
Indexed Finance hacker now says he’s a whitehat

Andean Medjedovic is on the run in connection with a $15 million hack in Canada that is testing the code-is-law argument.

Andean Medjedovic has been living life as a fugitive for more than a year now, but he says it hasn’t been too difficult moving around – through Europe, South America, and now, to an island that he declines to name.

“Soon, I’ll find a place to make a nice base for myself. Moving around all the time is exhausting.”

Medjedovic has been on the run from Canadian authorities since December 2021, when a judge in Ontario issued an arrest warrant after he didn’t show up for a court appearance. In a zig-zagging Telegram conversation with DL News, he made a surprising announcement: He’s working for the good guys now.

“It’s a more sustainable mode of being,” he said of making the switch from so-called blackhat hacking – breaking into computers with malicious intent – to what’s called whitehat work.

Vulnerabilities in code

He says one can find him these days on the leaderboards of Immunefi, a platform where users spot vulnerabilities in code to prevent hacker attacks. It’s a surprising turn for Medjedovic, who admitted to exploiting some $15 million from the DeFi protocol Indexed Finance in October 2021, according to court papers. Medjedovic allegedly exploited Indexed’s code while operating under the username UmbralUpsilon.

But Medjedovic is an unusual character, a gifted programmer and maths whiz who also revels in making misogynistic and racist comments. He deflected attempts to ask him about the exploit.

In exchanges with victims, he used the “code is law” defence, a popular adage in DeFi that means any trades within the parameters of a smart contract’s code are lawful.


A Canadian judge was not convinced. Medjedovic was summoned to court after Indexed, along with Cicada 137 LLC, a Delaware-based company representing victims of the exploit, filed lawsuits against him.


An Ontario Superior Court justice issued an order to freeze the missing tokens, and a civil search-and-seizure order that allowed authorities to search Medjedovic’s home for passwords and other evidence.

Law firm DLA Piper later wrote that the judge’s orders demonstrated that “the Ontario Superior Court of Justice had no qualms with taking a practical approach to providing relief in respect of digital assets.” In Ontario, at least, it seems that code is not quite law.

Aftermath of an exploit

Medjedovic graduated high school in Waterloo, Canada, at just 14 years old. He finished an undergraduate degree at the University of Waterloo at 17, and according to Bloomberg he completed a master’s degree at the same school in just one year, a feat that not even fellow alumnus and former billionaire Vitalik Buterin has been able to pull off.

In the aftermath of the exploit, he was defiant. Indexed founders Laurence Day and Dillon Kellar identified Medjedovic by linking the UmbralUpsilon username, the exploiter’s wallet, and Medjedovic’s email. They pleaded with him to return the funds.

Medjedovic mocked them, writing on Twitter: “You were out-traded. There is nothing you can do about that... Such is crypto.”


Classmates told Bloomberg in 2022 that Medjedovic was self-confident to the point of arrogance, and that he flirted with extreme ideas. Those traits were evident in his conversation with DL News.

Medjedovic repeatedly steered the conversation towards his social views: He disparaged women and made numerous racist comments. Medjedovic also suggested that he should be the one to “turn off” leftism, which he called the “voice of the end times.” He even ridiculed short people. He clearly relishes being outrageous, being a troll.

But when questioned about a photo of himself with non-white people he called his friends, Medjedovic toned it down: “It’s important to judge people as individuals.”

His sudden change of heart and conversion to whitehat hacking is ironic, given that Immunefi itself, in a July 2022 blog post, specifically told Medjedovic that the “code is law” argument is no defence for blackhat hacking.

Whitehat bounties

Mitchell Amador, CEO of Immunefi, said the post was published because “code is law” is often misinterpreted to mean both that it’s morally okay to drain a contract of funds by taking advantage of an unintentional bug in the code, and that authorities can’t, or won’t, do anything about it.

“Both of these beliefs are false, and incorrect beliefs can cause serious harm to misguided individuals and to projects that get exploited,” he told DL News in an email.

Amador said it’s unclear whether Medjedovic uses the Immunefi platform – the company does not require users to verify their identities. And projects themselves pay the whitehat bounties.


Amador argued, however, that whitehat hackers have valid reasons to be cautious about disclosing their identities, and encouraged blackhats to return to the light.

“We applaud anyone who wants to turn over a new leaf and start engaging in the right way,” he said. “This doesn’t make potential legal or criminal issues from past behaviour go away. But many hackers in the past have followed a blackhat-to-whitehat trajectory and had tremendously productive and positive careers.”

Whitehat rewards are generally lower than what a blackhat would make with an actual exploit. But the work, at least, is legal.

Higher returns

This seemed to be a factor in Medjedovic’s decision, although his explanation again veered off-topic. Whitehat work has higher returns in terms of risk/reward, he said, before dropping an anti-Semitic theory regarding the likelihood of his prosecution in the US.

Medjedovic’s future plans, apart from destroying leftism, also include earning “some multiple of nine figs” in crypto within the next two years.

“Just gotta find the right token and press the ‘long with leverage’ button, should be easy enough,” he said. “Once I get that settled, I can start working on projects that actually interest me.”

Clandestine cloning

These projects include joining a secret sect that undertakes clandestine cloning, and reinventing cloning technology himself “if need be.”

At a third hearing in January 2022, Justice Fred Myers urged Medjedovic to turn himself in, noting that, “litigation is not a fine wine that improves with age.” He called on Medjedovic to participate in his trial if he wants to advance the position of “code is law,” promised a fair process, and lamented that Medjedovic was wasting what appeared to be a bright future.

Pressed by DL News on what lies ahead for him, he answered with a sexist insult.
