Cryptohack Roundup: $34M MEV Bot Attack, $1.2M BitFlyer Fine
Also: Insider Trading, the IRS Trains Up Ukraine and Proposed Cybersec Regulations
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. In the days between May 5 and 11, a pseudonymous person made $34 million by perpetrating MEV bot attacks, New York DFS penalized bitFlyer for lax cybersecurity compliance, Ishan Wahi was sentenced to serve two years in jail in the Coinbase insider trading case, the IRS said it's training Ukrainian law enforcement on blockchain forensics and the New York AG proposed legislation to boost crypto platform cybersecurity.
MEV Bot Attack
A pseudonymous individual going by "Jaredfromsubway" deployed MEV bots to carry out sandwich and arbitrage attacks, making $34 million in the past three months, an EigenPhi report showed. MEV (maximum extractable value) bots monitor the blockchain for unconfirmed transactions to carry out sandwich attacks, CertiK told ISMG earlier. The attacks "sandwich" a user's transaction by placing one transaction before the original transaction and one after it. This is similar to front running, in which a sophisticated actor sees the initial trade before it can be confirmed and acts to profit from it. MEV bots are also deployed to carry out arbitrage attacks, where the bots take advantage of price differences between exchanges to make money.
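The before-and-after ordering described above can be looked for in a block's swap list after the fact. The following is an added example, not code from EigenPhi, CertiK or ISMG; the `Swap` fields, addresses and pool names are constructed, and matching both legs on a single sender address is a simplifying assumption.

```python
from typing import NamedTuple

class Swap(NamedTuple):
    index: int      # position of the transaction inside the block
    sender: str
    pool: str
    token_in: str
    token_out: str

def find_sandwiches(swaps):
    """Return (front_index, [victim_indexes], back_index) for each suspected sandwich."""
    ordered = sorted(swaps, key=lambda s: s.index)
    hits = []
    for i, front in enumerate(ordered):
        for back in ordered[i + 1:]:
            same_actor = back.sender == front.sender and back.pool == front.pool
            reverses = (back.token_in, back.token_out) == (front.token_out, front.token_in)
            if not (same_actor and reverses):
                continue
            # A victim trades the same pool in the same direction as the front leg,
            # between the two legs, from a different address.
            victims = [s.index for s in ordered
                       if front.index < s.index < back.index
                       and s.pool == front.pool
                       and s.sender != front.sender
                       and (s.token_in, s.token_out) == (front.token_in, front.token_out)]
            if victims:
                hits.append((front.index, victims, back.index))
            break  # pair each front leg only with its nearest reversing trade
    return hits

# Constructed sample block (not real chain data).
SAMPLE_BLOCK = [
    Swap(0, "0xbot",   "WETH/TOKEN", "WETH",  "TOKEN"),  # front leg
    Swap(1, "0xuser1", "WETH/TOKEN", "WETH",  "TOKEN"),  # sandwiched user trade
    Swap(2, "0xbot",   "WETH/TOKEN", "TOKEN", "WETH"),   # back leg
    Swap(3, "0xmm",    "WETH/USDC",  "WETH",  "USDC"),   # round trip, but...
    Swap(4, "0xuser2", "WETH/USDC",  "USDC",  "WETH"),   # ...user trades the other way
    Swap(5, "0xmm",    "WETH/USDC",  "USDC",  "WETH"),
]

if __name__ == "__main__":
    for front, victims, back in find_sandwiches(SAMPLE_BLOCK):
        print(f"suspected sandwich: front tx {front}, victims {victims}, back tx {back}")
```

The heuristic misses bots that split the two legs across addresses and does not measure profit, so a hit is a lead for review rather than proof.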
BitFlyer Fine
The New York State Department of Financial Services on Wednesday levied a $1.2 million penalty on crypto exchange bitFlyer USA for having "multiple deficiencies" in meeting the state's cybersecurity regulations. The regulator said that bitFlyer failed to perform periodic assessments of internal and external cybersecurity risks, relying instead on an IT audit. "Although an IT audit ensures the existence of policies and procedures to protect an organization’s networks and computer systems, it does not provide visibility into the organization’s security risks or how the organization can mitigate those risks and, therefore, is not an acceptable substitute for a comprehensive risk assessment," regulators wrote.
During the investigation, bitFlyer presented a remediation plan designed to bring the exchange into compliance by the end of this year.
Crypto Insider Trading
Former Coinbase product manager Ishan Wahi will serve a two-year prison sentence for sharing confidential insider information with his brother Nikhil Wahi and friend Sameer Ramani to make unauthorized profitable trades of about $1.5 million between June 2021 and April 2022. Wahi previously pleaded guilty to two counts of conspiracy to commit wire fraud and was ordered to forfeit the proceeds from the scam, the Department of Justice said. The case, which marks the first insider trading case involving cryptocurrency, also saw his brother sentenced to 10 months in jail in January on a wire fraud conspiracy conviction. Ramani is at large.
IRS Trains Ukraine Investigators in Blockchain Forensics
The U.S. tax agency's criminal investigation arm is providing blockchain tracing and analysis training to about 70 Ukrainian law enforcement agents, the agency said in a Thursday press call. IRS Criminal Investigation anticipates the training will facilitate information sharing between the two countries in a bid to target financial networks used by sanctioned Russian oligarchs.
The training will help investigators trace the source and flow of blockchain funds when they probe financial crimes, which often involve offshore holdings and anonymous transactions, said IRS-CI Chief Jim Lee.
Proposed Crypto Legislation to Boost Cybersecurity
New York Attorney General Letitia James proposed new legislation, dubbed the Crypto Regulation, Protection, Transparency and Oversight Act, to bolster cybersecurity practices in the industry. Cryptocurrency companies often lack comprehensive oversight to meet consumer obligations, with many crypto brokers and marketplaces losing billions of dollars in consumer funds due to "inadequate cybersecurity measures," James' office said. The proposed legislation would bolster know-your-customer requirements and mandate reimbursement plans in case of "unauthorized asset transfers and transfers resulting from fraud."