19-year-old Euler hacker hesitated for 3 weeks in the face of 200 million dollars

BlockBeats
2023-07-01 15:33:55
"I never thought about keeping this 200 million dollars; I just wanted time to protect myself, and the amount of 200 million dollars is too large for me to handle."

Original Title: “HE STOLE $200 MILLION. HE GAVE IT BACK. NOW, HE'S READY TO EXPLAIN WHY”
Original Source: Coinage
Original Author: Zack Abrams
Original Editor: Zack Guzman


On March 13, 2023, a hacker stole nearly $200 million worth of cryptocurrency from a popular lending platform—Euler Finance—in just 18 minutes, marking the largest theft of the year. Just three weeks later, he reversed the transaction and returned everything he had stolen.

Since the hacking incident, the mastermind behind the operation has come forward to explain his perspective on the event, claiming he never intended to keep the money.

Coinage spoke with the self-proclaimed hacker, a young Argentine named Federico Jaime, whose account is supported by other significant evidence. This is his story.

Image Source: Instagram @federicojaimeok

On a cool March night in Rome, around 3 a.m., Federico stood outside a bar waiting for friends and talking to God. The 19-year-old Argentine had been searching for something over the past month, but he hadn’t found it yet. He wondered why.

“Oh my God, if all my projects are completed in a month, why not this one?” he thought, looking up at the sky. “Why can’t I hear what I used to hear?” He still had a few hours before he could return to the hotel.

When he finally got home, he couldn’t sleep, as usual. So, he decided to get to work.

Federico’s prayers were almost immediately answered, perhaps prophetically. In the code of a cryptocurrency lending program, he discovered the vulnerability he had been searching for. He immediately set to work exploiting his discovery.

“When I work, I work like an artist, a writer,” Federico later told me in English, his second language, over the phone. “To awaken the muse, lack of sleep is a good thing.”

For the next two days, Federico couldn’t sleep. When he finally woke up in a hospital bed in Italy, his net worth had increased by $200 million, but he felt a curse branded on his back.

The cryptocurrency world relies on transparency. Every transaction—sending money to friends, buying NFTs, taking out loans—is public, and transactions are irreversible. Applications running on the blockchain (known as smart contracts) are also public; anyone can check the code for themselves.

As interest in cryptocurrency surged over the past few years, the entire decentralized finance (DeFi) application industry also rose, allowing cryptocurrency investors to swap tokens, obtain loans, leverage bets on price movements, and earn interest. Currently, about $45 billion in cryptocurrency is committed to DeFi protocols; in the fall of 2021, that number exceeded $175 billion, roughly equivalent to the total amount held by Morgan Stanley in deposits.

DeFi offers exciting financial innovations for cryptocurrency enthusiasts, adapting to the rapid development of the cryptocurrency space and loose regulations. If you want to borrow $200 million without collateral or speculate on “meme” cryptocurrencies like DOGE and PEPE, DeFi is the only option.

Meanwhile, hackers view DeFi as a series of digital bank vaults, each with a public blueprint (open-source code), effectively inviting someone to attempt a heist. According to data from cryptocurrency research firm Chainalysis, DeFi protocols have become prime targets for cryptocurrency hackers, who stole $2.2 billion from DeFi in 2021 and $3.1 billion in 2022, accounting for over 80% of all stolen cryptocurrency that year.

So far, the most successful cryptocurrency hacker is the Lazarus Group, which stole $1.7 billion in 2022, with $1.1 billion coming from DeFi vulnerabilities.

Faced with relentless attacks, DeFi protocols have responded by recruiting security firms to audit smart contracts, monitor threats, and even entice white-hat hackers (hackers who report vulnerabilities for rewards rather than exploit them) to look for vulnerabilities themselves. Even DeFi protocols that undergo rigorous audits and take all precautions can still fall victim to powerful hacking attacks, and sometimes that attacker is just a 19-year-old kid with God on his side.

All of this could have been prevented with a line of code.

Back at the hotel, as the sun rose over Rome, Federico began studying a DeFi lending protocol called Euler Finance, developed by a London startup, Euler Labs. Euler allows its users to take out loans of up to ten times the value of their deposited collateral; deposit $10,000, and you can trade as if you had $100,000. But cryptocurrencies are volatile, and if prices move against a user, their deposit may not be enough to secure the redemption of their collateral. That’s why every time a user interacts with Euler, the platform checks the health of their account, and if the health score is too low, it triggers an automatic liquidation.

But Federico saw something that wasn’t there: a single function in a single Euler smart contract lacked a health check. In just a few hours of research, Federico discovered what the Euler team and several independent smart contract auditors had missed.
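The missing health check described above, as an added illustration that is not Euler's code and not part of the original article: a toy Python ledger whose names (`Pool`, `release_collateral`, `unguarded_ops`) are hypothetical, with an invariant test that flags any operation able to leave an account unhealthy. The fix in `HardenedPool` is the single decorator line.

```python
import functools

LIMIT = 10  # the article's figure: borrow up to ten times deposited collateral

class Unhealthy(Exception):
    """Raised when an operation would leave an account under-collateralised."""

def health_checked(op):
    """Post-condition: run op, then revert and raise if the account is unhealthy."""
    @functools.wraps(op)
    def guarded(self, user, amount):
        saved = dict(self.collateral), dict(self.debt)
        op(self, user, amount)
        if not self.healthy(user):
            self.collateral, self.debt = saved  # roll back the whole operation
            raise Unhealthy(f"{op.__name__} would leave {user} unhealthy")
    return guarded

class Pool:
    """Toy ledger; every state-changing operation is meant to be guarded."""
    OPS = ("deposit", "borrow", "withdraw", "release_collateral")

    def __init__(self):
        self.collateral, self.debt = {}, {}

    def healthy(self, user):
        return self.debt.get(user, 0) <= LIMIT * self.collateral.get(user, 0)

    @health_checked
    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    @health_checked
    def borrow(self, user, amount):
        self.debt[user] = self.debt.get(user, 0) + amount

    @health_checked
    def withdraw(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) - amount

    # Hypothetical operation standing in for the one function without a check.
    def release_collateral(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) - amount

class HardenedPool(Pool):
    @health_checked  # the one added line
    def release_collateral(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) - amount

def unguarded_ops(pool_cls):
    """Invariant test: from an account sitting exactly at the limit, call each
    operation and report those that leave it unhealthy instead of reverting."""
    leaks = []
    for name in pool_cls.OPS:
        pool = pool_cls()
        pool.deposit("acct", 10_000)   # constructed sample values
        pool.borrow("acct", 100_000)   # exactly 10x: still healthy
        try:
            getattr(pool, name)("acct", 1)
        except Unhealthy:
            pass                       # guard fired and state was restored
        if not pool.healthy("acct"):
            leaks.append(name)
    return leaks

if __name__ == "__main__":
    print("Pool:", unguarded_ops(Pool))
    print("HardenedPool:", unguarded_ops(HardenedPool))
```

Running the same invariant test over every public operation in CI is what turns "one function lacked a health check" from an audit finding into a failing build.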

“It was just divine inspiration. It was just awakening my muse,” Federico said. “Exactly one month after searching for what I was looking for… I found it.”

Federico began plotting his attack. On March 13, after two days of sleepless programming, he was almost ready to execute. The only problem was: he didn’t know how to deploy a smart contract or how much it would cost.

“I Googled, ‘How much does it cost to deploy a smart contract?’ I found… articles saying ‘between $5,000 and $50,000,’” Federico said, raising his voice in disbelief. “WTF”

But Federico pressed on and eventually learned that the actual cost of contract deployment was much lower. By this time, days after his last sleep, Federico told me he wasn’t thinking about money at all. “I thought it was an experiment. Just an experiment,” he explained. “I wasn’t sure if it would work… I wasn’t sure if I could deploy the smart contract. My doubts outweighed my certainties.”

“So I really underestimated the vulnerability and myself because it ultimately worked,” he added.

On March 13, 2023, at 9:54 a.m. Italian time, Federico sat in front of his computer. In just 18 minutes, the three wallets he used to initiate the attack on Euler Finance stole $197 million worth of cryptocurrency from the protocol. All the funds ended up in one wallet—a virtual duffel bag stuffed with piles of cash.

“At first, I thought, this is so exciting. I hacked a huge protocol, and then I thought, wow, $200 million. This is the curse on my back.”

Federico still couldn’t sleep, and he had the hotel concierge call an ambulance.

The first to notice the anomaly was a bot; some crypto security firms provide real-time threat monitoring and alerts for DeFi projects. In the Euler hack incident, at least two security firms, Forta and Hypernative, received alerts minutes before the attack began.

Unfortunately for Euler Labs, which declined to comment for this article, the automated alerts were issued only minutes before the attack began, leaving the London-based startup too little time to secure the protocol. (“We predict the timing of attacks usually ranges from one minute to one hour,” Forta marketing manager Alex Behrens said.)

At 8:59 a.m. GMT on March 11, blockchain security firm PeckShield posted on social media, “Hi @eulerfinance: you might want to take a look,” linking to a page showing that a wallet had attacked Euler’s DAI stablecoin supply, stealing over $8.7 million in funds.

Then, everyone watched as Euler was hit again and again. The hacker stole $18.5 million in WBTC, then $116 million in stETH… Ultimately, the hacker profited $197 million, while all six of Euler’s token reserves evaporated.

At 9:56 a.m., Euler quoted PeckShield’s message on social media, stating, “We are aware, and our team is currently working with security professionals and law enforcement. We will post updates as we obtain further information.”

Because it’s cryptocurrency, everyone could see the funds in the hacker’s wallet. By examining the transactions of that wallet, security experts were able to reverse-engineer the attack, ultimately identifying the single vulnerability that led to the theft. But also because it’s cryptocurrency, Euler’s team couldn’t associate that wallet with a real-world identity or understand the hacker’s intentions.

On March 13, the hacker’s final action was to send 100 ETH (worth $168,000 at the time) through Tornado Cash, a “mixing” transaction protocol on Ethereum that makes funds harder to trace. Then, the wallet address fell silent.

At 10:47 p.m., the Euler team sent a message to the hacker’s wallet, stating, “We understand that you are responsible for the attack on the Euler platform this morning. We are writing to see if you would be willing to discuss any possible next steps.” This tentative communication marked the beginning of a difficult three weeks for the Euler team.

The next evening at 9:22 p.m., the Euler team sent another message to the hacker’s wallet, proposing to return 90% of the stolen funds within 24 hours—allowing the hacker to keep an effective $20 million bounty for the vulnerability. Otherwise, Euler would offer a $1 million reward to anyone providing information leading to the hacker’s capture.

The hacker did not respond.

At 11:20 a.m. on March 15, the Euler team sent another message to the hacker’s wallet, reiterating the previous bounty proposal. The Euler team wrote, “Then the investigation can stop, and the focus can shift to distributing it back to protocol users without going through legal channels.”

That evening at 10:06 p.m., after the hacker remained silent, the Euler team announced a $1 million reward for information leading to the hacker’s capture and recovery of the funds. The next day, Euler co-founder and CEO Dr. Michael Bentley shared his response to the attack, stating that the previous days had been some of the hardest of his life, expressing his sorrow for the affected users.

“I had to sacrifice time with my newborn son,” Bentley wrote on Twitter. “I will never forgive the attackers, but they can correct their mistake and return the funds to the EulerDAO Treasury as soon as possible.”

Federico Jaime claims he never intended to keep the money. “I knew from the beginning that $200 million was not a small number, and it would cause tremendous damage to the DeFi community, which was not my goal at all.”

We all want to know if, even for a moment, Federico thought about what $200 million could buy, imagining himself living in a mansion? On a yacht?

“Never, not at all, because I’m an entrepreneur. I can make money legally and perfectly; I don’t need to steal. I have no reason to take someone else’s money.”

For most people, such comments would at most elicit eye rolls. After all, the crypto community is not known for its humility. But I’ve seen photos of Federico traveling around Europe, staying in five-star hotels, and wearing designer streetwear. In our conversations over the phone and occasional texts, I asked Federico, who turns 20 this June, how he maintained his lifestyle.

Federico grew up in Buenos Aires with his parents and sister. Inspired by his software engineer father, he learned to code at 12 and sold his first program—a plugin for the video game Minecraft—for $10,000 at 14. “It meant freedom because I no longer had to ask my parents for money; they applauded me.”

As he grew older, Federico turned to a new game, GTA V, for which he developed an anti-cheat system for a custom multiplayer server run by die-hard fans of the game. “I found a memory reading error. I saw we could profit from it,” Federico said, adding that the software, FiveGuard, is now owned by someone else. “It was special because when you entered the game server with some unfair advantage, you would be banned immediately.”

Federico originally planned to attend law school in Argentina, but after graduating in 2020 and dealing with the COVID pandemic (with many restrictions and long lockdowns in Buenos Aires), he decided, with his parents’ consent, to take a long break before going to university.

In early October last year, Federico traveled to Rome. In December, he allegedly targeted the cryptocurrency exchange Buenbit, which operates in Argentina, Mexico, and Peru, stealing hundreds of thousands of dollars. Buenbit’s CEO, Federico Ogue, characterized the attack as fraud. News reports cited police sources saying the losses from the attack were $800,000, but Federico denied that figure.

Federico was reluctant to comment on the details of the case, although he admitted that his target was Buenbit, while also claiming that many of the more sensational details in media reports were either misleading or completely fabricated. The 20-year-old insists he is innocent in this case and noted that he and his lawyer are in contact with Buenbit’s team, hoping for a swift resolution.

And just a few months later, Federico had new concerns—this time, $200 million.

At the time of the attack, Euler Finance had up to 7,000 users. Two days later, on March 15, one of the victims decided to send a message to the hacker’s wallet (Federico’s wallet).

“Please consider returning 90%/80%. I’m just a user with 78 wstETH, my life savings deposited in Euler; I’m not a whale or a millionaire,” wrote the user, whom DL News confirmed was an Argentine blockchain developer named Santiago Avalos. “You can’t imagine the chaos I’m in right now, completely destroyed… your decision would relieve many affected people.”

Avalos’s life savings of 78 wstETH was worth over $140,000 at the time. Thirteen hours after Avalos sent the message, Federico responded, but not via text. Instead, for the first time since the hack three days earlier, Federico took action, sending Avalos 100 ETH, worth about $27,000 more than what the victim lost in the Euler collapse. Avalos returned the excess funds to Euler, saying, “I believe he might have been moved by my message.”

“This was my heartfelt gesture,” Federico said of his motivation for returning the funds. “I was generous at that moment. Also, I later found out this person… is also Argentine and a Solidity developer,” he added. “It was indeed a very interesting coincidence.”

Federico was not done transferring funds. Along with the 1,100 ETH he had already sent to himself via Tornado Cash, his earnings reached nearly $2 million. When I asked him why, Federico told me, “I didn’t think much about it. I thought, if they give me 10% of the bounty, that would be too much for me. I would try to take 1% of it.”

His next move was the most perplexing to date. On March 17, before 5 a.m., Federico sent another 100 ETH, this time to a notorious wallet that had executed one of the largest cryptocurrency hacks in history a year prior—stealing over $600 million from the Ronin Bridge. Just a month later, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) officially linked the Ronin Bridge exploit to North Korea’s Lazarus Group.

However, when I asked him about this, his explanation shocked me. “I had no idea this was North Korea. I never suspected,” he began. “The reason I sent 100 ETH to the Ronin user was purely out of admiration… I wanted to express my admiration from white-hat hackers to black-hat hackers.”

I was stunned, and Federico noticed. “I know you didn’t expect me to say that, but it’s the truth,” he replied. “I think this is one of the most important fields in today’s world, and the attack on the Ronin hacker was an engineering act. In that sense, it’s admirable… even demons can be beautiful women.”

The next day, Federico began returning funds, initially in three installments of 1,000 ETH each, totaling about $5.4 million at the time. Then, his wallet fell silent again. Analysts were skeptical at the time about whether Euler would be able to recover the remaining funds.

But two days later, on March 20, Federico sent the Euler team his first message: “We want to make it easy for all affected people. We never intended to keep what doesn’t belong to us. Set up secure communication. Let’s reach an agreement.”

Federico admitted that the message was a bit late: “I was trying to decide whether it was a good idea to keep $20 million to myself… because that’s what Euler offered me,” he said. “I really wasn’t prepared, lacked experience, and was a newbie… I hadn’t slept for days, for weeks, but ultimately, I knew I had to return it. I knew I didn’t want to cause any harm to Euler’s user base.”

Even so, Federico took a considerable amount of time to return the funds. Around 3 p.m. on March 25, 81,953 ETH (about $143 million) first appeared. Then on the 27th, $10 million in DAI followed. At 3 a.m. on the 28th, Federico publicly apologized, stating, “I messed up. I didn’t want to, but I disrupted other people’s money, other people’s work, other people’s lives… please forgive me.” However, some funds were still under his control at that time.

Ultimately, on April 3, the Euler team excitedly announced that all “recoverable funds” had been returned after the hacker’s last few transactions. Euler also officially rescinded the $1 million bounty on Federico’s head. The return of the funds marked one of the most successful recoveries in DeFi history, and Federico breathed a sigh of relief that everything was over.

Then, two and a half months later, Federico’s wallet became active again, sending itself messages. The first, on June 17, was just two words: “Ben yre”—Buenos Aires. Seventeen minutes later, the wallet sent another message in Spanish, claiming to be an Argentine, a Peronist, and a white-hat hacker. The message advised other hackers: “Don’t be stupid, don’t steal, earn bounties.”

At the end of the message, the wallet linked to an Instagram account—@federicojaimeok. I sent him a private message. We began chatting on Instagram, where Federico’s story has been archived since September 2022, and then we communicated via Telegram. Throughout our conversations, everything this person told me matched the information I had learned about Federico from other sources. Federico also provided me with his father’s phone number, who confirmed his identity and relationship with Federico, providing additional information consistent with what Federico had told me.

Federico told me he decided to come forward not for his own benefit, but for the benefit of the DeFi community. “I want to encourage ethical hacking, that’s the main reason, and I want to be able to raise my voice to tell people to do the right thing.”

Federico also hopes that Euler’s strategy of negotiating with the attacker will set a precedent for the rest of DeFi to follow. He said, “I’m sure the hacker scene in decentralized finance will be different after the Euler hack incident. I think this shows the world the importance of audits and the importance of negotiations after a hacking attack.”

Erin Plante, vice president of investigations at Chainalysis, stated, “However, not everyone in the cryptocurrency space is keen on bounties and hacker negotiations becoming the norm. Most DeFi hackers don’t receive $100,000 or $500,000 from legitimate bounties; they often demand 50% or more of the total stolen funds as a commission, which is more like extortion.”

Plante also pointed out that as law enforcement improves at tracking illegal cryptocurrency, it becomes harder for hackers to cash in on their bounties. She said, “In this case, combined with the overall decline in bounties across the industry, the incentives for hackers to engage in this work are likely to change.”

Federico repeatedly insisted to me that his plan from the beginning was to return the funds. So why did it take him three weeks?

“I wanted time to protect myself and find a safe way, legally and otherwise,” he said.

Of course, some of Federico’s claims cannot be verified. Federico told me that the design and execution of the protocol were entirely his work (“I did it all myself”), although he occasionally received advice from a colleague, such as a list of DeFi protocols to research (which seems more like covering up others’ involvement, as it’s impossible to determine who wrote the code from the on-chain data we have).

We will also never know if Federico would have kept the money if he had planned the attack better. He admitted to me that he regretted not considering the consequences, but he said it was simply to do the right thing. “I just didn’t plan enough, and the amount was too big for me to handle,” he said.

Federico told me he regretted the pain he caused the Euler team. “When I saw Michael Bentley’s tweet saying he had to sacrifice time with his family, my heart broke,” he said. When I asked him if he was worried about the impact of the attack on his future, he denied that concern. “I believe, legally, the Euler team won’t retroactively pursue me because that would prevent future hackers from returning funds.”

Euler Finance began compensating attack victims on April 12, which delighted the victims (and was almost unbelievable). The impact of the vulnerability has spread to 11 other DeFi protocols. One of them (Yield Protocol) didn’t recover until June 27. Since the hack, Euler Finance has been in a state of paralysis.

Federico is still in Europe, describing his personal situation as “complicated,” but he hopes to return to Buenos Aires soon to continue his studies. “Since the Euler hack incident, my life hasn’t been easy; it has left me under pressure.”

I asked Federico if he thought God seemed to be responding to his prayers, giving him a lesson. “I think he’s either playing games with me or (testing) me,” he replied.

Federico has not yet made up his mind.
