On February 22, 2023, French authorities arrested two brothers, aged 18 and 20, on suspicions of orchestrating the cyberattack on Platypus Finance. On February 16, 2023, the cryptocurrency management platform declared a theft of 9 million USD in cryptocurrency.
The eldest is thought to be behind the cyberattack. He is being investigated for “unlawful breach of an automated data processing system”, fraud and money laundering. His younger brother has only been charged with possession of stolen goods.
The hackers targeted Platypus Finance’s system of flash loans, i.e. instant crypto loans offered by most cryptocurrency platforms. Flash loans grant considerable sums to users, who must pay them back after a few minutes. This method allows them to make bold financial moves, without directly committing money.
A flash loan attack exploits a software vulnerability to embezzle those borrowed funds. The young hacker is thus believed to have breached Platypus Finance’s system to activate emergency withdrawals.
Upon questioning by detectives with the French central office for combating cybercrime (OCLCTIC), he claimed to be an ethical hacker. He stated he was only trying to check if the vulnerability could be exploited, in order to report it to Platypus Finance.
According to Christophe Durand, Deputy Director of OCLCTIC, the amateur hacker made programming mistakes. The bulk of the stolen funds, to the tune of 9 million dollars, thus slipped through his fingers. These funds were blocked in smart contracts, and seized by French courts.
Platypus Finance managed to recover two million dollars, and the pair of hackers only got away with 270,000 dollars. Authorities found a Ledger key belonging to them, containing 210,000 dollars in crypto assets. The two suspects will be tried by the Paris criminal court, at a date to be determined.