Manipulation and fraud in crypto markets tend to mirror traditional market equivalents so closely that I rarely write about them. However, two MIT students were recently indicted for a novel manipulation of Ethereum, which was much more technically demanding than your average rug-pull or pump-and-dump scheme. The students, who are brothers, netted themselves $25 million in the meticulously planned scheme, which, as the United States Department of Justice (DOJ) indictment details, involved creating tailored spoof orders in illiquid cryptocurrencies, attracting bots that attempted to front-run those spoof orders. The students then exploited a flaw in the Ethereum protocol to alter their original spoof order, essentially front-running the front-runners and leaving their victims unable to back out of the illiquid assets.
To understand the scheme, we first need to recognize some of the intricacies of Ethereum-style blockchain models. Unlike traditional markets, Ethereum transactions don’t happen continuously; they happen in batches called blocks. You submit orders to be processed onto what is known as a mempool, and orders are taken from the mempool in approximately 12-second batches (blocks). The tricky bit is that orders in the block aren’t executed in time priority, as would happen in a traditional market; it’s possible to pay additional fees to have your order executed first. These additional fees are known as gas fees and pay for the validators’ costs to execute your transaction. However, they create other problems that are counter to what most people consider a fair market.
The Sandwich Attack
The orders submitted onto the mempool are public, which immediately creates a potential front-running situation. In fact,the behavior is so common it’s known as a “sandwich attack” within the crypto world. In a sandwich attack, the attacker would first be monitoring the mempool for large orders. Then, for example, if the victim submits a large buy order, the attacker will submit a buy and a sell order pair. They pay gas fees so that the attacker’s order will execute before the victims, and the attacker’s sell order after the victim’s order, hence the sandwich. The attacker buying pushes up the price for the victim, and the victim buying at the now higher price creates liquidity for the attacker to be able to cash out higher. Sandwich attacks are typically performed by algos/bots, which scour the mempool for the right orders and programmatically submit the sandwich orders.
What makes this case especially interesting is that the sandwich attack bots were the victims of the fraud.
Exploiting the Front-Runners
In the DOJ case, the two MIT students did their homework — they identified and tracked sandwich attack bots to identifythe types of activity that would cause them to act. Even going so far as to put out test orders. They then crafted transactions (the “Lure Transactions”) to bait the bots to perform a sandwich attack on an illiquid cryptocurrency. Importantly, they timed the Lure Transactions to happen such that the 12-second block of transactions would be executedby a validator, which they themselves had set up.
The bots executed a $25 million sandwich attack, which consisted of orders that were coded to execute under the condition “(a) the Lure Transactions took place immediately after the front run trades; and (b) the sell transactions took place immediately after the Lure Transactions.” The victims didn’t intend to hold the illiquid cryptocurrency but immediately buy and then sell.
The next step is quite technical, though the DOJ indictment has a good explanation; in summary, by having control of the validator, the MIT students were able to exploit a loophole in the Ethereum protocol to modify their Lure Transaction in the 12-second block. They changed the Lure Transaction from a buy order to a sell order. The effect was that the students exchanged their illiquid cryptocurrency, which the DOJ indictment implies is junk and not worth $25 million, for the victim’s liquid and valuable cryptocurrencies that they used in their front-running buy order.
Even worse for the victims, because of the changes, their closing-out sell transaction could not execute, leaving them with an open sandwich and stuck with the “effectively worthless” illiquid cryptocurrency.
The rest of the case is decidedly less smart. Investigators found online searches from the students for “money laundering,” “does the U.S. extradite to [foreign country],” and “money laundering statue [sic] of limitations.”
Implications
Given the historically unregulated nature of crypto, the legality of the sandwich attack has never been tested; it’s also arguable if this meets the stricter legal definition of front-running as the mempool, which contains the victim’s order, is public. Interestingly when referring to the sandwich attack performers in the Ethereum case, the DOJ refers to their activity as “front run trades,” and they were the victims in that instance.
The U.S. DOJ is not shy about prosecuting front-running. The same U.S. attorney who prosecuted the Ethereum case only a week later announced a 70-month prison sentence for an equity trader found guilty of front-running using inside information. It’s worth contrasting the important differences, with the equity case focusing heavily on the fact that insider information was used.
Spoofing trading bots have a longer history than you may think. I previously wrote about a Norwegian case that occurred back in 2007, in which a pair was prosecuted — and then later acquitted — for manipulating the behavior of a market maker algorithm. It’s quite amazing to contrast the simplicity of that early case against the complexity of the Ethereum one.
The Ethereum exploit itself, the crux of the case, reminds us how dependent we are on technology and that those risks exist across decentralized finance and traditional financial infrastructure. All architectures, no matter how modern, have potential points of weakness, and it is our ability to react to them effectively that creates a resilient ecosystem.
On a final note, I’d like to remind readers that the implementation timeline for MiCA steadily moves forward, with ESMA issuing its third and final consultation package for review earlier this year. MiCA is broken into seven titles, which cover various aspects of crypto-asset regulation and authorization. Those titles will be implemented in phases, with Titles III (Asset-reference tokens) and IV (E-money tokens) effective in June 2024 and the remaining titles in December 2024. We give an overview of the MiCA timeline, consultations, and titles here.
Regulatory Updates
22 May: The Securities and Exchange Board of India (SEBI) introduced guidelines to manage stock price impact from market rumors, including the concept of an unaffected price to mitigate artificial fluctuations, applicable to the top 100 listed entities from June 1, 2024, and the next 150 entities from December 2024. Listed companies must verify and respond to market rumors upon significant price movements, considering the unaffected price for transactions under SEBI or stock exchange pricing norms if a rumor is confirmed within 24 hours of triggering material price changes.
22 May: The U.S. House of Representatives passed the “Financial Innovation and Technology for the 21st Century Act”(FIT21), a landmark bill providing regulatory clarity and consumer protections to foster digital asset innovation in the U.S. The bipartisan support for FIT21 signifies a major step towards establishing a regulatory framework that safeguards consumers and investors while positioning the U.S. as a leader in blockchain technology and digital assets.
21 May: The European Council approved the first Artificial Intelligence Act, employing a risk-based approach to regulate AI systems based on potential societal harm. The law aims to promote safe and trustworthy AI development within the EU while prohibiting certain high-risk practices like cognitive manipulation and social scoring.
16 May: The Swedish Financial Supervisory Authority (FSA)published a report on retails trading in crypto certificates, concluding that more than half of the 200,000 Swedes who traded crypto certificates in the last six years have lost money on their investments.
16 May: The U.S. Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P to modernize rules governing the treatment of consumers’ personal information by financial institutions, aiming to address technological advancements and associated risks since the rule’s inception in 2000. The amendments require covered institutions to establish incident response programs to detect, respond to, and recover from unauthorized access to customer information, with a mandate to notify affected individuals within 30 days of becoming aware of a security breach, promoting investor protection and privacy.
13 May: The state of Oklahoma signed into law a bill protecting crypto-related rights. Under the new law, the Oklahoma state government cannot prohibit, restrict, or impair the use of crypto in purchases or the self-custody of crypto; thus, state and local governments cannot impose additional taxes or other charges targeted at crypto. The bill comes into effect on November 1, 2024.
9 May: The Governing Council of the Bank of Canada released its 2024 Financial Stability Report, an annual assessment of the stability of the Canadian financial system. The 2024 report reveals that while Canada’s financial system remains resilient, risks persist due to challenges in debt serviceability and stretched asset valuations, emphasizing the need for proactive planning and monitoring given the system’s high interconnectedness.
9 May: The U.S. Senate and House of Representatives in Congress voted for a resolution to disown an SEC rule regarding the management of digital assets by cryptocurrency custodians.
7 May: The Norwegian Financial Supervisory Authority (FSA) published its annual risk and vulnerability analysis (ROS) report.
2 May: The U.S. Commodity Futures Trading Commission’s (CFTC) Technology Advisory Committee (TAC) released a Report on Responsible AI in Financial Markets, which facilitates an understanding of the impact and implications of the evolution of AI on financial markets.
1 May: The CFTC designated its first Chief Artificial Intelligence Officer, who will lead the development of the agency’s data and artificial intelligence strategy to enhance oversight, surveillance, and enforcement in derivatives markets.
1 May: The Securities and Exchange Board of India (SEBI) approved amendments to Mutual Funds Regulations requiring asset management companies (AMCs) to establish an “institutional mechanism” to identify and prevent potential market abuse like front-running and fraudulent transactions in securities. Additionally, AMCs must implement a whistle-blower process to enhance transparency within the industry.
29 April: The Danish Financial Supervisory Authority (FSA) published a report on its supervisory efforts in 2023. In 2023, the Danish FSA focused on sustainability information in investment products, the development of stress tests for insurance and pensions, debt recovery and IT inspections at systemically important banks. In total, the FSA made 147 inspections, 692 supervisory responses and 260 cases of insider trading and market manipulation. The report is in Danish only.
Enforcement Actions
A U.S. District Judge of the Southern District of New York sentenced an individual to 70 months in prison for engaging in a multi-year insider trading scheme resulting in tens of millions of dollars in profits after pleading guilty to one count of securities fraud. The individual orchestrated front-running trades over a thousand times between 2016 and December 2022, utilizing insider information from their employment to generate illicit gains, employing tactics like burner phones and deception to conceal their activities.
SEBI fined 19 entities with fines totaling Rs 11.90 crore for engaging in a pump and dump scheme of shares in Superior Finlease Ltd., barring them from the securities market for up to five years. The scheme orchestrated by the entities involved manipulating share prices through connected entities, exploiting unsuspecting investors, resulting in inflated prices and decreased liquidity, prompting SEBI to direct disgorgement of unlawful gains along with penalties and interest.
The Shanghai Stock Exchange investigated Nanjing Chemical Fibre’s shares due to abnormal price swings, with concerns of potential market manipulation after a social media post predicted the price drop. Despite the company reporting normal operations, the regulator suspects irrational speculation amidst efforts by China’s securities regulator to combat market misbehavior like manipulation and insider trading to rebuild stock market confidence.
The U.K. Financial Conduct Authority (FCA) charged “finfluencers” for operating an unauthorized investment scheme and issuing unauthorized financial promotions through an Instagram account, offering advice on buying and selling high-risk investment products known as contracts for difference (CFDs). The FCA also alleges that payments were made to individuals to promote the Instagram account to their extensive follower bases.
The U.K. FCA fined Citigroup Global Markets Limited (CGML) after failures in the firm’s systems and controls led to the accidental sale of $1.4 billion worth of equities in European markets due to an inputting error by a trader, resulting in regulatory penalties totaling £27,766,200.
The U.K. Prudential Regulation Authority (PRA) fined CGML £33,880,000 for failings in its trading systems and controls between April 2018 and May 2022. The fine was reduced by 30% due to CGML’s agreement to resolve the matter, with the PRA emphasizing the importance of effective risk management in trading operations and the need for prompt remediation of identified issues.
The FCA fined a former CEO of Shard Capital Partners and banned him for providing inaccurate information about clients’ cash holdings, jeopardizing market stability and investor interests. The individual misled auditors and clients by misrepresenting cash balances held by Shard, leading to misstated annual accounts.
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) fined Binance Holdings Limited $6,002,000 for non-compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Binance failed to register as a foreign money services business with FINTRAC and did not report large virtual currency transactions of $10,000 or more as required by regulations.
The Australian Securities & Investments Commission (ASIC) fined J.P. Morgan Securities Australia Limited (JPMSAL) $775,000 for allowing suspicious client orders on the futures market, ASX 24, potentially creating misleading appearances in the Eastern Australia Wheat futures market.
The Dubai Financial Services Authority (DFSA) fined Sarwa Digital Wealth Limited for making a public offer ofshares without an approved prospectus. The DFSA imposed a financial penalty of $191,100 on Sarwa DIFC, reduced from $390,000 following mitigation and settlement discounts, due to the company immediately halting the share sale upon advice from the DFSA and coordinating with the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM).
The Federal Court of Australia found BPS Financial Pty Ltd (BPS) engaged in unlicensed conduct by offering the ‘Qoin Wallet’ using a crypto-asset token called ‘Qoin.’ ASIC determined that BPS contravened the Corporations Act since January 2020 by not holding an Australian Financial Services License. This is ASIC’s first court win regarding a non-cash payment facility involving crypto assets.
A federal jury in New York convicted an investor of all five conspiracy and securities fraud charges, potentially leading to a maximum prison sentence of 25 years. The investor, who had been on the board of directors of Digital World Acquisition Corp. at the time when it was negotiating plans to merge with Trump Media, was found guilty of providing confidential information that facilitated illegal trading profits of approximately $22 million for others, with his personal share amounting to around $50,000.
The Financial Industry Regulatory Authority (FINRA) settled charges with SoFi Securities due to inadequate user verification processes in its cash management brokerage business, leading to the illicit transfer of $8.6 million from other financial institution accounts through 800 opened accounts. Sofi Securities has agreed to a $1.1 million monetary penalty.
The Hong Kong Securities and Futures Commission (SFC) initiated criminal proceedings against Segantii Capital Management Limited, its director, and a former trader for insider dealing in a company’s shares listed on the Stock Exchange of Hong Kong prior to a block trade in June 2017.
The H.K. SFC sentenced two former licensees to three months of imprisonment following their convictions for false trading in the shares of Forebase International Holdings Limited (Forebase). In sentencing, the licensees played importantroles in the false trading of Forebase shares in their capacities as licensed brokers. The offense created a false or misleading appearance of active trading in Forebase shares.
The SEC charged a Pennsylvania resident with insider trading for using material nonpublic information about Dick’s Sporting Goods Inc. to make illegal profits exceeding $800,000 by trading in the company’s securities. The resident exploited his relationship with a Dick’s employee who had access to confidential financial information, disregarding the employee’s warnings not to trade on the information.
The CFTC settled charges against Falcon Labs, Ltd., an unregistered futures commission merchant (FCM) from Seychelles, for providing unauthorized access to digital asset exchanges for U.S. persons. Falcon Labs must stop acting as an unregistered FCM, pay a $1,179,008 disgorgement, and a reduced civil monetary penalty of $589,504 due to their cooperation with the CFTC.
The SEC issued a Wells Notice to the retail trading platform Robinhood Markets, a formal notification from the SEC that it intends to take legal action against a company or individual, giving the recipient the opportunity to respond before any legal proceedings begin. This notice signals an escalation in regulatory oversight of Robinhood’s cryptographic operations, which could culminate in a legal case.
The SEC filed insider trading charges against three individuals who collectively made about $70,000 from trading Zogenix stock ahead of its acquisition announcement. They settled by agreeing to pay over $170,000 in disgorgement, interest, and penalties without admitting or denying the allegations.
The U.S. Attorney’s Office, District of Massachusetts, sentenced a California businessman for engaging in a fraudulent scheme to profit from the sale of penny-stock shares, resulting in a forfeiture of $6.12 million after pleading guilty to securities fraud in January 2024. His actions between October 2020 and July 2021 involved manipulating the market with unrestricted free-trading shares of Oncology Pharma, Inc., leading to illicit profits transferred through entities controlled by him and a co-defendant.
Featured Content
Practical Guide Markets in Crypto Assets (MiCA) Regulation
The Markets in Crypto Assets (MiCA) regulation offers regulation and legal certainty for all crypto assets in the EU. Learn what alerts and behaviors to focus on for each category of market abuse.
2023 Cryptocurrency Regulation Guide
The cryptocurrency market has seen significant growth in global market capitalization, but it remains volatile. Read Nasdaq’s comprehensive and updated guide to learn about all the major policies that govern the regulation of crypto assets.
TECH TUESDAY: Integrating Gen AI in Surveillance
Tony Sio, Head of Regulatory Strategy and Innovation, Nasdaq Financial Technology, and delves into Nasdaq’s recent announcement of Gen AI features within the Market Surveillance technology solution to enhance the quality, speed, and efficiency of investigations into suspected market abuse and market manipulation.
Latest articles
This data feed is not available at this time.
Data is currently not available