He stole $200 million. He gave it back. Now, he’s ready to explain why
In a Coinage exclusive, the hacker behind 2023's biggest crypto heist explains himself
By: Zack Abrams, Edited by Zack Guzman
June 30, 2023
In a matter of 18 minutes, on March 13, 2023, a hacker drained nearly $200 million worth of cryptocurrency from a popular lending platform in the largest heist of the year. Just three weeks later, he reversed the transactions to return everything he stole.
For the first time since the hack, the man at the helm of the operation has come forward to explain his side of the events — and claims he never intended to keep the money at all.
Coinage has spoken with the man who says he’s the hacker, a young Argentine by the name of Federico Jaime — a claim supported by other significant evidence. This is his story.
On a cool March night in Rome, around 3 a.m., Federico Jaime was standing outside a bar, waiting for a friend, and talking to God. The 19-year-old Argentinian had spent the past month searching for something, but he hadn’t found it yet. He wanted to know why.
“God, if all of my projects had [been] complete within a month, why [not] this time?” he thought to himself, looking up at the sky. “Why have you heard me before, but not now?” He wouldn’t get back to his hotel for another few hours.
When he finally made it home, sleep eluded him, as it often does. And so, he decided to work.
Almost immediately, perhaps prophetically, Federico’s prayer was answered. He found what he had been looking for: A vulnerability in the code of a cryptocurrency lending program. He immediately set to work on taking advantage of his discovery.
“When I work, I work like an artist, like a writer,” Federico would later tell me by phone in English, his second language. “For the muse to be awakened, being lacking in sleep is good.”
Federico wouldn’t sleep for the next two days. When he finally woke up, in an Italian hospital bed, he was $200 million richer — and felt like a curse had been branded on his back.
Now, three months after the hack, the hacker who says he's "Federico Jaime" is coming forward publicly for the first time to explain why he took the money and why, exactly 23 days later, he would give it all back.
The world of crypto runs on transparency. Every transaction — sending money to a friend, buying an NFT, taking out a loan — is public, and transactions are irreversible. The applications that run on blockchains, known as smart contracts, are similarly public; anyone can examine the code for themselves.
As interest in crypto has exploded over the past few years, an entire industry of decentralized finance applications (“DeFi protocols,” to those in the space) has sprung up along with it, allowing crypto investors to swap tokens, take out loans, make levered bets on price movements, and earn interest. Around $45 billion in cryptocurrency is currently pledged to DeFi protocols; in Fall 2021, that figure surpassed $175 billion, or about as much as Morgan Stanley holds in deposits.
DeFi offers crypto fans exciting financial innovations befitting the breakneck pace and lax regulation of the crypto space. If you want to borrow $200 million with no collateral, or speculate on “meme” cryptocurrencies like Dogecoin and Pepecoin, DeFi is the only place to do it.
Hackers, meanwhile, see DeFi as a wide array of digital bank vaults, each with a public blueprint, practically inviting someone to try their hand at a heist. According to crypto research firm Chainalysis, DeFi protocols have become the primary target of crypto hackers, who stole $2.2 billion from DeFi in 2021 and $3.1 billion in 2022, representing over 80% of all stolen crypto that year.
The most successful crypto hacker, by far, is the Lazarus Group, known to experts as North Korea’s incredibly efficient state-sanctioned hacking operation. Of the $1.7 billion Lazarus stole in 2022, $1.1 billion came from DeFi exploits. U.S. officials claim that half of the roughly $3 billion Lazarus has stolen thus far has gone directly into funding North Korea’s ballistic missile program.
Given an unending onslaught of attacks, DeFi protocols have responded by enlisting security firms to audit smart contracts, monitor threats, and even entice white-hat hackers (the kind that flag vulnerabilities to earn rewards, as opposed to black-hat hackers who leverage those vulnerabilities to steal for themselves). Yet sometimes, even well-audited DeFi protocols taking every precaution can still fall victim to a robust hacking operation. Sometimes, though, all it takes is one 19-year-old kid with God on his side.
It all could’ve been prevented by a single line of code.
Back at his hotel, as the sun rose above Rome, Federico began investigating a DeFi lending protocol called Euler Finance, developed by London-based startup Euler Labs. Euler let its users take out loans of up to ten times the value of the collateral they deposited; put in $10,000 and you can trade like it’s $100,000. But crypto is volatile, and if prices move the wrong way, your deposit might not be enough to secure your loan. That’s why, every time a user interacts with Euler, the platform checks the health of their account, triggering an automatic liquidation if that health score falls too low.
But Federico saw something that wasn’t there: a single function in a single Euler smart contract was missing that health check. In just a few hours of research, Federico had uncovered what the Euler team — and several independent smart contract auditors — had missed.
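The missing-check pattern described above, as an added Python sketch that is not Euler's code and not part of the original article: every state-changing method runs a health check after it executes except one, and an audit helper flags the method that lacks it. The `Pool` class, the `give_up_collateral` method and the simplified ten-times rule are assumptions made for illustration.

```python
# Toy model for illustration: names and numbers are assumptions, not Euler's code.
from collections import defaultdict
from decimal import Decimal
from functools import wraps

MAX_LEVERAGE = Decimal(10)  # the article's "up to ten times" figure


class Unhealthy(Exception):
    """Raised when an operation would leave an account under-collateralised."""


def health_checked(method):
    """Run the method, then undo it and raise if the account ends up unhealthy."""
    @wraps(method)
    def wrapper(self, user, amount):
        before = self.collateral.copy(), self.debt.copy()
        method(self, user, Decimal(amount))
        if not self.is_healthy(user):
            self.collateral, self.debt = before  # roll back, like a reverted tx
            raise Unhealthy(f"{method.__name__} leaves {user} unhealthy")
    wrapper.health_checked = True  # marker the audit helper looks for
    return wrapper


class Pool:
    def __init__(self):
        self.collateral, self.debt = defaultdict(Decimal), defaultdict(Decimal)

    def is_healthy(self, user):
        return self.debt[user] <= MAX_LEVERAGE * self.collateral[user]

    @health_checked
    def deposit(self, user, amount):
        self.collateral[user] += amount

    @health_checked
    def borrow(self, user, amount):
        self.debt[user] += amount

    # Hypothetical state-changing function whose author forgot the check.
    def give_up_collateral(self, user, amount):
        self.collateral[user] -= Decimal(amount)


class FixedPool(Pool):
    @health_checked  # the single missing line
    def give_up_collateral(self, user, amount):
        self.collateral[user] -= amount


def unchecked_mutators(cls, read_only=("is_healthy",)):
    """Audit helper: public methods that can change state without the check."""
    public = [n for n in dir(cls) if not n.startswith("_") and n not in read_only]
    return sorted(n for n in public
                  if not getattr(getattr(cls, n), "health_checked", False))


def demo(pool_cls):
    """Deposit 10, borrow the 100 limit, then try to shed 5 of collateral."""
    pool = pool_cls()
    pool.deposit("alice", 10)
    pool.borrow("alice", 100)
    try:
        pool.give_up_collateral("alice", 5)
        return "accepted", pool.is_healthy("alice")
    except Unhealthy:
        return "rejected", pool.is_healthy("alice")
```

Running `unchecked_mutators` over every contract class in a test suite turns "did anyone forget the check?" into a failing test instead of a question for the auditors.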
“It was nothing but divine inspiration. It was nothing but the muse awakened for me,” Federico said. “After one month, exactly, of searching for what I was looking for…I found it.”
Federico began sculpting his attack. On March 13, following two sleepless days of programming, he was nearly ready to execute. The only problem: He didn’t know how to deploy a smart contract, or how much it would cost.
“I Googled, ‘What is the cost of deploying a smart contract?’ and I found…articles saying ‘from $5,000 to $50,000,’” Federico said, his voice rising to echo the disbelief he had felt. “Fuck you!”
But Federico pushed forward, eventually learning that his contract would cost far less to deploy. At this point, days after he last slept, Federico told me he wasn’t thinking about the money at all. “I [thought] of it as an experiment. Nothing but an experiment,” he explained. “I was not sure it was going to work...I was not sure I could deploy the smart contract. I had more doubts than certainties.”
“And so I truly underestimated the exploit and myself, because in the end it worked,” he added.
At 9:54 a.m. Italian time, on the morning of March 13th, 2023, Federico sat in front of his computer. Over the course of 18 minutes, the three wallets he used to launch his attack on Euler Finance drained $197 million worth of crypto from the protocol. The funds eventually all settled in one wallet — a virtual duffle bag filled with stacks of hundred-dollar bills.
“Firstly, I thought, ‘This is so exciting. I hacked a huge protocol,’” he said. “Then I thought, ‘Wow, $200 million. This is a curse on my back.’”
Federico, still unable to sleep, had the hotel concierge call an ambulance.
The first ones to notice something amiss were robots. Some crypto security firms offer real-time threat monitoring and alerts for DeFi projects. In the case of the Euler hack, at least two security firms, Forta and Hypernative, were alerted to the attack before it began.
Unfortunately for Euler Labs, which declined to comment for this article, the automated alerts fired only minutes before the attack began, leaving far too little time for the London-based startup to secure the protocol. (“It’s usually between a minute and an hour…when we predict attacks,” said Alex Behrens, Forta’s Marketing Manager.)
At 8:59 a.m. UK time on Monday, March 11, the blockchain security company PeckShield tweeted at Euler, saying simply: “Hi @eulerfinance: you may want to take a look,” and linking to a page which showed that a wallet had attacked Euler’s supply of DAI stablecoins, making off with over $8.7 million in profit.
Then, everyone watched the blockchain as Euler was hit again and again. The hacker made off with $18.5 million in Wrapped Bitcoin, then $116 million in Staked Ether, then came back three more times. In the end, the hacker’s profits amounted to $197 million, while Euler’s entire reserves of six tokens were left barren.
At 9:56 a.m. Euler quote-tweeted PeckShield’s initial message: “We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it.”
Because this is crypto, everybody could see the funds sitting in the hacker’s wallet. By looking through that wallet’s transactions, security experts were able to reverse-engineer the attack, eventually discovering the single vulnerability that had enabled the theft. But because this is crypto, Euler’s team had no way of connecting that wallet to a real person, and no way of knowing the hacker’s intentions.
The hacker’s final act on March 13 was to send 100 ETH ($168,000 at the time) through Tornado Cash, a protocol on Ethereum that “mixes” transactions, making funds harder to trace. Then, the wallet fell silent.
At 10:47 p.m. that night, the Euler team sent a message to the hacker’s wallet: “We understand that you are responsible for this morning's attack on the Euler platform. We are writing to see whether you would be open to speaking with us about any potential next steps.” It would mark the start of three grueling weeks for the Euler team.
The next day, at 9:22 p.m., the Euler team sent another message to the hacker’s wallet, proposing a 24-hour deadline to return 90% of the stolen funds — letting the hacker keep a de facto bug bounty of $20 million. Otherwise, Euler would offer a $1 million reward to anyone with information leading to the hacker’s arrest.
The hacker didn’t respond.
On March 15, at 11:20 a.m., the Euler team followed up again with another message to the hacker’s wallet, reiterating the prior bug bounty offer. “Then investigations can be halted, and the focus here can turn to distribution of that back to protocol users, without needing to go the legal route,” the Euler team wrote.
At 10:06 p.m. that night, following continued silence from the hacker, the Euler team announced a $1 million reward for information that led to the hacker’s arrest and recovery of the funds. The next day, Euler’s co-founder and CEO, Dr. Michael Bentley, shared his response to the attack, calling the prior few days the hardest in his life and expressing his devastation towards the affected users.
“I've had to sacrifice time with my newborn son,” Bentley tweeted. “I'll never forgive the attacker for that, but they can put things right and return funds to the EulerDAO Treasury ASAP.”
Federico Jaime claims he never had any intention of keeping the money. “I knew from the first moment $200 million is not a small number,” he told me. “It would cause big damage to the DeFi community and that was not my goal at all.”
I wondered if — even if just for a moment — the thought ever set in about what $200 million could buy. Did Federico picture himself living in a mansion? On a yacht?
“Not at all,” he replied. “Not at all, because you know why? Because I am an entrepreneur. I can make money legally, perfectly. I do not need to steal. I have no reason to take others' money.”
Coming from most people, a comment like that might attract an eye roll at best. After all, to put it mildly, the crypto community isn't exactly known for its humility. But I had seen pictures of Federico traveling around Europe, staying at five-star hotels, and wearing designer streetwear. In our conversations, which occurred over the phone and occasionally in text messages, I asked Federico, who turned 20 in June, how he was financing his lifestyle.
Federico grew up in Buenos Aires with his parents and sister. He learned to code at age 12, inspired by his software engineer father, and at age 14, sold his first program — a plugin for the video game Minecraft — for $10,000. “It meant freedom, since I no longer had to ask my parents for money,” Federico told me. “They applauded me.”
When he got older, Federico moved on to a new game, Grand Theft Auto V. He developed an anti-cheat system for the custom multiplayer servers that die-hard fans of the game ran. “I had found a memory-read bug. I saw that we could profit from it,” Federico said, adding that the software, FiveGuard, is now owned by other people. “It was very special because the moment you entered a game server with some kind of unfair advantage, you were immediately banned. No delay.”
Federico had planned on going to law school in Argentina, but after graduating in 2020 and dealing with COVID (“In Buenos Aires there were many restrictions…and a long, long quarantine”) he said he decided, with the approval of his parents, to take time off before going to university.
By early October last year, Federico had traveled to Rome. In December, while he was still in Italy, he allegedly targeted the cryptocurrency exchange Buenbit, which operates in Argentina, Mexico, and Peru, making off with hundreds of thousands of dollars. Buenbit’s CEO, Federico Ogue, characterized the attack as fraud. News reports, citing police sources, pegged the value of the attack at $800,000, though both Federicos — Jaime and Ogue — have denied that number. Ogue did not respond to requests for comment.
Federico was reluctant to comment on the details of the case, admitting that he targeted Buenbit but alleging that many of the more fabulous details in media reports are either misleading or outright fabrications. The 20-year-old maintains his innocence in the case, noting that he and his lawyer are in contact with Buenbit’s team and that he hopes to have the matter resolved soon.
Besides, only a few months later, Federico would have new concerns. Two hundred million of them.
Euler Finance had as many as 7,000 users at the time of the attack. On March 15, two days after, one of the victims decided to send the hacker’s wallet — Federico’s wallet — a message.
“Please consider returning 90%/80%. I'm just a user that only had 78 wstETH as my life savings deposited into Euler, I'm not whale or millionaire,” the user, identified by DL News as an Argentinian blockchain developer named Santiago Avalos, wrote. “You can't imagine the mess I'm into right now, completely destroyed…you'll bring back joy to a lot of affected people.”
Avalos’s life savings of 78 wstETH were worth over $140,000 at the time. Thirteen hours after Avalos sent the message, Federico responded, though not by text. Instead, in his first action since the hack three days before, Federico sent Avalos 100 ETH, worth around $27K more than his victim had lost in Euler’s collapse. Avalos transferred the excess funds back to Euler, telling DL News, “I believe he was probably moved by my message.”
“That was an act of my heart,” Federico said of his motivation for returning the funds. “I was generous at the time. Also, I was very surprised to know that afterwards it was discovered that this guy…was also an Argentine, and was a Solidity developer,” he added. “It was a very interesting coincidence, truly.”
Federico wasn’t done moving funds. Adding to the 100 ETH he had already sent himself through Tornado Cash, he sent 1,000 more, bringing his haul to nearly $2 million. When I asked him why, Federico told me, “I did not give it much thought. I thought, if they offer me a 10% bounty, that is too much for me. I will just try to take 1% of it all.”
His next action was by far the most baffling. On March 17, just before 5 a.m., Federico again sent 100 ETH, this time to a notorious wallet — the one which had performed one of the largest crypto hacks in history a year prior, stealing over $600 million from the Ronin Bridge, which helped power the popular NFT game Axie Infinity. Just a month later, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) officially tied the Ronin Bridge exploit back to North Korea’s Lazarus Group.
Yet when I asked him about it, his explanation shocked me. “I did not know it was North Korea at all. I never suspected it,” he began. “The reason I sent 100 ETH to the Ronin exploiter was pure admiration…I thought, from white-hat hacker to black-hat hacker, I want to show my admiration.”
I was stunned, and he could tell. “I know you did not expect me to say this, but it is the truth,” he replied. “I think engineering is the most important…field in today's world. The Ronin hack was an act of engineering. And in this sense, it was admirable…The devil can also be a beautiful woman.”
The next day, Federico began to return the money, starting with three installments of 1,000 ETH each, totaling about $5.4 million at the time. Then, his wallet fell dormant again. Analysts expressed skepticism that Euler would ever be able to recover the rest of the funds.
But two days later, on March 20, Federico sent his first message to Euler’s team: “We want to make this easy on all those affected. No intention of keeping what is not ours. Setting up secure communication. Let us come to an agreement.”
Federico acknowledged that this message was “kind of late.” “I was trying to decide if it was a good idea to keep 20 million dollars in my own hands…because it’s what they offered to me,” he said. “I was truly unprepared, inexperienced, and new…I didn't sleep for days, for weeks, but in the end, I knew I had to return the money,” he went on. “I knew I wanted no damage to be done to the user base of Euler.”
Still, Federico took his time returning the funds. First came 81,953 ETH (about $143 million) around 3 p.m. on March 25th. Then $10 million in DAI followed on the 27th. On the 28th, at 3 a.m. his time, Federico penned a public apology, saying, “I fucked up. I didn't want to, but I messed with others' money, others' jobs, others' lives…Forgive me.” Yet, some funds remained in his control.
Finally, on April 3rd, the Euler team excitedly announced that all “recoverable funds” had been returned following the final few transactions from the hacker. Euler also formally revoked the $1 million bounty on Federico’s head. The return of the funds marked one of the most successful recoveries in DeFi history. Federico was just relieved it was over.
Then, two and a half months later, Federico’s wallet became active again, sending messages to itself. The first one, on June 17, was just two words: “Bùen Áyre” — Buenos Aires. Seventeen minutes later, the wallet sent another message, also in Spanish, declaring himself to be an Argentine, a Peronist, and a white-hat hacker. The message's advice to other hackers: “Don't be fools, don't steal, do bounties.”
At the end of the message, the wallet linked to an Instagram account—@federicojaimeok. I sent him a DM. We started talking on Instagram, which had archived stories of Federico dating back to September 2022, and then through Telegram. Over the course of our conversations, everything this person told me matched with information I had learned about Federico Jaime from other sources. Federico also gave me his father's number, who confirmed his own identity and relationship to Federico, and gave me other information that matched what Federico had told me.
Federico told me he decided to go public not for his own benefit, but for the benefit of the DeFi community. “I wanted to encourage ethical hacking, that’s the main reason,” he said. “I wanted to have a voice to be able to tell the people to do the right thing.”
Federico also hopes that Euler’s tactic of negotiating with their attacker will set a precedent for the rest of DeFi to follow. “I am convinced the scene of hacking in decentralized finance is just not the same after the Euler hack,” he said. “I think this shows the world the importance, not only of auditing, but of the post-hack [negotiations].”
Not everyone in crypto is gung-ho about bug bounties and hacker negotiation becoming the norm, though. “Most DeFi hackers are not after $100,000 or $500,000 payouts from legitimate bug bounties, but frequently ask upward of 50% or more of the gross amount of stolen funds as commission,” said Erin Plante, a Certified Ethical Hacker and the VP of Investigations at Chainalysis. “This is more like extortion.”
Plante also pointed out that as law enforcement agencies have gotten better at tracking illicit crypto, it’s harder for hackers to cash out their winnings. “Between this, and the industry collectively declining bounties, the incentives for hackers to do this work will hopefully become obsolete,” she said.
Federico repeatedly insisted to me that his plan, from the beginning, was to return the funds. So why did it take him three weeks?
“I wanted to have time to protect myself, to find a way to my safety legally and in other ways,” he said.
Of course, some of Federico’s claims are impossible to verify. Federico told me the design and execution of the protocol was solely his work (“I did it all myself,”) though he got occasional advice — like the list of DeFi protocols to look into — from an associate (“It was more of an advisor than a collaborator.”) He could be covering up someone else’s involvement, though, as there’s no way to determine who wrote the code from the on-chain data we have.
We’ll also never know if Federico would’ve kept the money had he planned the attack better. He acknowledged to me that he regretted not thinking through the aftermath, but only, he said, in the interest of doing the correct thing. “I simply did not plan enough, and the amount was too large for me to handle,” he said.
Federico told me he regrets the pain he caused the Euler team. “My heart was broken when I saw the tweet of Michael Bentley saying that he had to sacrifice time with his family,” he said. When I asked whether he was worried about future repercussions from the attack, he brushed off the concern. “I am convinced, legally, the Euler team will not push against me,” he said. “It will discourage future hackers to return funds, simply because of that.”
Euler Finance began to reimburse the victims of the attack starting on April 12, to the delight (and near-disbelief) of the victims. The wake of contagion from the exploit had spread to 11 other DeFi protocols. One of them (Yield Protocol) took until June 27 to recover. Euler Finance has been down since the hack, but recently, the Euler team has begun to tease version 2 of the protocol.
Federico is still in Europe — he described his personal situation as “complicated” — but said he hopes to return to his studies in Buenos Aires soon. “Since the Euler hack, my life is not so easy,” he told me. “It left me a trail of stress.”
I asked Federico if he thought God, who seemingly answered his prayer, was teaching him a lesson. “I think he either was playing games with me or he was [testing] me,” he replied.
Federico still hasn’t made up his mind.