Cryptocurrency hacker says stolen $53 million is legally his

By June 18, 2016Ethereum
Click here to view original web page at www.theverge.com

One day after $53 million abruptly disappeared from an experimental cryptocurrency project, a note appearing to be from the attacker has surfaced on PasteBin, claiming that the money drained from the system is now legally his. The attacker withdrew the money by exploiting a contract bug in the code of the DAO (or Decentralized Autonomous Organization), a collective investment fund that uses the Ethereum cryptocurrency. The DAO had raised well over $100 million from Ethereum users at the time of the attack.

"I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether," the note reads. "I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward." The note concludes with an identifying signature and hash, although The Verge was unable to independently verify their authenticity. The attacker's legal name is still unknown.

"I... would like to thank the DAO for this reward."

"I am disappointed by those who are characterizing the use of this intentional feature as ‘theft,’" the note continues. "My law firm has advised me that my action is fully compliant with United States criminal and tort law."

It’s unclear whether this legal reasoning holds up, but it’s not entirely unprecedented. The DAO is structured like a legal contract, and while the attack certainly wasn’t an intended use of that contract, it proceeded according to the contract’s pre-established rules. Cornell cryptographer Emil Gün Sirer wrote yesterday that draining the funds may not even qualify as a hack.

"Had the attacker lost money by mistake," Sirer wrote, "I am sure the devs would have had no difficulty appropriating his funds and saying ‘this is what happens in the brave new world of programmatic money flows.’ When he instead emptied out coins from The DAO, the only consistent response is to call it a job well done."

The attacker’s new legal argument significantly complicates the ongoing efforts to recover the money. The money is stuck in a holding account for the next 26 days as a result of a clause in the DAO contract, and a number of Ethereum leaders have been making efforts to get it back. In particular, miners have proposed a change to the Ethereum code that would make those coins effectively unspendable. If enough of the community accepts the change, it could prevent the money from slipping away.

But in today’s note, the attacker says such a change would amount to theft of his lawfully acquired coins, and threatens legal action against anyone attempting it. "I reserve all rights to take any and all legal action against any accomplices of illegitimate theft, freezing, or seizure of my legitimate ether, and am actively working with my law firm," the note reads. "Those accomplices will be receiving Cease and Desist notices in the mail shortly."

"I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether," the note reads. "I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward." The note concludes with an identifying signature and hash, although The Verge was unable to independently verify their authenticity. The attacker’s legal name is still unknown.

"I… would like to thank the DAO for this reward."

"I am disappointed by those who are characterizing the use of this intentional feature as ‘theft,’" the note continues. "My law firm has advised me that my action is fully compliant with United States criminal and tort law."

It’s unclear whether this legal reasoning holds up, but it’s not entirely unprecedented. The DAO is structured like a legal contract, and while the attack certainly wasn’t an intended use of that contract, it proceeded according to the contract’s pre-established rules. Cornell cryptographer Emil Gün Sirer wrote yesterday that draining the funds may not even qualify as a hack.

"Had the attacker lost money by mistake," Sirer wrote, "I am sure the devs would have had no difficulty appropriating his funds and saying ‘this is what happens in the brave new world of programmatic money flows.’ When he […]

Leave a Reply