Andean Medjedovic, a 22-year-old Canadian, was responsible for stealing tens of millions of dollars' worth of cryptocurrency from two platforms in 2021 and 2023, according to U.S. prosecutors.
# Incident Report: $65 Million Crypto Platform Exploitation and Theft
## Executive Summary
A U.S. federal indictment charged Canadian national Andean Medjedovic with exploiting vulnerabilities in two Decentralized Finance (DeFi) platforms, KyberSwap and Indexed Finance, resulting in the theft of approximately $65 million between 2021 and 2023. The attacker used complex transactional manipulation to withdraw funds at artificial prices and then laundered the proceeds extensively; his attempt to launder further funds through an undercover agent ultimately led to his identification and indictment.
## Incident Details
- Discovery Date: Indictment unsealed on a Monday (exact date not specified; it followed the November 2023 theft and the February 2024 contact).
- Incident Date: October 2021 (Indexed Finance) and November 2023 (KyberSwap).
- Affected Organization: KyberSwap and Indexed Finance.
- Sector: Cryptocurrency/Decentralized Finance (DeFi).
- Geography: Perpetrator based in Canada; platforms targeted globally.
## Timeline of Events
### Initial Access
- Date/Time: October 2021 (Indexed Finance); November 2023 (KyberSwap).
- Vector: Exploitation of smart contract vulnerabilities/complex swap actions.
- Details: Medjedovic allegedly overwhelmed the platforms’ systems with manipulative trades funded by borrowing large sums of digital coins.
### Lateral Movement
- Details: Funds were laundered through several external cryptocurrency exchanges (allegedly using fake/stolen identities) and mixer services to obscure the origin of the stolen assets.
### Data Exfiltration/Impact
- Details: Total theft amounted to $16.5 million from Indexed Finance (Oct 2021) and $48.4 million from KyberSwap (Nov 2023). Victims’ investments in the protocols were rendered "essentially worthless."
### Detection & Response
- **Detection**: The perpetrator was detected after communicating with an undercover agent regarding laundering further stolen funds. The FBI, DHS, SEC, IRS, and international partners (Netherlands police) investigated.
- **Response Actions**: Medjedovic was charged via a five-count federal indictment. He allegedly attempted to extort KyberSwap post-attack.
## Attack Methodology
- Initial Access: Exploiting protocol vulnerabilities via complex, manipulative token swaps.
- Persistence: Laundering steps executed over time to obscure funds post-theft.
- Privilege Escalation: Not explicitly detailed; the manipulation suggests leveraging protocol design flaws to gain unauthorized control over funds.
- Defense Evasion: Utilizing mixer services and opening accounts with fake/stolen identities to hide the source of funds.
- Credential Access: No specific credential theft mentioned; primary access relied on exploiting DeFi logic flaws.
- Discovery: Attacker conducted planning, including researching flights out of Canada.
- Lateral Movement: Moving funds across multiple external exchanges and utilizing mixers for obfuscation.
- Collection: Identifying high-value targets (KyberSwap, Indexed Finance) and planning the timing of the attack several months in advance for KyberSwap.
- Exfiltration: Withdrawing investor funds at artificially inflated prices.
- Impact: Significant financial loss to the platforms and investors.
## Impact Assessment
- Financial: Approximately $65 million stolen ($16.5M + $48.4M). Costs related to criminal investigation and remediation are implied.
- Data Breach: No specific data breach mentioned, but financial assets were directly stolen.
- Operational: Disruption to the targeted DeFi protocols.
- Reputational: Significant negative impact on user trust in KyberSwap and Indexed Finance.
## Indicators of Compromise
- **Network indicators**: Attempts to interact with known cryptocurrency mixer services; communications with an alleged undercover money launderer (defanged contact).
- **File indicators**: Files found on the suspect's computer detailing travel plans and attack preparation.
- **Behavioral indicators**: Sending extortion/settlement demands to KyberSwap administrators after the attack; self-doxxing via communication with a friend ("accidentally doxxed myself").
## Response Actions
- **Containment**: Funds were traced across various exchanges and mixer services, leading to the identification of the suspect.
- **Eradication steps**: Legal action initiated via a federal indictment. The suspect allegedly paid an undercover officer to help bridge funds off blacklisted platforms.
- **Recovery actions**: Recovery status of the $65 million is not specified, but legal proceedings are underway.
## Lessons Learned
- DeFi protocols remain susceptible to sophisticated economic/transactional exploits, not just code bugs.
- Attacker communications and overconfidence (self-doxxing, talking to reporters) can serve as critical investigative leads.
- Cross-jurisdictional and multi-agency cooperation (FBI, SEC, IRS, Netherlands Police) is vital for tracing sophisticated crypto theft and laundering operations.
## Recommendations
- Implement continuous security audits focused not only on code vulnerabilities but also on economic attack surfaces (flash loans, governance mechanisms).
- Enhance monitoring for unusual borrowing patterns and large-scale token sales that deviate from standard protocol usage.
- Develop stronger internal procedures for handling extortion attempts, potentially involving law enforcement immediately.