Canadian national Andean Medjedovic has been accused of committing the $48-million exploit on DeFi protocol KyberSwap.
Federal prosecutors in the United States have filed charges against Andean Medjedovic, the hacker behind the $65-million hacks of two decentralized finance (DeFi) protocols.
On Feb. 3, the Department of Justice (DOJ) unsealed an indictment, charging Medjedovic on multiple counts, including wire fraud, computer hacking and attempted extortion for stealing $65 million from KyberSwap and Indexed Finance DeFi protocols.
The DOJ alleges that he used “deceptive trades” to exploit the protocols and offered a “sham settlement proposal” to KyberSwap after the fact. It also alleges that he tried to launder the ill-gotten tokens through an unnamed crypto-mixing service.
The announcement notes that Medjedovic is currently at large. The hacker is already wanted in Canada, where in 2021, he reportedly failed to appear at a court summons regarding the Indexed Finance hack. But who is he?
Medjedovic math wiz at Vitalik Buterin’s alma mater
Medjedovic was reportedly a precocious student, graduating high school at the age of 14 in Waterloo, Canada, before going on to pursue a math degree at one of Canada’s top math schools, the University of Waterloo. (Ethereum co-founder Vitalik Buterin was also a student there but dropped out.)
Medjedovic finished his undergraduate degree in mathematics in just three years at the age of 17 and immediately went on to pursue his master’s degree. In just one year, he had already presented his thesis and was reportedly in the process of applying for PhD programs.
Waterloo professor of mathematics David Jao told Bloomberg in 2022, “I can’t think of any other student in my time here who has gotten that degree that early.”
During his studies, Medjedovic also developed his coding skills. He is said to have regularly participated in Code4rena, a hacking competition in which he won two prizes for finding security flaws in company systems.
He also took an interest in DeFi, particularly automated market makers (AMMs). Medjedovic told Bloomberg:
“Whenever I would hear of a new type of DeFi product, I would take a close look at how it operates and throw some money into it if I came up with a good idea.”
Medjedovic reportedly had problems socially, condescending to students he deemed less intelligent and displaying self-confidence “to the point of arrogance,” per an anonymous classmate.
He also dabbled in eugenics and racist and anti-Semitic political theories. According to DL News, which spoke to Medjedovic in 2023, he still “relishes” such statements. “He disparaged women and made numerous racist comments.”
Racist epithets would also appear in his 2022 hack of Indexed Finance.
The troll who stole from Indexed Finance
In October 2021, Medjedovic allegedly employed “manipulative trading to exploit two Indexed Finance liquidity pools on the Ethereum network,” according to the DOJ. He reportedly used millions of dollars in borrowed tokens to distort the platform’s smart contract reindexing process by which it added new tokens to liquidity pools.
Per Bloomberg, Medjedovic noticed a “mispricing opportunity” in the code after reading about Indexed Finance on a forum and saw that there was a way to get around limits on trades in the pool.
“At first, I didn’t believe it,” Medjedovic told Bloomberg. However, after running the calculations a few times and seeing that the hack was possible, he reportedly spent the next few months writing a script to execute it.
The full technical details of how Medjedovic exploited the protocol are available in a court filing. In the end, he was able to get away with $16.5 million in investor tokens from the liquidity pools.
True to form, the crypto address Medjedovic used during the hack included the figure “1488” — a Neo-Nazi shorthand — and his code was peppered with various instances of racial slurs, according to Bloomberg.
He reportedly claimed that Indexed Finance was “out-traded” and that “code is law,” but Canadian Superior Court Justice Fred Myers disagreed. The judge issued an order to freeze tokens, along with a civil search-and-seizure warrant that would allow authorities to search Medjedovic’s belongings and residence.
Medjedovic skipped his court hearing on Dec. 21, 2021. “It appears that the young defendant has gone into hiding,” Myers told the Waterloo Region Record in January 2022. “This strikes me as the worst outcome for everyone involved.”
According to DL News, Medjedovic hopped around Europe and South America before ending up on an island he declined to name as of March 2023.
All the while, Medjedovic began looking for ways to “cash out,” including using a cryptocurrency mixer and cryptocurrency exchange accounts opened with fake Know Your Customer credentials.
Next up was KyberSwap.
Demands for complete control over KyberSwap
The identity of the $46-million KyberSwap hacker was unknown until the DOJ unsealed its indictment on Feb. 3, alleging that Medjedovic was to blame.
According to the document, Medjedovic used hundreds of millions of dollars in borrowed crypto to create artificial prices in the liquidity pools. Then he exploited KyberSwap’s AMMs — his aforementioned point of interest in DeFi — by calculating the precise number of tokens he would need for them to “glitch,” allowing him to get away with nearly $49 million in investor crypto.
He further allegedly attempted to extort the developers of the protocol — claiming he would return the stolen funds in exchange for complete control of critical aspects of the protocol, including:
- The company
- Temporary full authority and ownership of its governance mechanism, KyberDAO
- All documents related to the company
- All of the Kyber company’s assets.
According to the DOJ, Medjedovic tried to launder the funds through a mixer as well as by transferring them through several bridge protocols. One bridge protocol caught on and froze his transactions.
Prosecutors alleged that Medjedovic agreed to pay an undercover agent, who was posing as a software developer, $80,000 “to circumvent the bridge protocol’s restrictions and release approximately $500,000 in stolen cryptocurrency.”
With Medjedovic still on the lam, it could be a while before he actually faces his first day in court, if at all. But as noted in the DOJ statement, US authorities are cooperating with international counterparts, including the Netherlands’ Public Prosecution Service and the Dutch National Police’s Cybercrime Unit in The Hague.
This article first appeared at Cointelegraph.com News