
my life is now over.
But then of course the
shock, people losing money.
I thought I would, I dunno
if I would go to jail,
or if my name
was ruined forever.
Nobody would hire me again as
a developer after this bug.
(tense music)
- There was a community
that actually felt that the
DAO hack wasn't a hack at all.
They were following code is law,
and a bug in the code,
well that's a
loophole in the law.
- There were people
in the community
who started saying that
he did nothing wrong,
and that he just followed the
rules of the smart contract.
That intentions do not matter,
that the code is the law.
I thought that these
people are stupid.
- We did say so, we pushed it
on our website, code is law.
And that's how
all the Ethereum
applications have been built.
There was no room
for legal discourse,
and so, I fully understood
the voices who were saying,
well, code is law.
What just happened happened,
and there's no reason
to talk about a solution
because that's
what the code said,
and he just executed
code as it's supposed to.
I think the hacker, those
who lost money due to him,
they can sue him,
and that's good reason.
He acted like, against the
intent of this contract.
But there were people
saying no, shouldn't happen.
There are no lawyers or law
enforcement involved, no police.
You would think,
if you build something,
and you lose $50 million of
some other people's money,
you would get a lawyer.
And we didn't,
and there was nobody suing us.
- But the fact of the matter
is a lot of people were hurt.
Real people are hurt.
Code is not law, code is code.
Everyone was like, all of a
sudden in a constant fight,
and it just destroyed
our culture.
- I think it's safe
to call it a tragedy
of epic proportions for the DAO.
And I know that
the last 24 hours
have been a wild
ride for us spectating.
You can only imagine how
difficult it has been
for the team behind the DAO,
in particular,
our man Griff Green.
Where are you at right now?
- I'm at, in Mittweida Germany,
actually at Christoph's
mom's house,
based in Mittweida
for now until,
well, we were hoping
to work for the DAO,
but unfortunately that
doesn't seem very likely now.
(gentle music)
- Must have been
a very rough last 24 hours.
(gentle music)
- When I saw the hack, I was
first, of course shocked.
I have no idea how we
can fix the situation,
and I lay on the ground
taking a deep breath.
And I did pray to God,
and know that he can
help me through this.
In that moment, I really
did not see the exit.
But I've God at my side,
ask my wife,
I owe it to them,
to at least give
everything I can
to fix whatever I can fix,
and after I've done
everything I can,
then I, at least,
know it's over.
(gentle music)
- After the
initial feeling of shock,
so I just thought, okay,
what can we do,
in order to fix this?
- Griff was actually excited.
He wasn't happy about it.
He's just always a happy
person, but it was like, action.
(upbeat music)
- I was enthused.
I mean it was a tragic thing,
but like there was
so much to do.
I was energised by the
opportunity to
really take action.
Even though it was horrible,
it was one of the best
times of my life actually.
Once the hack stopped, I mean
first off that was scary.
We didn't know when it
was gonna start up again,
or if it would.
We know that 70% of the
money that's left in the DAO,
over a hundred million
dollars, is still at risk.
We have to figure out how to
save it, how to get it out.
Then the urgency started.
'cause then it was like, well
we can maybe do something.
If he got something out, the
rest of it is still there.
Let's try to figure
out how he did it.
- It was all action.
I honestly don't know
what I was feeling.
It was just movement.
I couldn't think outside of,
what are we doing right now?
(upbeat music)
Lefteris, he was instantly
focused on
how do we actually
recreate the hack?
Can we recreate it, so we can
rescue the rest of the funds?
- You need to be able to
replicate what the attacker did.
I had to be completely alone.
I just had to sort
everything out,
focus on the code,
and figure out if there
is anything that we can do
in order to save whatever
remains inside of the DAO.
- Lefteris, lemme just say,
incredible, incredible work,
yesterday and today, just
coming up with attacks.
I don't think he left his
computer for 20 hours straight,
just attacking, the dedication.
But we were able to
recreate the attack,
and figure out what happened.
(tense music)
(keyboard clacking)
- I managed to replicate the
attack within a few hours.
That meant that anybody else
could do exactly what I did,
and do a copycat attack
on the DAO at any moment,
and drain the rest of the funds.
- There is a bug,
and anyone in the
world could repeat
what the DAO hacker just did.
Luckily, we were able to
be one of the first
people to recreate it.
- And then immediately,
was the question
what do we do with it?
Like, should we attack
the DAO in the same way?
Just imagine, you're seeing
a hundred million dollars
laying in front of you.
You know it belongs
to someone else,
but everybody can take it.
If you are honest, you
should think to yourself:
I can take it and
give it to the police,
and they can try
to find the owner.
If I don't do it,
someone else might do it.
So, this was the
weird situation.
(tense music)
- What if we start
attacking the DAO?
Is that okay?
Is that legal?
(tense music)
- Slock.it wanted to stay
out of any such thing,
because there are a
lot of legal questions.
- So, then the so-called
Robin Hood Group formed,
they have all my support,
but we could also not
do it as a company,
and that's where now
Griff came into play.
- It's kinda like black ops,
you know?
We weren't stealing
from the rich
and giving to the poor.
We were stealing from this
vulnerable smart contract,
and making sure
that it would get back
to the DAO token holders.
But it's catchy, and we're
gonna steal a bunch of money,
and give it back to the people.
(tense music)
We had to bring in a rag-tag
group of hackers, right?
So, of course Lefteris
was there.
We also invited Fabian.
They actually had a
lawyer in my kindergarten,
and he told me like,
dangerous, you can't do this,
and this is like you
shouldn't do, la la la.
But there was no
other choice really,
because that money
could have been gone
within hours after that,
and luckily enough
there were other people
that thought the same,
but we were a very
small group of people.
(tense music)
- Are we the same as the
DAO hacker if we do this,
like, are we gonna go to jail,
even if we have the
intention of giving it back?
- Is it a crime?
We had so many questions,
and no one could actually
provide answers to them.
There was a lot of
pressure from the community
to do something.
- We have to figure out
how to protect the
rest of this money,
and make the best
outcome that we can.
(tense music)
Fabian, Lefteris, and I
were all getting together.
They started running drills,
and seeing how fast they
could hack test DAOs.
(tense music)
- We were repeating
the same attack,
over and over on
copies of the DAO,
trying to understand how can
we make it as fast as possible.
- You see all these
ones and zeros,
and numbers going
across the screen.
It literally looks like
the matrix, you know?
We're day and night working,
nonstop.
I have 37 different slack chats
that I need to answer tonight,
and I'm so sorry to everyone.
I don't sleep man, and
that's how we all are.
Lefteris has been analysing
this code for 48 hours straight.
I just, I mean I don't
know if he slept at all.
(tense music)
- There was a second
attack happening.
If we don't do something,
they will take all the
money out of the pot,
and we have to act very quickly.
- We were afraid,
and by we meaning me,
because I had to
push the button.
The moment that
we decided that okay,
it's time to do it, I
just pressed the button.
(upbeat music)
- First one person
started, then we started,
then seven, eight other
DAO hackers
started attacking the
DAO all at the same time.
(upbeat music)
And when those other
attacks started happening,
we knew what to do, 'cause we
were already trained up on it.
- This was a race.
There were more
copycats coming up,
and they were attacking
the DAO, and draining it.
We had to drain the DAO faster,
and save as much of
the funds as we could.
(upbeat music)
- We started with just like
a hundred thousand dollars,
that we would take out
in every transaction.
And when we didn't
see any issues,
we upped it to 300,000,
and then we upped
it to a million dollars.
So, our second
hack was pretty quick.
(upbeat music)
It was a war room, you know,
and they call it war
room for a reason.
It is chaos, it is brutal.
There's no time to eat,
there's no time to go to the
bathroom, you just have to go.
We were able to take
around $95 million,
but there was still a lot of
other hackers going at it.
One of 'em got
around $3 million,
and then there were
a lot of smaller ones.
There were actually
a lot of people
trying to hack the DAO in
that moment, that got nothing.
- By the end, once it was
over, we were really happy,
and immediately
we were wondering,
okay, now what do we do?
- It was a very intense moment.
I was happy that it
was over. (laughs)
(soundtrack boom)
- I decided to not speak
about it in public.
(ominous music)
I was really afraid of
any repercussions.
I didn't want anything bad to
happen to me or to my family.
- There is
absolutely a fear that,
oh my god, we have control
of a hundred million dollars.
The easiest hack,
doesn't have to do with
smart contracts at all.
It's called the wrench attack.
When someone comes to
your house with a wrench,
and says, "gimme all your
money", right?
(ominous music)
Actually, everyone made
us out to be heroes.
So like, oh thank god the
Robin Hood Group did it.
Everyone trusted us,
and felt confident that
we are the good guys,
and then we started
doing the accounting,
and figuring out how to
give everyone's money back.
(tense music)
- I had been learning
about hacking
since I was eight or nine.
Just the fact that I
didn't care enough,
to even do the slightest
review on this code
prior to pitching this to
my friends actually hurt me.
So, I was gonna start
hacking stuff myself.
I started looking into
all the other projects,
and I started trying to break
them before anyone else did.
Hacking is not inherently bad.
To me, hacking is very
much like lock picking.
The thing that I get from it
is more, like solving a puzzle.
Sometimes it's used
with nefarious intents,
sometimes it's not.
That's the distinction
between a black hat,
and a white hat hacker.
Black hat hackers in the crypto
space actually steal money,
versus a white hat hacker,
which is someone that
has good intentions,
to save funds from being stolen.
You're trying to exploit it,
before someone else does.
(tense music)
- I got fully into
looking at Ethereum.
At the time, the DAO hack
was a year and a half old.
There were still plenty of
discussions that were happening
about the code is law
aspect in an attack.
The DAO was
the first of its kind,
and it ended in a disaster.
But people were
still interested in
decentralised organisations.
They wanted to
participate in them,
they wanted to create them.
That wasn't affected
by what had happened.
- And one of the major trends
that we started seeing was
DeFi, decentralised finance.
Picking up the
financial instruments
that we could
find in Wall Street,
and making versions
to be put on top of Ethereum.
What we're changing with DeFi,
is that,
we don't need to
trust a third party.
You are not trusting humans.
It doesn't stop on weekends,
and it's all code.
It's all smart contracts
that live on Ethereum.
So, DeFi has become really big,
and with it, Ethereum.
(upbeat music)
We now have protocols that
are at 10 figure mark,
billions of dollars being
deposited into them.
- But the term protocols is
used in decentralised finance.
Protocol or set of rules,
for say, swapping assets
or borrowing and lending,
which isn't going to be
controlled by a company.
(upbeat music)
For the average Joe, they've
got some crypto assets,
which, up until decentralised
finance are effectively idle.
When DeFi comes along,
suddenly you can put
these assets to work.
- I was just reaching
out to projects,
to help them figure out
if they could have
any vulnerabilities.
Me, and a couple more people
started offering these services.
We started charging for them,
and we've secured funds in the
order of dozens of billions.
Black hat hackers
have been innovating.
So, black hats have more and
more tools at their disposal,
and the white hat
hackers do the same,
to actually stop the
attacks in their tracks.
(tense music)
- I started speaking
to Dillon Kellar,
who was the founder,
and author of the
Indexed Finance Protocol.
- The idea was to give
people a way to invest
in the cryptocurrency
space as a whole,
rather than specific assets.
In traditional finance,
people invest in index funds
because it's a more stable way
to get exposure to the
economy as a whole,
without having to invest
in particular assets.
Where the S&P 500 tracks
some of the top 500 assets
in the stock market,
Indexed Finance was
supposed to track,
some of the top
performing assets
in the cryptocurrency space.
(brooding music)
- Smart contracts underpin
the Indexed Finance protocol.
They perform the tasks
that humans would
be expected to do,
in order to keep
these things running.
I'd spent a bunch of
time working in banking,
and I agreed to help out
with explaining stuff.
- It's really rare to
have somebody show up
in your community like that,
and be so interested
in your protocol,
that they're willing
to just help you.
I asked him if he
would quit his job,
and work on the project.
He had a stable job,
and a wife, and a house that
he had to pay a mortgage on.
- It's weird to say that,
working on something that
replicates an index fund
is an exciting thing
to do, right?
But it was, to me,
that eventually I turned
around and said, tag me in.
Before the Indexed Finance
Protocol went live,
there were security audits.
To hunt out vulnerabilities,
the code was presented
to two security researchers,
who have a reputation
in the field.
One of them is Daniel Luca.
(gentle music)
- I was one of the people
that audited the code,
before it was impossible
to change the rules.
I spent two weeks
checking out the code,
spending time with Dillon,
trying to understand if it
can be exploited in any way.
(tense music)
I'm the last person
that checks the code
before people start adding
tens of millions
of dollars in it.
(tense music)
You should always be afraid.
(tense music)
We did discuss a critical
part of the code.
We weren't initially
super sure that it's safe.
There are some parts in code
that if that goes wrong,
if it doesn't work well,
the system is manipulated,
and the whole thing explodes.
(tense music)
I check the same 10 lines
of code for two, three days,
'cause it seemed like
maybe something was there.
Dillon said that he thought
about it quite a lot,
and he thinks everything's fine,
and I agreed to it.
(tense music)
- I'm super happy
to have Dillon on the podcast,
as it's currently
one of the fastest rising
projects in the DeFi space.
- Then about an hour,
I think like $30,000
had been deposited.
Suddenly, my heart
just started racing,
so, I was so,
I was like, oh man, what if-
What if I messed something
up in the contracts?
I got it audited, but you
know, I really need to be sure,
so-
'Cause I hadn't launched
anything previously
that had actually held any
significant amount of money.
(tense music)
- When people started
depositing money,
I suddenly got
really worried about,
how well I had written the code.
I went back and
looked at all of the code,
trying to reassess it,
but as it kept growing, it
turned more into excitement.
(bright music)
It went from being like a few
tens of thousands of dollars,
to pretty quickly,
getting into the millions.
(bright music)
- The assets belonged to
thousands of individual people.
The average value across
those wallets was, $2500.
- At its peak,
it had about $70
million in the protocol,
and that felt good.
It's also scary.
- The worm appears in your mind,
like this is a lot of money.
(bright music)
I think I was just doing
what anyone does
around 7:00 PM in
the UK in October.
(bright music)
We'd gone out and
picked up a takeaway.
We'd sat down,
we'd put stuff on a plate.
The dog was sitting next to us,
(bright music)
and my phone completely
detonated next to me.
(bright music)
(phone buzzing)
They were messages,
just question marks,
and links to transactions,
and it's just, what is this?
(music impact)
It's dawning on me, within
three or four seconds.
Something has just
gone drastically wrong.
(phone buzzing)
All that I was looking at,
at that moment was,
an attack that,
was resulting in 12 and a
half million dollars gone.
(phone buzzing)
I felt blind panic.
(tense music)
I stood up like a shot.
I had food on my lap
just crash to the floor,
(plate smashing)
broke the plate.
It's terror heroin.
(phone buzzing)
(phone buzzing)
(tense music)
This gut wrenching,
sickening feeling.
(dog eating)
I was maybe three
steps out of my chair,
and I was making
a call to Dillon.
(ominous music)
Couple of rings,
5, 6, 7 interminable rings.
(ominous music)
- It was around noon,
and I was just hanging
out in my living room.
(ominous music)
I had recently gotten
a bit of an interest
in playing around
with electronics,
trying to take apart a
DVD player to take
a laser out of it.
(ominous music)
I didn't have my phone with me.
Eventually I heard
the phone ringing,
so I went into my room.
(ominous music)
(phone buzzing)
And, I saw Laurence
was calling me.
(tense music)
(phone buzzing)
We didn't usually
have phone calls and
mostly talked over text so,
when I saw that he was calling,
it's kind of immediate panic.
(tense music)
- He finally picks up, but
at that point, you know,
my voice is already
breaking over the phone.
Indexed has been attacked.
Those were the only
words that we shared.
(tense music)
- It was 10:00 PM,
I was scrolling through Twitter,
and I saw a tweet
that something happened
to Indexed Finance.
I messaged Dillon right away.
(tense music)
- The discord server,
where everyone was conversing
had just completely detonated.
(tense music)
Everyone, question marks,
links, what is going on?
What's happening?
(tense music)
I had said, no,
the assets are not safe.
The reaction from everyone was,
the fury, and anger,
and disappointment
that you would expect.
(tense music)
This is actually
quite hard to re-live.
I was receiving death
threats, nearly immediately,
and at a pretty heavy rate.
(tense music)
I spent hours just shaking,
while trying to at the same
time, work on a response.
We started forming
what we call the Indexed
Finance war room.
(tense music)
(keys clinging)
- I was trying to just
suppress the immediate panic
that I was feeling.
Daniel and I were
trying to understand,
exactly how the
attack had happened.
(tense music)
- This was the...
single hack that happened
to something I audited,
but it's not the right time to
start doubting yourself then.
I spent about four hours
from 10:00 PM to 2:00 AM,
going through everything.
It was not a normal hack.
(tense music)
- Just trying to load the
transaction on my browser
caused my computer to freeze,
because there were
thousands of transactions.
(tense music)
(software clinging)
- There was a lot of
frustration in the war room.
Also the lack of sleep
after a few hours,
but there's a lot of adrenaline
that keeps you going till we
had some kind of breakthrough.
(tense music)
- This attack involved
buying huge amounts
of a particular asset,
way over what would be
economically sensible.
(tense music)
The way that the
attack was executed,
introduced a price glitch.
The protocol is assuming that,
people that are
interacting with it,
are going to be rational.
If you flood the contract
with these irrational actions,
the whole thing's just
thrown completely into chaos.
(tense music)
- I already had looked into
this particular
aspect of the code,
and I had failed to
identify the
vulnerability there.
(tense music)
I should have caught this.
(tense music)
He was able to steal
about $16 million.
(tense music)
- So, theft from all
of the users
that have deposited
assets into this protocol,
these assets are now gone.
They were now sitting in a
wallet controlled
by an attacker.
(tense music)
- I was the only person who
wrote the smart contracts
and so, it's on me to
get that right.
(atmospheric music)
I didn't want Laurence or
anyone else to be blamed for it.
I posted on Twitter saying,
"I have to personally take
responsibility for this one.
I fucked up.
I'm extremely sorry to everyone
who lost money because of a
mistake I made 363 days ago.
I haven't thought
of this function
more than a handful of
times this entire year,
and now people have lost about
$16 million because of it."
(rising music)
(tense music)
- People tend to contact me
when there is a
big hack happening,
because of the experience
that I have had dealing with
the DAO and the aftermath.
(tense music)
So, since Laurence
was a friend of mine,
we ended up in a war room
together in order to,
try and figure out
what is happening
and how we can probably help.
(tense music)
It felt quite personal to me.
(tense music)
It became obvious quite early
that the hacker was smart,
but didn't know how
to cover their tracks.
- The attack itself told us
a couple of things about
who we were working with.
As a piece of engineering, it
was incredibly well-crafted.
(tense music)
The other thing it told us,
was the attack address
had been constructed
in such a way,
as to include a hate symbol.
(tense music)
- And then looking at the
smart contract that he used
to actually perform the attack,
there was the N word just
sprinkled all throughout it.
(tense music)
- I think at that point
we worked out that,
they weren't to
be reasoned with.
(tense music)
It was about seven
in the morning.
I finally, you know, crawled
up the stairs into my bed,
and I put my head
down on the pillow.
And I realised at that point
that there was one person
that I hadn't heard from,
and it was someone that I'd
actually been speaking to,
in some depth for the
last couple of weeks.
(tense music)
I did this, I just went...
that motherfucker!
I was like,
he hasn't said anything.
I've heard people from things
that I hadn't
spoken to in two years.
Where the fuck
is Umbral Upsilon?
And I opened up to the
conversation tab with this guy,
username Umbral Upsilon.
(tense music)
(phone clings)
And all of the chat had
been deleted from his side,
and I was like, immediately up.
I was just like,
fuck this right? (laughs)
Back to my machine.
(tense music)
Just in a rage, like an
absolute second wind,
I'm sitting there going,
right, you,
I'm finding everything
about you now.
(tense music)
So, this collaborator
had been speaking to
both Dillon and myself
for the last couple of weeks.
(tense music)
- He was trying to make
a bot for the protocol,
to automate certain actions.
We were actually pretty
excited about that,
because having a
developer show interest
in what you're working on, and
offer to help is pretty rare.
- A couple of days
prior to the attack,
he had been paid 2000 US
dollars as a half upfront,
for producing this code,
and conversation
ceased at that point.
The assumption was that,
he was, just going off and
finishing writing his code.
Normally, you consider the idea
of someone who's
performing an attack
as just being a
faceless adversary.
(tense music)
I think the moment
that I realised
that his side of the
conversation was gone,
in my guts, I knew.
It's you, how do I prove it?
(tense music)
I started just talking to
people, asking questions,
and shortly thereafter
I received a message
from a white hat,
saying there's an address
that's tied to this account,
a Twitter user with
the handle ZetaZeroes.
(ominous music)
This is our first
point of contact,
that's demonstrably
connected to the attack.
I didn't think through,
really what it was
that I'd sent him,
because I was exhausted.
(ominous music)
I just wanted to
appeal to him to say,
you know, well done, there
should be a bounty for this,
but it should not be the entire
amount that you've stolen,
these are not Indexed
Finance's funds to give,
they belong to the user.
- We told him if
he took 10%
and sent the rest back,
we, the team aren't gonna
come after you any further.
He would've made $1.6 million.
(ominous music)
He did not take that offer.
- Over the next day or so, we
started digging a lot harder,
and we started
gathering a lot more clues,
as to the identity
of our attacker.
We updated the
terms of the bounty.
(ominous music)
You have until 5:00 PM
tomorrow to return funds,
or we will involve
law enforcement.
(ominous music)
Shortly after we
posted these updates,
the ZetaZeroes' Twitter
account became active.
What followed was a storm
of about a dozen tweets,
that were completely indignant.
You have been out-traded,
I have outmanoeuvred
you at every turn.
This is a skill issue,
tough luck.
A rephrasing of code is law.
If the code permitted
it, I'm allowed to do it,
and laws be damned.
(tense music)
- When he quoted
the code is law idea,
and tried to garner
support about this,
just like back with the DAO,
there were people
who supported the idea.
(tense music)
- People lionising him,
and cheering him on for what
he'd done, calling him a king.
(soundtrack boom)
- I personally felt the echoes
of the DAO calling back,
and as if a ghost that we beat,
like put in an ancient tomb,
and put it there in order
for it to stay hidden,
suddenly had come
up with a vengeance.
(atmospheric music)
- Code is law is
essentially saying,
that laws shouldn't exist,
but you have to
have consequences
for people hacking projects.
You're never gonna have
software that's perfect.
You can't have something
that's separated from society,
where there are no laws, and,
where any action is permissible.
- Normally, when DeFi
hacks happen,
the attacker effectively
disappears into the void.
Between our own
investigative work,
and the help of others
that were chipping in
with things that they knew,
we had started noticing
a bunch of pieces.
We had lots of threads
to start pulling at,
to find an identity.
The thinking here was,
pulling up threads and
the attacker will realise
that the game is up,
and be coerced
into returning funds.
(tense music)
I was looking for
this conversation
with Umbral Upsilon, the guy
who I had been speaking to,
and I noticed that there's
been a name change.
The user is now
known as Bogholder.
(tense music)
- Someone saw
the name Bogholder,
and recognised this person,
and they are associated
with a different username.
That username was mtheorylord.
We just searched
for the username,
and looked for profiles
on different websites
and we found one on Wikipedia,
that had posted
some small changes
to various Wikipedia pages.
And one of those was to
a competition called,
"Reach for the Top".
It was a Canadian trivia show
for high-school students.
(tense music)
The nature of this edit
that had been made,
was that, "Reach for the Top"
has a section called
Notable alumni.
It includes names
like Stephen Harper,
previous Prime
Minister of Canada.
And the edit that user
mtheorylord had made,
five years prior to this,
was a name.
Andean Medjedovic.
Next to his name was the
two word descriptor,
notable mathematician.
- I think it showed that
this person was
hilariously arrogant
and full of themselves,
to go and edit a
Wikipedia article
to call themselves a
notable mathematician.
So, at this point we started
getting pretty excited.
- I was like, I fucking
nailed him to a wall. (laughs)
I genuinely at that point,
like I ran around the park,
because I was like,
yeah fuck yeah! (laughs)
(tweet clings)
I posted a tweet,
"Are Canadian prisons any good?"
(tweet pings)
This was meant
as a message that,
we knew where he was.
We searched the name
Andean Medjedovic,
we saw a search
result on Google,
for, what was pretty
clearly a personal website.
It was down, but Google
archives most websites,
you can still look
at the website,
and see what was
on it before.
- It had an email
address for him,
and importantly at the bottom
it included a sentence,
that said that he'd also... was
interested in cryptocurrency,
and other decentralised
technologies.
Pro, one of the co-founders
of Indexed Finance
sent an email to this address,
saying, "You have been caught,
the game is up,
but I will offer you
50,000 US dollars,
in order to return the tokens."
The response that Pro
received was a line that said,
sounds like a plan,
send it to this address,
the address that we had
originally paid $2,000 for work,
performed on the arbitrage bot.
This connected Andean
Medjedovic to Umbral Upsilon.
(slow dramatic music)
- Now we had a direct link.
I couldn't really believe
that he had done that.
- It's surprising he
made a blunder like this.
Careless, sloppy, stupid.
(ominous music)
At this point I am euphoric.
This does not happen in
cryptocurrency hack cases.
It felt deeply
personal at this point.
He's holding the
assets that he's stolen,
but we are holding
his full identity.
At this point, I feel like
surely he's gonna give up.
I mean, we know who he is.
We told him the
offer is expired,
and the attacker who, at
that point, we had not named,
had until midnight to return
100%, all of the funds
that he had taken,
or else we were going to
publish that information,
and reach out to
law enforcement.
(ominous music)
- At this point we are thinking
that the attacker is a highly
educated mathematician,
you know, mid-twenties,
intelligent.
Sloppy, but intelligent.
The math work was impressive
that we found on his website.
It sounds very impressive
to be the kind of guy
who can do blindfolded chess,
but we'd found him,
and the thinking
was at this point
that he would've just crumbled.
- This wasn't gonna be
nearly as bad as we thought.
We'd be able to give
everyone their money back.
(suspenseful music)
- The response came quickly
from the ZetaZeroes account.
- He reacted by complaining
that we were doxxing teenagers.
Doxxing is when,
you publicly expose
someone's information.
- We thought,
this isn't a teenager,
there's no way
this is a teenager.
And I think a seed of doubt
had started to
appear at that point,
that, wait,
have we got this wrong?
(tense music)
With a couple of hours to go
before that deadline passed,
we received a message that
said, the website's back up.
There was a link to a CV.
We opened it up,
and we are looking
at a date of birth,
that makes this
kid 18 years old.
(dramatic music)
He was significantly
younger than we thought.
- On one hand I thought,
even if he's 18, he is
still very intelligent,
and he is doing hacks on
protocols for
millions of dollars,
and he's responsible
for his actions.
But, on the other hand, it
also means that he's a kid.
I wanted to give him
another opportunity
to get out of this, without
destroying his life.
(tense music)
I sent him a text message
to his phone number
that was on his resume.
(atmospheric music)
(messages clinging)
- The message that
was received was,
effectively a series
of laughing emojis,
and the words, good luck.
- Just seeing that
he was laughing at,
the attempt to
get him to back off.
- We were clearly
dealing with someone
who was not willing to
negotiate or return things,
and so the options
that we had left,
armed with an identity, was to
take it to the legal system.
(message clinging)
At the same time that we
were thinking about this,
Andean was clearly
thinking the same thing.
There was one final rage
post that came from him,
that said that he was willing
to defend himself to the death
on this point of code is law,
and that he was
looking to assemble
the most elite team of crypto
lawyers to defend this.
- We spoke to our
attorney Jason Gottlieb.
(atmospheric music)
Jason emailed Andean, imploring
him to give the money back.
- A week later he
received a response email
from another attorney,
(message clinging)
(atmospheric music)
who had referred to Mr.
Medjedovic as his client.
- His lawyer replied,
essentially saying that
that wasn't gonna happen.
- Over the course of the
next couple of weeks,
we set about filing
a case in Canada.
It would be one of the first
pieces of settled case law,
that finally established once
and for all, code is not law.
Just because there was a
method for someone to walk in,
and take everything does
not necessarily mean
that was okay to do.
(tense music)
The case after it was
filed was assigned
to a Canadian judge,
Judge Justice Fred Myers.
What we needed to
do was to get the assets
that had been stolen into the
custody of a neutral party.
- That's difficult in this case,
'cause unlike in
a normal lawsuit,
you can't just order a
bank to freeze the assets.
You need the
consent of the person
who has the assets already.
- Medjedovic did turn up to
a hearing with the judge.
(tense music)
He did not turn the camera on.
He did not speak.
But he was told by the judge
that if he did not
participate in the process,
that he would be
held in contempt of court.
(tense music)
One of the things that I
found I think most upsetting...
Oh, I dunno where
this came from.
I think one of the things
I found most upsetting was,
looking at this guy's history,
and his research interests,
and the work that he'd done,
was the similarities
between the two of us.
I was also a pure mathematician
at an undergraduate level,
and the kind of stuff that
he'd been doing research on
was the same kind of stuff
that really tickled me when
I was an undergraduate.
We both started doing
Ethereum development.
We share a middle name.
It's weird to call
someone an adversary,
but I think that's
probably quite close
to what I'd call him.
(gentle music)
The things that we know
about him educationally,
are very impressive.
- We found an article
that was about him
when he was 13,
saying that he was about
to graduate high school.
He graduated high
school really early.
He finished his master's
shortly after that.
He was just very
advanced for his age.
(relaxed music)
- It wasn't the biggest hack.
There were bigger DeFi hacks,
but it was the DeFi hack where
we actually caught the guy,
and he tried to
invoke code is law.
The code is law proponents
had finally found someone
who would take on the flag
and try to fight their fight,
because, up until that point
it was mostly theoretical.
But now they had an actual
human who was identified,
and was trying to use their idea
as a legal defence in court.
- He was issued with a
warrant for his arrest.
This could be
potentially the first time
that a DeFi hacker is taken
into the court of law,
to test whether code is
law, or whether law is law.
(relaxed music)
- Justice Myers said that,
what Andean was doing was,
asserting a difference
between the law as it stands,
and his view of the
world, that code is law.
- The court appointed people
to go to his parents' house
and look for any computers
that he might've
used in the attack,
to try to seize the assets.
- He had left the premises
and he had taken all of
his devices with him,
which effectively meant
that there was no option
to recover the assets.
But it also suggested
to us for the first time
that Andean is on the run.
We do not know where he is.
We cannot move forward.
He is in the wind, somewhere.
The protocol pretty
quickly crashed,
and,
the project was dead.
(relaxed music)
- It's an upsetting end
to a saga that's peaked
when we identified him.
Believed that this was it,
this was where we fully
established that
code is not law,
and once you're identified,
that's it.
- People are getting more scared
of the consequences
that code is law... has.
(tense music)
- The DAO hack eight years ago,
is like the real,
first origin of this.
The code creates the
rules and that's the law.
- DeFi projects
hold billions of dollars.
People lose money in
the tens of millions,
sometimes hundreds of millions.
- This was a
multi-million dollar exploit.
- Days later,
perhaps a week,
the next thing will be
attacked, and the wheel turns.
- The size of
the rewards are insane.
We did become
desensitised over time.
- Today the biggest
hack on DeFi yet,
$600 million in assets stolen.
- DeFi hackers see it as,
they have done nothing wrong.
Code is law.
- So, the black
hat hackers are super villains
in this whole story.
(dramatic music)
- We've had yet another
turbulent week
in the DeFi space,
with four projects being hacked
or exploited on the same day.
Let's dive in.
- There are two
types of DeFi protocols,
ones that have been hacked,
and ones that are
going to be hacked.
- You can't stay
ahead of the hackers.
They're always going
to be smarter than you.
They're always gonna
spot vulnerabilities
faster than you can.
- It's this ever
present phantom of attacks.
- We can never
actually be truly safe.
- Yeah, we need to put
in more and more energy,
just to stay alive.
- The hacker
can just say that,
they used the system
as it was created.
- The court argued
that the hackers
were not guilty of
receiving stolen goods,
because they interacted
with openly available
smart contracts,
according to how
the code was written.
- Usually no
way to convince them
to give the money back.
(dramatic music)
- So, my name is Ogle.
It's a pseudonym I go by online.
I'm essentially like a
white hat recovery expert,
for people who've
had their money stolen.
When a protocol has been
stolen from, they call me in,
to try and as a team work
to get that money back.
I can say that I've
meaningfully contributed
to recovering $450 million
in the past year and a half.
My dad was a career criminal,
and he was in and out of
prison for most of my life,
and my background was one
that was surrounded by crime
and I didn't like that,
and so I feel like I'm righting
a wrong in some ways.
(atmospheric music)
I love to fight, like a lot.
I like to like test
strength of mind,
strength of arms,
whatever it is.
(hands scraping)
Whenever you're
doing any kind of
white hat hacking or recovery,
you're really battling some of
the smartest people out there
and, you get to see
who's better.
(bright music)
DeFi protocols,
it seems to me, are hacked
virtually every day.
The way that people
thought about it was,
oh, I got stolen from,
move on to the next.
And I thought to myself,
does it have to be that way?
Maybe there's an opportunity
to bust these guys.
If you are able to
identify who someone is,
there's pressure
you can put on them.
For lack of a better phrase,
you're manipulating people.
You're white hat hacking people.
Once that started to work,
I would just be thrown into
rooms every two or three days.
Hey, can you please help us?
We have an attacker, we
think we know where he is at,
but we don't know
how to talk to him,
we don't know how
to get the money back,
can you help us with this part?
We kept having successes.
The Curve Finance hack,
which was actually
four hacks in one,
which was almost $70 million,
and a lot of other ones
between the 25, 30,
$35 million range.
The largest single hack
that I've been
called in to help with,
was the Euler Finance hack.
They were hacked by someone
who was able to steal,
almost $200 million
of their assets.
You know,
not like the biggest hack
that's ever occurred in
crypto, but it's up there.
Top 10 or so.
We had enough information
that we could write a message
that would cue it in
the attacker's head,
oh wait,
they might know who I am.
He felt like he bit off way
more than he could chew.
There wasn't a lot of sleeping,
there was a lot of worrying.
There was a lot of running.
After a lot of communications
with the attacker,
they returned all of the
money to Euler Finance.
This was definitely an
historic return of money.
The way that I try to
approach these situations,
is in the spirit of the crypto
space being decentralised.
I say, hey Mr. Hacker,
give all this money back
and you're gonna be clean.
You can walk away.
You can still brush your
teeth in the morning,
in your privacy of your
own home, no jail time.
No one likes the
government coming in
and dealing with things
in crypto generally.
(haunting music)
Code is law does make sense.
I mean, I get it.
The argument from
the point of view
of people who don't like
code is law is saying,
look, the spirit of the
code was not followed,
but the argument from the other
side is saying, maybe not,
but the letter of the code was,
'cause otherwise
I couldn't do it.
I actually think
it's a fair argument.
If you leave a
hundred dollar bill
on a table and you walk away,
you also shouldn't be
surprised if someone steals it.
The fact that you screwed up
by leaving it there
is your problem.
- You might imagine
that a white hat
is somebody who is going
to find the black hat,
and then immediately
ring the police.
Decentralised finance,
it has a wild west aspect to it.
You can imagine you've
got a frontier town,
and the black hats and the
white hats are the outlaws
that are living on
the edge of the town.
They're frontier people.
They see themselves as a
little bit outside of the law,
and their values are
rooted in decentralisation.
So, they hate the sheriff more,
than they hate each other.
(haunting music)
- The goal is not to
get them arrested.
The goal is not
to ruin their lives.
The goal is to get
the money back.
When you're going
after an attacker
and they don't believe
you know who they are,
there's a lot of grandiosity,
and they're like, screw you,
whatever, you can't do
anything to me.
Or whenever you
tell them their name,
it's like a switch
flips immediately,
and it happens every time.
Well, not every time.
(haunting music)
I was not involved
in the recovery
for the Indexed Finance case,
but I watched it from afar.
It's just very atypical.
Even the strongest of people,
you have fear inside of
them that you can awaken,
or you're just a psychopath,
and so you simply
don't feel the fear
because you get off on the fact
that people are chasing you.
You get off on the fact that
people know who you are,
and they can't get you.
It becomes catch me if you can.
So, someone like Medjedovic,
this is a person
who's going to fight this
if they were to be caught.
You want to come to it prepared
if you're a prosecutor.
(haunting music fades)
(gentle atmospheric music)
- It's been a year and a half,
since we last heard
anything about Medjedovic.
The court case
is still inactive.
There are other known attackers
that have been utilising
the code is law defence.
One of them is
Avraham Eisenberg.
(brooding music)
- Avraham Eisenberg strikes
me as the person who
to the fullest believes
that code is law.
In the case of Mango Markets,
Avi was able to
do what he called
a highly profitable
trading strategy,
otherwise known as an exploit,
and was able to steal,
or take, or,
legally remove, in his case
is what he considers it to be,
$110 million.
- Sometimes the code does
exactly what was intended.
It's just what was intended
isn't what anyone wanted.
Some selection of people
just don't like seeing
other people make money,
is what it is.
- It just always comes back
to this code is law thing,
and the vast majority of
people get away with it,
and most people aren't even
that mad about it in crypto.
(brooding music)
- He put on his Twitter,
"What are they gonna do,
arrest me?"
I routinely deal with
law enforcement.
I remember hearing
from a couple of agents
who read that as a challenge.
He was surprise arrested
down in Puerto Rico,
getting off of an aeroplane.
- These accusations,
if he is proven guilty
in the court of law, do carry
potential for prison time.
The deposition quoted
Eisenberg's own Twitter account,
in explaining how the
FBI tracked down his role
in this particular crime.
- Avraham Eisenberg represents
the first major case,
that US law enforcement
agencies see
as an opportunity
to set precedent.
Their eyes are
on the bigger fish.
They're looking
for their Andeans,
they're looking
for their Avrahams.
(atmospheric music)
(post beeps)
- So, I just found out
that KyberSwap was hacked,
for,
48 million.
Someone sent, roughly $2 million
to one of the addresses
that was under the control
of the Indexed hack, hacker.
(atmospheric music)
- It would appear that
this is a move designed to
broadcast that
he's active again,
and he's just done
something else.
(atmospheric music)
Yeah, it looks like,
Andean Medjedovic is back.
- He was aware when he made
the transfer to that address,
that he's gonna create
this strong connection
between the two hacks.
(gentle music)
He did it for the attention,
for the spotlight.
If he's a good hacker, he
shouldn't get any attention.
That's what a good hacker is.
He is something else.
(post beeps)
(gentle music)
It does...
remind me that I made a mistake,
that bears heavily with me.
(gentle music)
I could have done better.
He kind of needs to play
this out as it is right now,
being the bad guy
and keep doing exploits.
That's his identity right now.
(gentle music)
And if Indexed wasn't hacked,
at all,
his life would be different.
My life would be different.
(gentle music)
- A message was
sent to the Kyber team,
and it's been a couple
of days since then
and there hasn't been any word.
And that's a certain
type of arrogance.
- They seem
to love the attention,
he just likes the chaos,
and just wants to tease them,
while the world looks on.
Oh God damn,
That Kyber
hacker's got balls
God damn, God damn
- It's really frustrating to me,
because it makes you think
that nothing is safe and
this is the Wild West,
which is like the
total opposite of what
everybody that is
building in this field,
is trying to go for.
(gentle sombre music)
- He definitely
wasn't the smartest
when he left
clues the first time,
but now he's
embracing that persona.
(gentle sombre music)
- Someone on Twitter posted
the KyberSwap
protocol had been hacked,
and I just said, if you
guys need help, let me know,
and that was it.
I found myself with the
founders of KyberSwap,
and a couple of
security experts,
trying to help them with
what to say to the attacker.
It became really confusing.
It's like, what in the...
who are we dealing with here?
- This is probably
the strangest message
I've ever seen a hacker
send to a protocol.
- It is the wildest,
it is six out of six
on the unhinged scale.
- That's right.
(laughs)
- The Kyber hacker
went a step further,
and is actually
demanding to take control
and ownership over
the Kyber protocol
and the company itself,
which is definitely a first.
(gentle sombre music)
(post pings)
(tense music)
- The guy essentially said,
I'm gonna take over the company,
the executive team,
you're all gone.
I'm gonna take care
of all the workers.
He really thought this was
like a plausible response.
And even if the team did say,
okay, fair enough, you
can have the company,
that it wouldn't be
looked at as blackmail?
(tense music)
- This makes no sense.
This is not possible to
happen. Yet...
he plays this out
for his audience,
who are a lot of internet trolls
who would call him a hero,
and that code is law, is
what he's fighting for.
Nobody should be allowed to,
do so much harm
without any repercussions.
- It makes you wonder, are you
dealing with someone crazy?
They want to control everything,
and they feel like they
can control everything,
and they will not
ever be caught.
And maybe they won't,
maybe they won't, who knows?
But maybe they will.
(tense music)
- And I thought that,
the way that the next few years
would play out for my life
was legal wrangling,
going to court.
I thought that,
Medjedovic would
be in court first,
and that would
subsequently be precedent
for Eisenberg
to be put on trial.
And it looks like that's
actually flipping,
Medjedovic is probably
watching the Eisenberg case,
quite closely.
(ominous music)
- The outcome
of the Avi Eisenberg case
is gonna be very
important I believe.
- Alleged Mango Markets
exploiter Avraham Eisenberg
is working to negotiate bail
following his first New York
court hearing, Thursday.
- He's willing to put
a lot of resources
into defending himself to prove
his case that code is law.
If he does that,
this changes everything.
(tense music)
- We're beginning to see the end
of the code is law defence.
The naive belief that if
you argue code is law,
that this is somehow
going to save you
or rescue you from
the coming onslaught
of the United States government.
Andean should be scared.
He can't really
escape from the story.
(dramatic music)
- Every so often,
I'll get a message from
someone that I trust.
We believe he's in x
country at this point,
or he might be here,
he might be there.
I would bet that if he
finds something else
that has a vulnerability in it,
he is going to exploit
it for his own gain.
If you've done something twice,
and you haven't been caught,
what's to stop you
from doing it again?
(dramatic music)
If I ever have to look him
in the eyes in a courtroom,
and then watch
him be sentenced,
I don't know how I'd feel.
(dramatic music)
I felt morally obliged
to chase this down.
It also opens a really
weird Pandora's box.
The genesis of
the idea for crypto
was an independent
financial network,
but my take of it, is that,
that means moving
away from banks.
It doesn't mean moving
away from the ecosystems,
but as we start
sentencing people,
it does feel like
something's getting lost.
(dramatic music)
- I'd like for him to be caught,
for him to understand
that he can't just do
these things with impunity.
(dramatic music)
I want this industry
to be taken seriously.
We need to have a culture that
doesn't have so
many elements where,
people are trying to
say that... code is law.
- I don't want this precedent.
We wanted to create
a parallel system,
and if we are going back
to the justice system,
we kind of lose all of that.
Code is law, is a way
to express that
we're creating our
own justice system.
We have this
decentralised system
because we don't agree
with most of the laws
that already exist and
we wanna create our own.
If we go back and we accept,
a single,
or even a group of countries
that decide our fate,
we lose the initial values,
and ideas that made
us start everything.
(dramatic music fades)
(ominous music)
(gentle atmospheric music)