A 22-year-old Canadian man, Andean Medjedovic, is facing federal charges in the U.S. for allegedly exploiting smart contract vulnerabilities in two decentralized finance (DeFi) protocols, KyberSwap and Indexed Finance, fraudulently obtaining around $65 million from investors between 2021 and 2023.
The indictment (PDF), unsealed in a New York federal court, accuses Medjedovic of taking advantage of the vulnerabilities and allegedly borrowing massive amounts of digital tokens, then using them to carry out “deceptive trades.”
These trades manipulated the smart contracts into incorrectly calculating key financial metrics. As a result, Medjedovic was able to withdraw millions of dollars in investor funds at inflated prices, effectively wiping out the value of their investments.
Prosecutors further accuse Medjedovic of attempting to cover his tracks through a sophisticated money laundering operation. He allegedly used various techniques, including swap transactions, “bridging transactions,” and a digital currency “mixer” to obscure the origin and ownership of the stolen funds. He is also accused of using fake and borrowed identities to open accounts on cryptocurrency exchanges.
According to the DoJ’s press release, following the KyberSwap exploit in November 2023, Medjedovic allegedly attempted to extort the victims. He proposed a bogus settlement, demanding complete control of the KyberSwap platform and its governing decentralized autonomous organization (DAO) in return for half of the stolen digital assets.
Medjedovic now faces a five-count indictment including wire fraud, unauthorized damage to a protected computer, attempted extortion, money laundering conspiracy, and money laundering. If found guilty on all counts, he could face up to 20 years in prison for each charge except the computer damage charge, which carries a maximum 10-year sentence.
The final sentence will be determined by a federal judge. The investigation involved multiple agencies including the IRS, Homeland Security Investigations, and the FBI, with international cooperation from authorities in the Netherlands.
This case shows the ongoing risks associated with DeFi platforms and the vulnerabilities that can be exploited by malicious actors. It also underlines the increasing focus of law enforcement on cryptocurrency-related crimes and their commitment to pursuing those who attempt to profit from these schemes.