Issue 46 – Checkmate, crypto
Cheating chess-players, cursed mansions, and more defi centralization.
In the courts
The lawsuit from the SEC against Binance's US arm is the one outstanding complaint against the exchange, after the remainder were settled as part of an agreement announced by the Department of Justice in November [Issue 44]. Not long after that announcement, the SEC filed a "notice of supplemental authority" in their case, attaching the two plea agreements with the DOJ and the consent order from the Financial Crimes Enforcement Network (FinCEN).1 If you're curious what's in those filings… stay tuned. Anyway, this process is a way for the SEC to alert the court to new relevant decisions that were filed after the SEC lawsuit. Binance, of course, does not want the court considering the SEC case to take their DOJ and Treasury settlements — in which both Binance and CZ admit to serious wrongdoing — into consideration.2 Binance, meanwhile, is still trying to get the SEC case dismissed.
A long-running criminal trial in Austria took a dramatic turn when the main defendant, who had been arguing his innocence despite seemingly admitting to some portions of the crime earlier on, suddenly gave up. "I've run out of steam, I've finished driving... I plead guilty in full and ask for a lenient and speedy sentence," he told the judge. When asked by the judge what exactly he was pleading guilty to, the defendant replied: "I don't know anything about criminal law… Based on my descriptions, Ms. Prosecutor, what would you say?" He ultimately admitted that the EXW cryptocurrency "investment fund" had been a scam from the beginning, intended to enrich him and his seven accused co-conspirators at the expense of investors. At least 40,000 victims were defrauded of more than €17.6 million (~$19.3 million), though his ex-girlfriend testified that the scammers had actually profited somewhere between €80 and 100 million ($88 and $110 million) [W3IGG].
Remember the guy who googled things like "defi hacks prosecution" and "how to prove malicious intent" and "how to stop federal government from seizing assets" after exploiting Crema Finance for almost $9 million in July 2022 [I33]? Turns out he was also behind the $3.5 million attack on Nirvana Finance that followed only a couple of weeks later [W3IGG]. He's now admitted to both and pleaded guilty to a computer fraud charge. He will forfeit more than $12.3 million and pay $5 million in restitution, and he faces up to five years in prison.3
The cofounder of Bitzlato, who was charged by the Department of Justice with quite a flourish in January [I17], has pleaded guilty to money laundering charges. Bitzlato reportedly was a key conduit for ransomware proceeds, and processed $700 million related to the Russian Hydra darknet market. The cofounder, Anatoly Legkodymov, will shut down Bitzlato, release any claim on the $23 million or so in crypto that's been seized, and face a prison sentence of up to five years.4 He's currently hanging out at MDC Brooklyn, the correctional facility also currently home to Sam Bankman-Fried.
Speaking of Sam Bankman-Fried, Tiffany Fong somehow tracked down Bankman-Fried's former cellmate, former mafia enforcer Gene Borrello, and interviewed him. According to Borrello, Bankman-Fried is residing in a unit for high-profile defendants, which has helped him avoid inmates who might try to extort him for the cash they believe he might still have stashed away. Borrello also said that Bankman-Fried genuinely didn't seem to believe he was going to be found guilty, and that he was also convinced that at worst he would get twenty years in prison — an assumption his unit-mates tried to convince him was ill-informed. "He will be in prison for the rest of his life," predicted Borrello.5 We'll find out for sure in March, unless sentencing is delayed.
What is it with Stanford law professors? The guy who helped lead Bankman-Fried's legal defense did a whole interview with Bloomberg, which seems… ethically questionable.6 David Mills said, "he may be at the very top of the list as the worst person I've ever seen do a cross examination". He also told Bloomberg he believed Bankman-Fried's "whoopsie daisy I'm a dumb boy who lost track of $8 billion" story: "I think he is innocent because he didn't form the intent to do anything wrong." Despite a nice quote by Bankman-Fried's parents about Mills, Mills says "I don't know that our friendship will survive this," presumably referring to the trial but maybe also to his choice to ditch any appeal attempts and instead spill to journalists about the "unwinnable" trial of the "most hated man on earth [besides] Donald Trump."
Su Zhu, one half of the duo behind the collapsed Three Arrows Capital hedge fund, faced questioning from Singaporean lawyers working to liquidate the fund and locate assets that may have been squirreled away. Creditors are owed around $3.3 billion. Zhu is stuck in jail after ignoring a court order and trying to flee the country, although he's set to be released pretty soon.7
Montenegro's going to be hanging on to Do Kwon a little bit longer, with the court extending his custody by two months as the country's justice minister decides whether Kwon will be extradited to the United States or South Korea.8 The rumor is he'll be coming to the US to be tried here, but that hasn't been formally announced and likely won't be until Kwon's last-ditch appeal of the extradition decision has been decided [W3IGG].
In bankruptcies
Gemini is now estimating that customers of its Earn program could see as little as around 60% of their money back. The estimate is based on a new reorganization plan by Genesis, which was Gemini's partner in this Earn program, and which has been target of fiery public letters and court filings from the Winklevoss twins ever since it became clear their company wouldn't be getting their money back. However, some have noted that 60% might actually be overestimating things, because the payouts are dollar-denominated and calculated based on Bitcoin prices at the time of Genesis's bankruptcy petition, when it was around half of today's price. Needless to say, Gemini creditors are not thrilled, and many have urged other creditors to vote "no" on the proposal. "You stole our money. Give it ALL back, every single dollar," wrote one Twitter user in response to Gemini's announcement.9
Over at FTX's bankruptcy, the judge is trying to push things along as things have gotten mired in a dispute between FTX and the IRS. The IRS says that the company owes $24 billion in unpaid taxes, making them the company's largest creditor. The FTX estate has argued that the IRS is massively overestimating the amount owed by FTX, which they'd originally set at $43 billion. "There is simply no basis to support the IRS's meritless claims that the Debtors owe tax in an amount that is orders of magnitude greater than any income the Debtors ever earned and that would effectively prevent most of FTX's creditors—themselves victims of fraud—from obtaining any meaningful recovery," they wrote in a filing. At a recent hearing, Judge John Dorsey seemed to agree with the FTX debtors that the IRS can't just throw out a number without any justification, and scheduled a hearing for early next year to determine how much FTX actually owes so that things can get moving again.10
In government
Hamas continues to have Congresspeople really worried about cryptocurrency. Senators Mark Warner (D-VA), Mike Rounds (R-SD), Jack Reed (D-RI), and Mitt Romney (R-UT), have put forward a bill in the Senate called the Terrorist Financing Prevention Act of 2023. It would seek to broaden current sanctions on organizations that facilitate financial transactions with terrorist groups. Under the new bill, current sanctions which are mostly focused on Hezbollah would be expanded to include groups like Hamas. It includes language that would allow the restrictions to extend to "primary money laundering concerns" even if they don't involve US bank accounts, a strategy explicitly aimed at broadening FinCEN's authority to crack down on cryptocurrency firms.11
Another Senator, Elizabeth Warren (D-MA), has recruited a whole slew of others to back her Digital Asset Anti-Money Laundering Act, which is also focused on illicit cryptocurrency use cases including terrorist financing and ransomware. According to the senators backing the bill, it would simply "close loopholes" in existing regulations and "require cryptocurrency platforms to abide by the same anti-money-laundering rules that banks follow."12 Among other things, the bill aims to extend the Bank Secrecy Act — the law enshrining anti-money laundering programs among financial institutions — to apply to more of the crypto world. Although it already applies to some entities, as the Binance consent order from FinCEN recently illustrated, Warren and company are hoping to broaden it to cover groups including miners and validators — something that I don't think would be desirable or practical. You probably won't be surprised to hear that much of the cryptocurrency industry agrees with me on this particular point, and some (such as lobbyist group Coin Center) have argued that it would be unconstitutional.13 This particular claim seems to me to be based on the idea that the Bank Secrecy Act as it currently exists is unconstitutional. In fairness, this is not an opinion unique to crypto lobbyists, but it's also one that was addressed by the Supreme Court in 1974.
Anyway, given the gridlock in Congress around crypto, I'm not holding my breath for any new crypto legislation — good or bad — anytime soon.
Over in the CFTC, commissioners have voted to publish an apparently FTX-inspired rule to the public comment stage, which is a step along the way towards enacting it. The proposed rule would require derivatives clearing organizations to segregate customer funds from their own.14
Elsewhere in crypto
My favorite thing about Bitcoin's Ordinals project (NFTs on the Bitcoin blockchain, essentially) is that it makes some of the Bitcoin developers steaming mad. It's been almost a year since Ordinals were first introduced, and although they haven't matched the mainstream hype extremes of the NFT mania a few years back, they haven't gone away, either. Recently, the Bitcoin network has gotten so congested thanks to the data-heavy Ordinals transactions that the pool of unconfirmed transactions has grown (and, with it, transaction fees, which are today averaging around $14.23 per transaction). Some Bitcoiners think Ordinals are great, some have adopted a "live and let live" approach, and some think they're horrible.
Luke Dashjr is a member of the latter camp, and naturally, is frothing mad again (see I20 for the first time this happened). He's reiterated his position that Ordinals are "spam[ming] the blockchain" and are "exploiting a vulnerability in Bitcoin", and argued that these types of transactions need to be filtered out by miners to protect the network.15 This is an argument that you'd think might be tough to square for a guy who is also ideologically behind Bitcoin for its "censorship resistance", but he seems to have no issue with it. He has also, somehow, managed to argue that his code to allow Bitcoin miners to opt not to mine these transactions is not censorship, while code that rejects peers using this code is.16 Someone (widely assumed to be Dashjr) also submitted the "bug" that allows Ordinals to exist to the US government's National Vulnerability Database, which records known software vulnerabilities.17 Tattling to the government to try to get your way in an argument about a software project supposedly outside the government's control makes for pretty delicious irony.
I guess if you're an NBA star looking to buy a mansion, you should check first that the previous tenant wasn't the so-called "Crypto King", who still owes victims around $40 million. Shai Gilgeous-Alexander of the Oklahoma City Thunder purchased an $8.4 million lakefront mansion in Ontario, but days after moving in, answered the door to an angry investor looking for Aiden Pleterski. When they called the police, officers told them that they'd received previous break-in reports at that address; a person in the private security field also told them that a victim of Pleterski's fraud had threatened to burn the house down in the past. Gilgeous-Alexander ultimately was able to unwind his purchase of the home and recoup mortgage and insurance payments after a court found that the seller made a "fraudulent misrepresentation" by not disclosing that Gilgeous-Alexander could face "objectively reasonable danger generated by the repeated and ongoing visits to the property by angry creditors". And given that one of the fraud victims previously kidnapped and beat Pleterski [I33], this really doesn't seem like an unfounded fear.
As for the Crypto King, who is in the middle of this $40 million bankruptcy proceeding, well, he's only been enraging said angry creditors further by posting photos on social media showing him driving luxury vehicles, spending $150,000 on Legos, livestreaming himself gambling online for hours at a time, and traveling internationally.18
The Web3 is Going Just Great recap
There were 17 entries between December 4 and December 14, averaging 1.5 entries per day. $1.429 billion was added to the grift counter.
Ledger reminds us how centralized defi is
[link]
Ah, decentralized finance, where one compromised library causes frantic warnings of "Do not interact with ANY d[ecentralized] Apps until further notice." Far from avoiding centralized points of failure, defi projects so widely used the Ledger Connector library to implement the wallet connection portions of their projects that an exploit caused the whole defi space to come to a screeching halt.
It's a little early to talk about losses, but an early estimate of $610,000 was actually a bit lower than I expected for such a major vulnerability — perhaps because it was noticed fairly quickly, in part helped by the attacker's code which contained helpful variable names like DrainerPopup
.
This was hardly the first incident to expose the centralization of defi. Here's an oldie:
Still, some crypto folks seemed to grapple with the issues this incident exposed:
Others, however, suggested it should be up to users to audit every project they use, including their dependency management practices. The future of finance!
Ledger later published a postmortem of the exploit, blaming it on a "former Ledger Employee [who] fell victim to a phishing attack that gained access to their NPMJS account," which then allowed an attacker to publish a malicious version of the library. At least for me, this raised only more questions: namely, why did a former employee still have access to Ledger's release tooling? Why was clicking a phishing link all it took to give a malicious actor full release access?
A $1.3 billion scam
[link]
The HyperVerse cryptocurrency scam has, by Chainalysis' estimates, brought in $1.3 billion from a massive pool of victims, mainly in Australia. The worst thing is: this isn't the scammers' first rodeo.
In 2019, the Australian cryptocurrency exchange ACX halted withdrawals. In late 2021, ACX's parent firm, Blockchain Global, entered liquidation with an estimated $50 million in creditor claims. The liquidator ultimately referred the firm's leaders, Sam Lee, Zijing "Ryan" Xu, and Liang "Allan" Guo, to the Australian Securities & Investments Commission, having himself had trouble tracking them down. ASIC never took any action.
So, there was nothing stopping Lee and Xu from starting a new scheme, this time in the form of a pyramid-style "crypto investment" scheme that promised huge returns. Some individual investors put in tens or hundreds of thousands of dollars, and in some cases, it was their life savings.
HyperVerse's website went offline in mid-2023, but the two are still involved with schemes including StableDao and We Are All Satoshi. In September 2023, the California Department of Financial Protection and Innovation described both in cease-and-desist letters as "fraudulent pyramid and Ponzi scheme[s]".
Checkmate, blockchain
[link]
After raising $12 million from various crypto-focused venture firms, Immortal Game has finally realized that "by offering large amounts of cash with no limit barrier to entry, we encouraged heavy cheating on the platform".
Well, sheesh. Who could've predicted that?
They announced that they would be transitioning from a blockchain chess company to just a chess company, ending support for their "Checkmate" token and halting development on ongoing play-to-earn and NFT projects.
They did, somewhat ironically, say that they were open to using web3 technology for "anti-cheat measures".
Everything else
- SafeMoon files for bankruptcy [link]
- CoinList reaches $1.2 million settlement with OFAC over Russian sanction violations [link]
- Money launderers charged over $80 million crypto romance scam [link]
- Crypto scammer suddenly pleads guilty in trial surrounding EXW fraud [link]
- Grifter-in-chief Donald Trump hawks mugshot NFTs [link]
- Fraudsters steal more than $25 million in "AI-powered" crypto ponzi [link]
- OKX DEX suffers $2.7 million hack [link]
- KuCoin fined $22 million in New York [link]
- Yearn Finance accidentally swaps its entire Ip-yCRVv2 treasury, asks nicely for the money back [link]
- Uranium Finance hacker cashes out in Magic: The Gathering cards [link]
- Do Kwon reportedly to be extradited to the United States [link]
- The AEUR stablecoin isn't [link]
- Nostr Assets gets clogged up [link]
In the news
Several people reached out to me to let me know that my work had been cited on the Behind the Bastards podcast about Sam Bankman-Fried! Super cool. They cited my newsletter post about the discussion of FTX's codebase during the trial.
Cointelegraph wanted to know what I thought were some of the "top signals" of the 2021 crypto mania — the moments where, looking back, it's clear the bubble was way overinflated. I pointed to celebrity shilling like the incredibly awkward conversation about Bored Apes between Jimmy Fallon and Paris Hilton, and the cringy attempts by big brands to adopt the crypto lingo.
Worth a read
404 Media has a great story about right to repair (or lack thereof) and a Polish train that was remotely disabled after its operator had an independent service provider perform regular maintenance on it. They found some hackers to re-enable their train, and now the train company is threatening to sue them, claiming the train could be unsafe.
If you're fresh out of ideas for what not to get your Luddite friend for the holidays, Brian Merchant has you covered. He polled some great folks in the critical tech world and they came up with some good ideas, though somehow blockchains didn't make the list. Perhaps that was more of a 2022 anti-gift.
That's all for now, folks. Until next time,
– Molly White
References
Notice of supplemental authority filed on December 8, 2023. Document #188 in SEC v. Binance. ↩
Response filed on December 12, 2023. Document #189 in SEC v. Binance. ↩
"Former Security Engineer For International Technology Company Pleads Guilty To Hacking Two Decentralized Cryptocurrency Exchanges", Department of Justice press release. ↩
"Russian citizen pleads guilty to operating Bitzlato crypto exchange used by cybercriminals", The Record. ↩
"SBF Extorted & on "Su*cide Watch" in Jail: Ex Mob Enforcer Gene Borrello protects Sam in MDC", Tiffany Fong. ↩
"SBF's Lawyer Says His Client Was the 'Worst' Ever Under Cross Examination", Bloomberg. ↩
"Three Arrows' Su Zhu Probed in Singapore Court as Liquidators Step Up Hunt for Assets", Bloomberg. ↩
"Montenegro Court Extends Custody Of Crypto Fugitive Do Kwon", Barron's via AFP. ↩
"Gemini creditors revolt over 'brutal' Bitcoin slashing reorg plan", Cointelegraph. ↩
"FTX Bankruptcy Judge Takes Step to Shorten Timeline for Customers' Recoveries", CoinDesk. ↩
"Warner, Rounds, Reed, Romney Introduce Bipartisan Legislation to Enforce Sanctions on Terrorist Organizations Like Hamas", Mark Warner press release. ↩
"Elizabeth Warren Launches 'Anti-Money Laundering Act' to Crack Down on Crypto", The Street. ↩
"The Digital Asset Anti-Money Laundering Act is an opportunistic, unconstitutional assault on cryptocurrency self custody, developers, and node operators", Coin Center. ↩
"CFTC Pushes FTX-Inspired Rule to Protect Customers' Money", CoinDesk. ↩
Tweet by Luke Dashjr ↩
Tweet by Luke Dashjr ↩
CVE-2023-50428 in the National Vulnerability Database. ↩
"'Crypto King' still gambling and jet-setting despite $40M bankruptcy", Protos. ↩