Federal authorities in the United States have indicted a Canadian national for orchestrating sophisticated attacks on two decentralized finance (DeFi) platforms, KyberSwap and Indexed Finance, resulting in the theft of millions in cryptocurrency.
Andean Medjedovic, a mathematics graduate from the University of Waterloo, is facing charges of wire fraud, computer hacking, attempted extortion, and money laundering, according to the U.S. Department of Justice’s announcement on February 3.
Medjedovic is accused of manipulating smart contracts on both platforms, exploiting vulnerabilities in their automated systems to trick them into miscalculating key values. This led to the theft of $48.8 million from KyberSwap in 2023 and $16.5 million from Indexed Finance in 2021.
The indictment details how Medjedovic used deceptive trading strategies to withdraw investor funds at artificially inflated prices, leaving victims with worthless assets. Prosecutors further claim that he meticulously planned the KyberSwap attack, creating files labeled with terms like “KYBER_KILL” and “templateexploit” to keep track of the exploit. His attack was carefully timed to coincide with off-peak hours, when investors in the U.S. and Europe would be asleep.
Medjedovic’s post-attack actions included attempts to extort KyberSwap’s developers, investors, and decentralized autonomous organization (DAO) members. He demanded control of the protocol in exchange for returning 50% of the stolen funds.
In his efforts to cover his tracks, Medjedovic allegedly used crypto mixers and blockchain bridges to launder the stolen funds, routing them through multiple networks to hide their origins. He also opened accounts on crypto exchanges using fake identities to liquidate his holdings without triggering alarms. When one transaction was blocked by a bridge protocol, Medjedovic reportedly attempted to bribe an undercover law enforcement agent, offering $85,000 to bypass restrictions and release $500,000 worth of frozen assets.
If convicted on all charges, Medjedovic faces up to 20 years in prison for wire fraud, attempted extortion, and money laundering, and up to 10 years for unauthorized damage to a protected computer. He remains at large, with law enforcement agencies, including the Dutch National Police Cybercrime Unit, continuing their pursuit.
In response to the hack, KyberSwap announced on December 20, 2023, that it would launch a treasury program to compensate users affected by the attack.
