
Original source: Coinage
Compiled by: Rhythm
In just 18 minutes on March 13, 2023, a hacker stole nearly $200 million worth of cryptocurrency from Euler Finance, a popular lending platform, in the largest theft of the year. Just three weeks later, he reversed the transaction and returned all the stolen assets.
For the first time since the theft, the hacker came forward to recount the incident and claimed that he had no intention of keeping the funds in the first place.
Coinage spoke with the man claiming to be the hacker, a young Argentinian named Federico Jaime, a claim that is supported by other significant evidence. This is his story.

Image source: Instagram @federicojaimeok
On a cool March night in Rome, around 3 a.m., Federico stood outside a bar, waiting for friends and talking to God. The 19-year-old Argentinian had been looking for something over the past month, but he hadn't found it yet. He wanted to know why.
"Gosh, if all my projects are completed within a month, why not this one?" he thought, looking up at the sky. "Why did you hear me before but not now?" It would still be several hours before he could return to the hotel.
When he finally got home, he couldn't sleep, as usual. So, he decided to go to work.
Federico's prayers were answered almost immediately, perhaps prophetically. He discovered what he'd been looking for: a vulnerability in the code of a cryptocurrency lending program. He immediately set out to exploit his discovery.
“When I work, I work like an artist, like a writer,” Federico later told me over the phone in English, his second language. "Lack of sleep is a good thing in order to awaken the muse."
Federico couldn't sleep for the next two days. When he finally woke up in a hospital bed in Italy, he was $200 million richer but felt like a curse was stamped on his back.

The cryptocurrency world relies on transparency. Every transaction — sending money to a friend, buying an NFT, taking out a loan — is public, and the transaction is irreversible. Applications running on the blockchain (called smart contracts) are also public; anyone can inspect the code for themselves.
As interest in cryptocurrencies has surged over the past few years, so has an entire industry of decentralized finance applications that allow cryptocurrency investors to exchange tokens, obtain loans, make leveraged bets on price movements and earn interest. There are currently approximately $45 billion in cryptocurrencies committed to DeFi protocols; in the fall of 2021, this number exceeded $175 billion, roughly equivalent to the entire deposit amount held by Morgan Stanley.
DeFi provides cryptocurrency enthusiasts with exciting financial innovations that align with the rapid development and loose regulation of the cryptocurrency space. If you want to borrow $200 million without collateral or speculate on “meme” cryptocurrencies like DOGE and PEPE, DeFi is the only option.
Hackers, meanwhile, view DeFi as a collection of digital bank vaults, each with a public blueprint (the code is open source), effectively an invitation for someone to try to pull off a heist. According to cryptocurrency research firm Chainalysis, DeFi protocols have become the main target of cryptocurrency hackers, who stole $2.2 billion from DeFi in 2021 and $3.1 billion in 2022, accounting for 80% of the total cryptocurrency stolen that year.
The most successful cryptocurrency hacker to date is the Lazarus Group, and of the $1.7 billion stolen by Lazarus in 2022, $1.1 billion came from DeFi vulnerabilities.
Faced with endless attacks, DeFi protocols have responded by recruiting security firms to audit smart contracts, monitor threats, and even lure white hat hackers (hackers who flag vulnerabilities for rewards, as opposed to black hat hackers, who exploit vulnerabilities for themselves). Even DeFi protocols that are rigorously vetted and take every precaution can still fall victim to a powerful hacker, and that attacker is sometimes just a 19-year-old kid with God on his side.

All of this could have been prevented with a single line of code.
Back at the hotel, as the sun rose over Rome, Federico began looking into a DeFi lending protocol called Euler Finance, developed by London startup Euler Labs. Euler allows its users to withdraw up to ten times the value of their deposited collateral; invest $10,000 and you can trade as if it were $100,000. But cryptocurrencies are volatile, and users’ deposits may not be enough to ensure redemption of their collateral if the price moves wrong. This is why every time a user interacts with Euler, the platform checks the health of their account and triggers automatic liquidation if the health score is too low.
But Federico saw something that wasn't there: a missing health check for a single function in a single Euler smart contract. In just a few hours of research, Federico discovered what Euler’s team and several independent smart contract auditors had missed.
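The missing check described above can be reproduced in a toy model. This is an added example, not Euler's contract code or anything from the original article: the class and function names (including `forfeit`) and the amounts are hypothetical, only the ten-times leverage figure comes from the text, and `audit` runs every state-changing operation against a fully leveraged account to report any that leaves it unhealthy without reverting.

```python
MAX_LEVERAGE = 10  # the article's "up to ten times" figure


class Unhealthy(Exception):
    """Reverts an operation that would leave the account under-collateralised."""


class Account:
    def __init__(self):
        self.collateral = 0  # total position value
        self.debt = 0        # borrowed part of that position

    def healthy(self):
        # The position may be at most MAX_LEVERAGE times the owner's own equity.
        return self.collateral <= MAX_LEVERAGE * (self.collateral - self.debt)


class VulnerableMarket:
    """Toy lending market; every name here is hypothetical."""

    def __init__(self):
        self.account = Account()

    def _apply(self, d_collateral, d_debt, check=True):
        acct = self.account
        before = (acct.collateral, acct.debt)
        acct.collateral += d_collateral
        acct.debt += d_debt
        if check and not acct.healthy():
            acct.collateral, acct.debt = before  # roll back, like a revert
            raise Unhealthy()

    def deposit(self, amount):
        self._apply(amount, 0)

    def leverage(self, amount):
        self._apply(amount, amount)  # borrow and add to the position

    def withdraw(self, amount):
        self._apply(-amount, 0)

    def forfeit(self, amount):
        # Gives collateral away; the health check is missing on this one path.
        self._apply(-amount, 0, check=False)


class FixedMarket(VulnerableMarket):
    def forfeit(self, amount):
        self._apply(-amount, 0)  # the one missing check, restored


MUTATORS = ("deposit", "leverage", "withdraw", "forfeit")


def audit(market_cls, amount=1_000):
    """Return the mutators that leave a maxed-out account unhealthy without reverting."""
    flagged = []
    for name in MUTATORS:
        market = market_cls()
        market.deposit(10_000)
        market.leverage(90_000)  # $10,000 trading as if it were $100,000
        try:
            getattr(market, name)(amount)
        except Unhealthy:
            pass  # a revert is the correct outcome
        if not market.account.healthy():
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(audit(VulnerableMarket), audit(FixedMarket))
```

Running the same audit over every public state-changing function, rather than reviewing each one by hand, is what turns "one function forgot the check" into a failing test.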
"It's just divine inspiration. It's just awakening my muse," Federico said. "Literally, after a month of searching for what I was looking for... I found it."
Federico began planning his attack. On March 13, after two days of sleepless programming, he was almost ready to execute. The only problem was: he had no idea how to deploy the smart contract or how much it would cost.
"I was searching on Google, how much does it cost to deploy a smart contract? And I found... articles saying anywhere from $5,000 to $50,000," Federico said, his voice rising in response to the disbelief he felt. "WTF"
But Federico kept going and eventually learned that actual contract deployment costs were much lower. At this point, a few days after he last slept, Federico told me that he wasn't thinking about money at all. "I think it's an experiment. Just an experiment," he explained. "I'm not sure it's going to work... I'm not sure I can deploy a smart contract. I have more doubts than certainty."
"So I really underestimated the vulnerability and myself because it ended up working," he added.
On the morning of March 13, 2023, at 9:54 am Italian time, Federico sat in front of the computer. In the span of 18 minutes, the three wallets he used to launch the attack on Euler Finance stole $197 million worth of cryptocurrency from the protocol. The funds all ended up in a wallet—a virtual duffel bag filled with piles of hundred-dollar bills.
"First of all, I thought, this is so exciting. I cracked a huge deal, and then I thought, wow, $200 million. This is a curse on my back."
Still unable to sleep, Federico asked the hotel concierge to call an ambulance.

The first to notice anomalies were bots; several crypto security companies provide real-time threat monitoring and alerts for DeFi projects. In the case of the Euler hack, at least two security companies, Forta and Hypernative, were alerted before the attack began.
Unfortunately for Euler Labs, which declined to comment for this article, the automated alert was sent out only minutes before the attack began, leaving the London-based startup too little time to secure the protocol. (“The time we predict an attack usually ranges from one minute to an hour,” says Alex Behrens, Forta’s marketing manager.)
At 8:59 a.m. on Monday, March 11, UK time, blockchain security company PeckShield posted on social media "Hi @eulerfinance: You might want to take a look" and linked to a page showing that the wallet had attacked Euler's DAI stablecoin supply, with more than $8.7 million in funds stolen.
Then, everyone watched as Euler was hit again and again. The hacker stole $18.5 million in WBTC, then $116 million in stETH... Ultimately, the hacker made a profit of $197 million, and Euler's entire 6-token reserve was wiped out.
"We are aware that our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it," Euler said on social media at 9:56 a.m., citing PeckShield.
Because this is cryptocurrency, everyone can see the funds in the hacker's wallet. By looking at the wallet's transactions, security experts were able to reverse engineer the attack and ultimately discover the single vulnerability that led to the theft. But again because this is cryptocurrency, Euler's team has no way of linking the wallet to a real-life identity or understanding the hacker's intentions.
The hacker's final act on March 13 was to send 100 ETH (worth $168,000 at the time) via Tornado Cash, a "mixing" protocol on Ethereum that makes funds harder to trace. Then the wallet address went silent.
At 10:47 that night, the Euler team sent a message to the hacker wallet saying: "We understand that you are responsible for the attack on the Euler platform this morning. We are writing to see if you are willing to discuss any possible next steps with us." This tentative communication marked the beginning of a difficult three weeks for the Euler team.
At 9:22 pm the next day, Euler's team sent another message to the hacker's wallet, asking him to return 90% of the stolen funds within 24 hours, which would allow the hacker to keep a de facto $20 million bug bounty. Otherwise, Euler would offer a $1 million reward to anyone with information about the hack.
The hacker didn't respond.
At 11:20 a.m. on March 15, the Euler team sent another message to the hacker wallet, reiterating its previous bug bounty offer. "The investigation can then be stopped and the focus can turn to distributing it back to protocol users without having to go through legal channels," Euler's team wrote.
At 10:06 that night, after the hacker's continued silence, Euler's team announced a $1 million reward for information leading to the hacker's arrest and the recovery of the funds. The next day, Euler co-founder and CEO Dr. Michael Bentley shared his response to the attack, calling the previous few days the most difficult of his life and expressing his grief for the affected users.
"I had to sacrifice time with my newborn son," Bentley wrote on Twitter. "I will never forgive the attackers, but they can correct their mistakes and return the funds to the EulerDAO Treasury as soon as possible."

Federico Jaime claims he never intended to keep the money. “I knew from the beginning that $200 million was not a small number and would cause huge damage to the DeFi community, which was not my goal at all.”
We all wonder, if only for a moment, has Federico ever thought about what $200 million could buy, imagined himself living in a mansion? On a yacht?
"Never, not at all, because I'm an entrepreneur. I can make money legally, perfectly, I don't need to steal, I have no reason to take other people's money."
For most people, such comments would elicit an eye roll at best. After all, the crypto community is not known for its humility. But I’ve seen pictures of Federico traveling around Europe, staying in five-star hotels, and wearing designer streetwear. In our conversations over the phone and the occasional text message, I asked Federico, who turns 20 in June, how he maintains his lifestyle.
Federico grew up in Buenos Aires with his parents and younger sister. Inspired by his father, a software engineer, he learned to program at age 12 and sold his first program, a plug-in for the video game Minecraft, for $10,000 at age 14. "It means freedom because I no longer have to ask my parents for money and they applaud me."
When he grew up, Federico moved on to a new game, Grand Theft Auto V, and he developed an anti-cheat system for a custom multiplayer server run by die-hard fans of the game. "I found a memory read bug. I saw we could make money from it," Federico said, adding that the software FiveGuard is now owned by someone else. "It's special because when you get into a game server with some kind of unfair advantage, you're immediately banned."
Federico originally planned to go to law school in Argentina, but after graduating in 2020 and dealing with the COVID-19 pandemic (with many local restrictions and long quarantine periods in Buenos Aires), Federico decided, with his parents’ permission, to take a long vacation before starting college.
Federico traveled to Rome in early October last year. In December, he allegedly targeted Buenbit, a cryptocurrency trading platform operating in Argentina, Mexico and Peru, and stole hundreds of thousands of dollars. Buenbit CEO Federico Ogue characterized the attack as a fraud. News reports citing police sources put the damage from the attack at $800,000, but Federico denied that figure.
Federico would not comment on the specifics of the case, and while he acknowledged that he was targeting Buenbit, he similarly claimed that many of the finer details in media reports were either misleading or outright fabricated. The 20-year-old maintains his innocence in the case, noting that he and his lawyers are in contact with Buenbit's team and that he hopes the matter will be resolved soon.
And, just a few months later, Federico had new concerns, this time $200 million.

Euler Finance had as many as 7,000 users at the time of the attack. Two days later, on March 15, one of the victims decided to send a message to the hacker’s wallet (Federico’s wallet).
"Please consider returning 90%, 80%. I am a user who only has 78 wstETH and deposited my life savings in Euler. I am not a whale or a millionaire," wrote the user, whom DL News confirmed to be an Argentinian blockchain developer named Santiago Avalos. "You can't imagine the chaos I'm in now, completely devastated... Your decision will come as a huge relief to the many people affected."
Avalos’ life savings of 78 wstETH was worth over $140,000 at the time. Thirteen hours after Avalos sent the message, Federico responded, but not via text message. Instead, in his first move since the hack three days earlier, Federico sent 100 ETH to Avalos, roughly $27,000 more than the value the victim lost in the Euler crash. Avalos transferred the extra funds back to Euler, saying, "I believe he might have been impressed by my show."
"It was a heartfelt move," Federico said of his motivation for returning the funds. "I was being generous. Plus, I later found out that this guy... was also Argentinian and a Solidity developer," he added. "This is indeed a very interesting coincidence."
Federico was not yet done moving funds. In two transfers via Tornado Cash he sent himself a cumulative 1,100 ETH, bringing his earnings to nearly $2 million. When I asked him why, Federico told me: "I didn't think much of it. I thought if they gave me 10 percent of the bounty, it would be too much for me. I would try to take 1 percent of it."
His next move is by far the most confusing. On March 17, just before 5 a.m., Federico sent another 100 ETH, this time to a notorious wallet that had carried out one of the largest cryptocurrency hacks in history a year earlier, stealing over $600 million from Ronin Bridge. Just a month later, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) officially linked the Ronin Bridge breach to North Korea’s Lazarus Group.
Yet when I asked him about it, his explanation shocked me. "I had no idea this was North Korea. I never doubted it," he began. "The reason I sent 100 ETH to the Ronin exploiter was purely out of admiration... I guess, from white hat hackers to black hat hackers, I wanted to express my admiration."
I was stunned, and Federico could see it too. "I know you didn't expect me to say that, but it's true," he replied. "I think this is the most important area in the world today, and the Ronin hack was an act of engineering. In that sense, it's admirable... Devils can be beautiful women."
The next day, Federico began returning the funds, initially in three tranches of 1,000 ETH each, totaling about $5.4 million at the time. Then his wallet went dormant again. Analysts at the time expressed doubts that Euler would be able to recoup the remaining funds.
But two days later, on March 20, Federico sent his first message to the Euler team: "We want to make it easy for everyone affected. No intention of keeping things that don't belong to us. Set up secure communications. Let's make a deal."
Federico admitted the message came a bit late: "I was trying to decide whether it was a good idea to keep the $20 million in my own hands... because that's what Euler offered me," he said. "I was definitely unprepared, inexperienced, and new... I didn't sleep for days, weeks, but ultimately, I knew I had to return it, and I knew I didn't want to do any damage to Euler's user base."
Still, Federico took his time returning the funds. At around 3pm on March 25, 81,953 ETH (approximately $143 million) appeared for the first time. Then on the 27th, $10 million in DAI followed. At 3 a.m. on the 28th, Federico publicly apologized and said: "I messed up. I didn't want to, but I disrupted other people's money, other people's work, other people's lives... Please forgive me." However, some funds were still under his control at the time.
Finally, on April 3, the Euler team excitedly announced that after the hacker’s last few transactions, all “recoverable funds” had been returned. Euler also officially revoked the $1 million bounty on Federico's head. Federico breathed a sigh of relief that it was over.
Then, two and a half months later, Federico’s wallet became active again, sending messages to itself. The first, on June 17, contained just two words: "Ben yre" - Buenos Aires. Seventeen minutes later, another message was sent to the wallet, also in Spanish, in which the sender claimed to be an Argentinian, a Peronist, and a white hat hacker. The message's advice to other hackers: "Don't be stupid, don't steal, earn the bounty."
At the end of the message, the wallet links to an Instagram account – @federicojaimeok. I sent him a private message. We started talking on Instagram, where Federico's stories are archived from September 2022, and then we talked via Telegram. During our conversation, everything this man told me matched what I had learned about Federico from other sources. Federico also provided me with the phone number of his father, who confirmed his identity and relationship to Federico, and provided me with other evidence consistent with what Federico told me.
Federico told me that he decided to show up not for his own benefit, but for the benefit of the DeFi community. "I want to encourage ethical hacking, that's the main reason, and I want to be able to be a voice and tell people to do the right thing."
Federico also hopes that Euler’s strategy for negotiating with attackers will set a precedent for the rest of DeFi to follow. He said: “I’m sure the hacking scene in decentralized finance will be different after the Euler hack. I think it showed the world the importance of auditing, and the importance of negotiation after a hack."
However, not everyone in the cryptocurrency space is enthusiastic about bug bounties and hack negotiations becoming the norm. Erin Plante, VP of Investigations at Chainalysis, said: "Most DeFi hackers do not start from legitimate vulnerabilities. Getting paid $100,000 or $500,000 in bounties, but often asking for 50% or more of the total stolen funds as commission, is more like extortion."
Plante also noted that as law enforcement agencies get better at tracking illegal cryptocurrencies, it becomes harder for hackers to cash out their winnings. "In this context, coupled with the collective decline in bounties across the industry, the incentives for hackers to do this work will hopefully change," she said.
Federico has repeatedly insisted to me that his plan from the beginning was to return the funds. So why did it take him three weeks?
"I want to have time to protect myself and find ways to be safe, legally and otherwise," he said.
Of course, some of Federico's claims cannot be verified. Federico told me that the design and execution of the protocol was entirely his job ("I did it all myself"), although he would occasionally get advice from a colleague, such as a list of DeFi protocols to look into (this reads more like masking the involvement of others, since there is no way to determine who wrote the code from the on-chain data we have).
We will also never know whether Federico would have kept the money if he had planned the attack better. He admitted to me that he regretted not thinking of the consequences, but said it was just to do the right thing. "I just didn't plan enough and the amount was too big for me to handle," he said.
Federico told me he regretted the pain he had caused Euler's team. "When I saw Michael Bentley's tweet saying he had to sacrifice time with his family, it broke my heart," he said. When I asked him if he was concerned about the impact of the attack in the future, he dismissed that concern. "I believe that, legally speaking, the Euler team will not pursue the case later because this will prevent future hackers from returning the funds."
Euler Finance started compensating victims of the attack on April 12, much to the delight (and almost disbelief) of the victims. The impact of the vulnerability has spread to 11 other DeFi protocols. One of them (Yield Protocol) did not resume until June 27th. Euler Finance has been crippled since the hack.
Federico, who is still in Europe, describes his personal situation as "complicated" but says he hopes to return to Buenos Aires soon to continue his studies. "Ever since the Euler hack, my life has not been easy, and it has left me stressed."
I asked Federico if he thought God, seemingly in answer to his prayers, was teaching him a lesson. "I think he's either playing games with me or (testing) me," he responded.
Federico hasn't made up his mind yet.
(The above content is excerpted and reprinted with the authorization of partner MarsBit. Source: Rhythm)
This article, "19-year-old Euler hacker: It took only 18 minutes to steal $200 million, and he returned it all after 3 weeks of hesitation", first appeared on Blockchain.
