Nearly $13M stolen from Abracadabra Finance in crypto heist
40 comments
·April 8, 2025rdtsc
pavel_lishin
Is immunity from prosecution something a private company can even offer?
They can certainly offer to not call the police, but if a serious crime were committed, the police don't need to have the victim cooperate.
rdtsc
> if a serious crime were committed, the police don't need to have the victim cooperate.
That's what I remember as well, but thought maybe it's different in different countries, or there is some other kind of cleverness behind the offer. Otherwise, it makes them look kind of silly.
glitchc
Depends on what serious means here. In financial/wire fraud, the police often need support from the victim to collect sufficient evidence. If the victim does not cooperate, the case could be dropped due to lack of evidence.
Murder is typically more serious.
toast0
The investigating agency could get subpoenas to compel the victim to provide evidence. But it's usually not done when the victim doesn't want to cooperate.
some_random
The police in general are so far behind on their ability to prosecute crypto/cyber crimes for so many reasons that in practice they would basically never be interested in prosecuting without victim cooperation. Not to mention that in theory this would retroactively make the crime totally definitely above board ethical hacking which is not a crime in any jurisdiction as far as I know.
wmf
Avi Eisenberg returned most of the money he manipulated from Mango Markets and he was still prosecuted and convicted.
metalman
ok lets lay this out, somebody claims that some big complicated numbers that they had and claimed to be valuable, got removed by somebody else, useing a lot more smaller less complicated numbers worth essentialy nothing, and now are seeking the help of someone else with presumably, slightly more, uncomplcated numbers to retrieve the big complicated numbers,from the whoever it is that has them now, in return for a smaller share of said large and complicated numbers.
some_random
It would give them immunity and more importantly make it far easier to liquidate the now totally legal and above board funds.
rdtsc
Hmm, maybe but it would have to be come from the prosecutor's office, of whatever country has the best chance of catching the hacker, and the hacker has to be believe it.
some_random
Nope, because it's not like a normal immunity deal it's the company retroactively granting "authorization for third party testing" which makes the hack no longer a crime.
janmo
Not surprised something like this happened, one of the persons behind Abracadabra had been outed as being Michael Patryn, Co-founder of QuadrigaCX.
https://www.reddit.com/r/CryptoCurrency/comments/sdsp0i/shoc...
some_random
Crypto being stolen from exchanges happens so often and in such large quantities that $13M seems like nothing, which doesn't seems like a good sign for the industry.
beeflet
Not your keys, not your coins. It is never a sound idea to leave a large amount of cryptocurrency on an exchange. I don't think this will fundamentally change from Mt. Gox
jandrese
One of the few upsides of Crypto is that it provides a constant reminder of why we have banking regulations. Anytime says regulations are onerous or slow down the process and are outdated you can point to our current day poorly regulated crypto markets and show them what it could be like instead.
pixelpoet
And on the flip side, crypto reminds us why governments and gold stockpiles might not be the most trustworthy stockpiles of wealth either: https://www.politico.eu/article/gold-germany-conservatives-s...
perdomon
I was hoping for more information about the nature of the attack. All I saw was that 'funds must be deposited before they can be withdrawn' and 'Tornado Cash' was used for the deposit.
Does anyone have more details about how (or if) Tornado Cash was involved/used in this attack?
danielvf
Tornado Cash was essentially irrelevant to the attack. Just a way the attacker worked to hide themselves.
The attack was able to happen as a result of two separate bugs.
First, a user was able to use something as collateral with a price that could be manipulated. This allowed them to make the collateral to instantly manipulated to appear worth less than the amount borrowed, allowing it to be liquidated.
The second bug was that they had code that should not allow a user to do a series of interaction with the contract that end in bad debt for the user, however since they were able to liquidate their own bad debt from inside the series of interactions, the liquidation cleared out the bad user debt, and moved it to bad protocol debt. This made it so the whole process was checked at the end of the transaction, the user debt looked fine.
Or I could be slightly wrong - it was an usually gnarly attack.
dealbreaker
Usually these hacks are always from insiders. Sometimes the entire team plans this months and years ahead.
danielvf
Maybe it's just semantics, but to me hacks and rug pulls are different things.
Team backdoors in code to steal funds tend to be obfuscated, and access to run them locked down. This is quite different than a hack that exploits "well intentioned" code. I think very few actual exploits are by the team - there's just much easier ways to steal funds than leaving a bug open in the world for a long period of time that anyone could find and use.
mdhb
Which one was it? A rug pull or the North Koreans?
belter
Those are the use cases for Crypto :-)
schlauerfox
I'm going to put this here in case I'm right someday: Chia Permuto.
belter
Just on time: "Justice Dept. Disbands Cryptocurrency Enforcement Unit" - https://www.nytimes.com/2025/04/08/us/politics/doj-disbands-...
insane_dreamer
At this point, it might be fair to say that anyone with significant crypto holdings who isn't storing them offline instead of in some third-party "vault", is an idiot.
aaroninsf
Filed under tHe FuTuRe Of FiNaNcE
mring33621
Completely unexpected!
knorker
At this point the "real cryptocurrency economy has never been tried" sound an awful lot like "real communism has never been tried".
beeflet
Does this constitute a "real economy"? Where are the goods and services being traded? It's all just speculation and worthless "web3" stuff like NFTs. It's not any more a real economy than the counter-strike skins economy or the baseball cards economy.
There was a "real crypto economy" back in the days of the silk road. So I would say that the real cryptocurrency economy has been tried, and it was doing alright until they got busted by the feds. But the reason we don't have a crypto economy today is that drug dealers got drowned out by the more popular get-rich-quick schemers.
knorker
Your point is a good one. I don't think it invalidates what I said, since my still valid message would get lost if I hedged it with "except (more or less) organized crime".
But I agree that Silk Road was an economy. Just like slave trading and other human trafficking is an economy.
We do still have an illegal cryptocurrency economy. It's more tilted towards the ransomware economy than drugs, though. So it's not just pyramid schemes.
But I'm sure crypto drug kingpins and murderers like Ross Ulbricht are still out there. In fact recently I listened to a money podcast that investigated if hitmen paid in cryptocurrency on the dark web were a real thing. I can't find it now, but the answer was that most are scams, but yes actually there's a nonzero number who will kill the person.
But back to my point: Most people talking about the cryptocurrency utopia (though most have given up on that, instead shifting to "it's a store of value!"), when they (de facto) say "real cryptocurrency economy has not been tried" mean the non-traditionally-criminal economy. So I also don't think that what I said was wrong. It depends what you mean by the word "real". :-)
earthnail
This comment made my day.
o11c
There's a major difference:
Crypto is often undermined by insiders pretending to be outsiders.
Communism is often undermined by outsiders pretending to be insiders.
curtisszmania
[dead]
edwardoelliott6
[dead]
ranger207
Add it to the list: https://www.web3isgoinggreat.com/
> as sourced back to a product it calls “cauldrons”
Then, the magician said "Abracadabra!" and poof! the money is gone.
> The company also offered a bug bounty to the hacker of 20% of the stolen funds.
Would that give them immunity from prosecution if they ever catch him. If not, what's the upside for the hacker to return anything back?