Canadian math prodigy allegedly stole $65M in crypto

201 comments

·April 14, 2025

AlexanderTheGr8

I followed this case when it happened. It was $16M at the time, not sure how it became $65M now. I suppose it doesn't matter - any number above $100k probably grants the same punishment*

Interesting side-note : the people he took/stole from - they offered him 10% if he returned the rest. He said no in a tweet trolling them.

Contrary to the opinions in this thread, I think he was smart to run away. Remember that he did this from Canada, not the US. Countries don't have the same extradition treaties with Canada that they do with US.

If he had stayed, he would almost certainly be convicted. No court can possibly understand "code is law". Courts' job is only to interpret the law, not make the law. And the law was not written for crypto. You cannot fit a square in a circle without distortion.

What I think would have happened is the courts, rather than introducing novel precedent, would have preferred to just rely on existing case law and declare him a criminal.

Another interesting side-note : the judge presiding the case made a public comment asking the guy to come back to Canada promising him a fair trial. The guy didn't show up - maybe he didn't receive the message.

Overall, even with the benefit of hindsight, we still can't be sure if he was smart to exploit this or not. Forced to live in a few countries but with a lot of money.

* It's because (1) laws were designed when numbers were lower (no one had $16M to steal); (2) humans can't visualize big numbers (individually, $16M is just as big as $65M in my head)

amit9gupta

He did not steal anything. He beat the fund (Indexed Finance) at their own game.

He has not stolen anybody's password, has not modified DeFI code - simply executed a set of financial transactions according to the rules (expressed as DeFI smart contracts) and profited from it.

Indexed Finance is an unlicensed investment firm. The promoters knew the risk ( decentralized finance) and now they want to blame someone who outsmarted them at their own game.

InsideOutSanta

This. If you believe in cryptocurrencies, you can't run to the courts when people use them as designed, even if they didn't use them as intended.

If you end up using the legal system to remediate undesired transactions, what's the point of cryptocurrencies in the first place?

thinkingtoilet

> what's the point of cryptocurrencies in the first place?

So far, to execute illegal transactions and using the lack of regulations to exploit the financially illiterate.

hinkley

Money laundering.

oh_my_goodness

Who's using a ledger system for illegal transactions?

__MatrixMan__

The point of cryptocurrencies is to reward people who make hardware available for in-public multiparty computation. The point of that is to be able to create rulesets and expect that they'll be followed within the confines of the system.

It's bonkers to me that the only rulesets people care to implement on such a platform are just reflections of money as we know it. How unimaginative. I wish we'd make something new rather than translating something old--bugs and all--into a new language.

BobbyJo

Hardware availability is a use case of cryptocurrency, but not the point. The point is a decentralized accounting system that no single party can manipulate, for good or bad. You can apply that to hardware availability, digital game economies, supply chain accounting, etc. but the point of crypto is more abstract than any of that.

oh_my_goodness

Guessed translation: "The point of cryptocurrencies is to reward the people who do cryptocurrency infrastructure."

That's the point for them. It's not the point for anybody else.

throwpoaster

Let's do it! What's the idea?

BlackFly

You'll need a stronger defense than that in court because courts absolutely create and deal in gray areas where technical fine lines exist.

What you need to argue is that the the smart contracts were valid contracts that the creators intended to and had opportunity to understand and that their creation was their act of negotiation of a position. It isn't really a stretch, but with amounts like this probably more diligence would have been due than that. Calling it theft is ridiculous on the other hand.

Brybry

In the indictment[1] he's not charged with theft.

He's charged with:

1) wire fraud (the smart contracts/swap exploit)

2) unauthorized damage to a protected computer (running the exploit on the ethereum network)

3) attempted hobbs act extortion (contacting kyberswap to attempt to gain control of kyberswap in exchange for return of some of the crypto)

4) money laundering conspiracy

5) money laundering (knowingly laundering the proceeds of the previous, including paying an undercover agent to help bypass a blacklist to do so)

[1] https://www.justice.gov/usao-edny/media/1388036/dl?inline

Calwestjobs

it can be said that laws are social contract

CursedSilicon

The entire idea of crypto is "I wasn't supposed to be the one holding the bag!"

hx8

Funny, I thought the whole point was to hold on to the bag as long as you can. Think back to the first time you heard about btc or eth, and how much return a modest investment would have made. It's the people that sold early that lost out.

hinkley

Musical chairs except you don’t want to get a chair.

jstanley

> If you believe in cryptocurrencies, you can't run to the courts when people use them as designed, even if they didn't use them as intended.

If you believe in cash, does that mean you can't run to the courts if someone steals your cash?

If your security proves insufficient to prevent a theft, that doesn't mean the theft was legal! It just means your security was insufficient.

That security can be enforced by mathematics instead of courts is definitely a benefit of cryptocurrency, but when it goes wrong courts still matter.

InsideOutSanta

>If you believe in cash, does that mean you can't run to the courts if someone steals your cash?

No, because the point of cash isn't to circumvent government control of the financial system. If you build a whole system just to decentralize financial control and avoid government influence but then appeal to the government as soon as you don't like what happens, you're doing something wrong.

koolba

> If you believe in cash, does that mean you can't run to the courts if someone steals your cash? If your security proves insufficient to prevent a theft, that doesn't mean the theft was legal! It just means your security was insufficient.

Stealing someone’s private key and then using it to steal their assets is very different from exploiting edge cases of get rich quick schemes.

crote

The problem here is that those crypto contracts aren't designed to be security. They are intended to be contracts.

It's like opening a bank account, and the contract says "You can only access your own money in the vault. Everything you can access is yours to use as you see fit." On your first visit the manager brings you into a vault with hundreds of cash-laden tables. He shows you to an empty table, and says "Here's your table. Enjoy!".

Are you allowed to take money from the other tables? Clearly the contract says you can, but surely that can't be what they intended? Is it theft to "break their security" by walking over to another table, or is it just a hidden perk of the contract you signed?

dandanua

@crote

> Are you allowed to take money from the other tables? Clearly the contract says you can, but surely that can't be what they intended?

If their entire business model is based on giving a service that allows you to store your money in safety without any government dependency, while in reality they allow everyone else to take your money, then they deserve whatever happens to them.

analog31

Money is a technology. Its purpose is whatever use you want to put it to.

Like any technology, a money system can be designed so that it works well enough for a small set of intended purposes, and poorly for all other purposes. Moreover, its uses can be constrained by laws.

I think an open question is whether existing laws related to money or property apply to cryptocurrencies. For instance, "theft" and "fraud" cover a lot of things, without specifically listing all of them.

If it's ambiguous whether such laws apply to crypto, then sure, someone could use the legal system to settle the matter. In fact, using the legal system to remediate undesired transactions could be as good a use of crypto as any, if "anything goes."

vonneumannstan

>you can't run to the courts when people use them as designed, even if they didn't use them as intended.

I doubt that will hold up in court. The exact thing could be said about computer networks and hackers exploiting them.

null

[deleted]

Aurornis

> He did not steal anything. He beat the fund (Indexed Finance) at their own game.

As popular as this idea is online, it doesn’t work that way in the courts.

Intent matters in issues of the law. The “finders keepers” rules don’t apply in legal matters in the real world.

If someone logs into their bank and notices that changing the account number in the URL lets them withdraw from other people’s accounts, no court is going to shrug it off and say that it’s the bank’s fault for not being more secure. Likewise, finding a vulnerability in a smart contract doesn’t automatically give someone the right to any funds they collect from exploiting it.

We all know the “code is law” arguments about smart contracts are just marketing bluster. The lawyers do, too.

Hizonner

The intent of the whole underlying system is that the intent of all the parties be described by code of the smart contracts. Which are intended to be composable, intended to be used in unanticipated ways, and intended to operate independent of any human oversight. The system is also intended to avoid all ambiguity by enforcing the contracts exactly as described by the code... and to provide certainty of transactions and prevent them from being undone after the fact.

Everybody involved knows all of that, and claims it as a positive feature of the system. At least until they find out that it's actually hard to write bug-free code.

There may indeed not be a legal "meeting of minds" (although there very well also may)... but from an ethical point of view, everybody involved knowingly signed up for exactly that kind of risk. And honestly it would be good public policy if the law held them to it. Otherwise you get people trying to opt out of the regular legal system up until it's inconvenient.

There'd be more of a case if he'd exploited the underlying EVM implementation. But he didn't. He just relied on the "letter" of a contract, in an environment that everybody had sought out because of unambiguous to-the-letter enforcement.

ipsento606

> If someone logs into their bank and notices that changing the account number in the URL lets them withdraw from other people’s accounts, no court is going to shrug it off and say that it’s the bank’s fault for not being more secure

When you open a bank account, there is an actual contract and regulatory framework that governs how you use the account. A URL parameter is an implementation detail that no more alters the contract than a broken lock on a vault would alter the contract.

But when you interact with a smart contract, the smart contract is the contract. What you are allowed to do is defined by what the smart contract lets you do. You don't need to open an account, agree to T&Cs or sign any other sort of contract to interact with the smart contract.

If the smart contract is not the contract, how would you propose we can determine what the real contract is?

mjr00

The big difference is that those are centralized systems owned by corporations, and accessing them in a way which you're not supposed to, such as by changing a bank account number or exploiting a zero day, is a crime.

With DeFi it's different; the code is public and decentralized. There was no unauthorized access to anything here. From my reading of what was done, it was essentially taking advantage of the poor trading strategy of Indexed Finance.

I'm not going to pretend to be a lawyer, but I don't see a lot of parallels between this and e.g. using SQL injection to obtain unauthorized access to a system.

ajb

I'm not a lawyer either, but I suspect the technical structure is not determinative. Contract law has certain features. These technical constructs purport to enable contracts to be written and executed such that subsequently the courts cannot but find that what the code did is final and there is no possible legal reconsideration. Clearly, this is the prior expectation of the parties, but whether it is the case under all circumstances is a function of contract law (and other applicable law) not the technical constructs. The code is not what will finally be determinative.

To give an analogy, it's like writing code in a high level language and saying that it will prevent side channels such as spectre. But such side channels are a function of the hardware, not the high level language. The hardware in defi is ultimately the law, not the servers.

stouset

The entire point of cryptocurrency contracts is supposedly that “code is law”. Running to the courts as soon as someone does something you didn’t intend only highlights that people don’t actually believe this.

ceejayoz

We've known this since Ethereum forked in the DAO debacle.

darepublic

The code is law thing is a grey area. But I am open to the idea that this young man did not break any rules, just found flaws in the system. In the same way that card counting should not be against the law just because it resulted in the house being disadvantaged. These things should be addressed with patches to the rules, not legal action.

Calwestjobs

be careful with card counting, most casinos do "business" in such way that there is NO advantage for player. no matter what player does.

so all american youtube sagas about doing card counting in PRESENT time are fraud to dupe people into thinking that it is possible to card count. NOW TODAY.

StanislavPetrov

Card counting is still possible (albeit a bit harder) in the present day - the mathematics are the same. Most casinos use more decks and don't deal as deeply into the shoe, but it is still entirely possible to gain a statistical edge over the house, which is why casinos will still ban you from playing blackjack if you are playing with an advantage(counting, varying your best sizes greatly based on the count, sitting out and watching until the deck gets deeper, ect). They will never ban you from games like Roulette, where you there truly is no way to gain an advantage over the house regardless of what strategy you use.

Cthulhu_

The company and its customers knew what they were getting into; to get protections from the law and guarantees, financial institutions need to get licensed and comply with all the rules, regulations and law. Of course, this includes providing transaction data to the relevant parties to help them detect tax evasion and money laundering.

Aurornis

> to get protections from the law and guarantees, financial institutions need to get licensed and comply with all the rules, regulations and law.

That’s not how the law works.

If someone breaks the law or doesn’t comply with regulations, that’s a separate issue. It doesn’t entitle a third party to steal their funds.

If you were to rob a drug dealer, you couldn’t argue that they weren’t complying with the law and therefore you were free to take it. You would both have broken laws.

archontes

Define theft.

If you write a contract and give it to a lawyer with the instruction, "Anyone who satisfies this contract gets this money." And someone satisfies the contract to the lawyer's -but not your- satisfaction, and the lawyer sends the money, did the third party steal from you?

echoangle

Is that how it works legally? If you hack into computers using a zero day, did you also just access the computer according to the way it was programmed? Just because you can do it technically doesn’t mean it’s not fraud/something else.

cherryteastain

If that's not how it works, where's the line for what is fraud and what is not? Once you move away from the "code is law" principle, companies have the perverse incentive to define fraud as "any transaction that results in negative PnL for me", which is exactly what happened here.

dan-robertson

Isn’t, in the US system, the definition of fraud built up through a combination of legislation and case law from previous ‘grey area’ cases? I think most laws tend to have some balance between what is easy to define/understand and what is desirable to allow/disallow.

echoangle

„Code is law“ isn’t a thing. Go tell a judge that your hacking is legal because the code allowed it. That’s not something that’s allowed by law.

freejazz

What does one have to do with the other? Fraud is "intentional deception to gain an unfair or illegal advantage, often resulting in financial or legal harm" what does that have to do with code? What could code even do about fraud?

sksxihve

Code is law went out the door with the ethereum hardfork after the dao hack.

Calwestjobs

(realizing that im so old. if this is what i totally forgot, what else of this magnitude of signifince i do not remember anymore. that i was part of/ was involved/ it affected me.)

stefan_

Funny, because it would never have happened if it was court ordered.

programjames

Next we're going to learn that winning Poker Bots with an "all in" strategy is defrauding the competition.

crispyambulance

He should have taken the significant and generous 10% bounty the first time around. He now has to face law suits by well-funded finance firms.

DangitBobby

It seems like he simply faces a very wealthy existence in countries that don't give a shit about US laws.

knodi123

Assuming he can get his hands on the tokens and then convert them to local currency. Not impossible, but it's worth noting that he still hasn't managed.

nikhizzle

So which one is it? Code is contract and he should get to keep the money. Or crypto is governed by laws outside of crypto and so he violated the “spirit” of the code and hence is a criminal?

It seems like right now the crypto industry makes the decision to their convenience on a daily basis.

intrasight

Purity goes out the window when there's real money involved. And means that in cryptocurrency, you only own what the government grants that you own.

It'll be interesting how this gets resolved by Canadian courts.

And this is rich: “A bad actor not brought to justice and held to account for one act of fraud will surely commit another”

null

[deleted]

programjames

It seems absolutely bonkers to me that someone would write a smart contract that lets them bleed $50m without automatically stopping after they lose the first $1/10/100k.

criddell

Code is contract and disputes are handled by the courts. There's no such thing as a purely extrajudicial contract, is there?

null

[deleted]

hinkley

In the real world locks are meant to keep honest people honest and slow down the dishonest people until someone notices and stops them.

There’s a world where crypto could be sold the same way, but the sycophants drowned that out for long enough that we aren’t in the Trough Disillusionment now so much as the Trough of Open Mockery.

Gunax

There definitely some hypocrisy, but it might work differently in the law.

As devs, we might claim that 'code is the law' but my guess is that the law does not care. That is, one cannot overwrite property laws by a few lines of code.

Consider how disclaimers work--we are increasingly putting limitations on what rights you can contractually forfeit.

This will be interting to watch.

jxjnskkzxxhx

We have laws, yes.

gosub100

HN

Canadian math prodigy allegedly stole $65M in crypto

Canadian math prodigy allegedly stole $65M in crypto