The U.S. Attorney for the Southern District of New York has arrested two brothers – Anton Peraire-Bueno and James Peraire-Bueno – for carrying out a scheme that “exploited the very integrity of the Ethereum blockchain.”
Prosecutors and the U.S. Department of Justice (DOJ) and agents at the Internal Revenue Service (IRS) accused the brothers of stealing $25 million worth of ether within 12 seconds, through a scheme they executed and plotted for months
In an unsealed indictment, the DOJ detailed how they executed the attack, searching online for “how to carry out” the exploit and “ways to conceal” their involvement with it. They also reportedly created a document that laid out a plan with four stages – The Bait, Unbinding The Block, The Search and The Propagation.
The Peraire-Bueno brothers used approximately 529.5 ETH to set up 16 validators on Ethereum, which they used in the April 3, 2023 attack to front-run Maximal Extractable Value (MEV) bots and steal millions in crypto.
Last year, Unchained reported that the Ethereum network had slashed a rogue validator for stealing funds from MEV “sandwich bots” and distributing the stolen funds to three different wallets. At the time, some users even applauded the move, given that MEV bots are designed to fron-run transactions themselves in search of additional revenue.
The attack was possible due to a relayer vulnerability which was patched by developers shortly after. Interestingly, at the time, Flashbots product lead Robert Miller said the user behind the attack had reached out to him and other developers to “disclose details on a unique block equivocation strategy that should be mitigated.”
In exchange for disclosing the details on April 21, 2023, the attacker requested that he be referred to as “low-carb-crusader.” He proved that he was behind the previous exploit with a signed message from an externally owned account (EOA) and disclosed details of a strategy where a proposer could gain a structural advantage against an MEV-boost relay.
The Flashbots team assembled a war room to mitigate the issue, and rollout out a patch to the mainnet a few hours later.