Hacked - Mission Critical
Episode Date: August 1, 2023
Jordan interviews TechCrunch Senior Writer Lorenzo Franceschi-Bicchierai about a new chapter in crypto in the US; the first criminal charges for hacking a decentralized crypto exchange. Which is maybe... the least interesting thing about the story these charges tell.
Transcript
Someone a couple of years ago compared the smart contract with the mission critical code.
He was telling me that you could actually compare it to like the code that's used in an F-35
or to launch a satellite in space.
It's code that you really have to get right.
I have read the charges against Shikib Ahmed a few times now.
And I think I almost entirely understand it.
Without getting too into the weeds, and there's a lot of
weed. The story is set exclusively in weeds. Here's the basics. According to the U.S.
Department of Justice, in July 2022, Shakeeb hacks a decentralized cryptocurrency exchange.
The 15-page sealed indictment unpacks how, but the gist, and I'm going to stop saying
allegedly now because these are all allegations, is that he found a way to imitate the equivalent
of an admin account that he then used to fraudulently manipulate the fees that a user got paid
for lending the exchange money. He then borrowed a ton of crypto from somewhere else,
briefly loans it to the exchange, gets paid out millions in these fraudulently inflated fees
before returning the loan and walking away with the money. He allegedly does this 21 times
extracting 9 million U.S. dollars in fraudulent fees from the exchange.
In the days following the hack, the government then alleges Shikib does two things.
First, he Googles. All of the stuff you would Google if you had just done a big cyber money crime heist.
In a section of the sealed indictment named Ahmed's post-attack internet history, it outlines these searches.
They include:
centralized finance hack FBI, DeFi hack prosecution, evidence laundering, wire fraud,
how to prove malicious intent, can I cross border with crypto, buying citizenship, how to stop
federal government from seizing assets. It is by no means illegal to search any of these things,
but I do get why if you are trying to make the case that this person is guilty, you would include
the fact he had Googled them. Lastly, they alleged
that Shakeeb sends an email.
A very important email.
An email that kind of changes what kind of crime this ultimately is.
Because up until now, it's theft.
But with this email, to the exchange he had allegedly stolen from,
it kind of becomes something else.
A negotiation or a ransom.
It might be extortion.
I'm not totally sure,
but we're going to get to that.
I called up friend of the show Lorenzo Franceschi-Bicchierai
over at TechCrunch, who has been reporting at length on this story
to help me try and make sense of it.
Scott's away this week, so this episode is my conversation with Lorenzo.
The last thing you need to know for all of this to make sense
has to do with smart contracts.
These decentralized crypto exchanges, basically all of them,
operate using something called smart contracts.
Instead of the software that governs the exchange being stored on a server, it's stored on the blockchain.
The very software that rules these exchanges is public and generally immutable, which sounds great until something goes wrong.
Like, say, a hacker finds a bug.
And now you're trying to fix a thing inside of a thing that wasn't really built to be fixed.
The safety of that money depends on code that is completely open source.
It is public.
And as you say, in many cases it's immutable because the developers don't even realize the risks.
So here's my chat with Lorenzo about the charges against Shakeeb Ahmed.
What happens when someone finds a vulnerability in a system that is supposed to be beyond anyone's control?
And whether giving back most of what you stole changes the fact that you did
steal it, on this episode of Hacked.
Thanks for sitting down with me, Lorenzo. It's good to have you back.
Thanks for having me.
So you've been covering the story since the U.S. Department of Justice
announced this arrest. And I want to start with the person at the heart of all this.
Who is Shakeeb Ahmed? What do we need to know about him for this story to make sense?
Yeah, so Shakeeb Ahmed is, or was, we should probably say, someone who
worked in cybersecurity. He worked at a couple of small companies, small cybersecurity companies,
Optiv and Red Balloon. Red Balloon in particular is a startup here in New York. Then he worked
for Amazon, I think Amazon, AWS in particular as a security engineer. He had all the necessary
skills to do a hack, to, you know, perform cyber attack and steal money, which is what he is accused of.
And, you know, just to start, if I forget to say alleged, you know, we should assume that everything I say about Ahmed is alleged based on what the feds are accusing him of.
So in short, he was a cybersecurity engineer and he had specific knowledge about how to exploit systems, how to exploit smart contracts and things like that.
At least that's what the feds say. To be honest, from his LinkedIn, it's not clear
that he specifically had knowledge about smart contracts and cryptocurrency,
but a lot of the skills that you have as a cybersecurity researcher, engineer,
translate relatively well to smart contracts.
At the end of the day, it's all code that you find bugs in,
that you find flaws in,
and you figure out how to exploit those flaws.
Yeah, I want to talk a little bit more about the difference
between exploiting smart contracts and more traditional server-side kind of software.
But as you said, importantly, these are just charges.
They haven't been proven in court.
But broadly speaking, what is the Department of Justice alleging he did?
10,000 foot view.
Yeah, so the DOJ is simply accusing Ahmed of stealing around $9 million in crypto
from a cryptocurrency exchange, which the DOJ doesn't name,
but because of the dates of the attack and the description of the exchange
and the money stolen, it's clear that it was a cryptocurrency,
Crema, like a company from abroad that operates a cryptocurrency exchange, which, you know,
it's basically like what Coinbase or Gemini, Binance, all these companies provide, essentially
a platform to exchange money for crypto or some crypto for some other kind of crypto and
things like that.
And the DOJ says that he exploited this platform in July of last year.
And he then proceeded to try to launder the money.
He also was in touch with the cryptocurrency exchange.
There was a little negotiation going on.
And he agreed to return almost all of the money.
He kept like only $1.5 million in crypto.
He also agreed to tell them about the flaws that he allegedly exploited in, you know, in an attempt to
presumably in an attempt to be like,
okay, I'm a good guy, I'm going to help you
fix these flaws so nobody else
exploits them.
Yeah, I want to talk a little bit about
the timeline of the negotiation that took place there
because I think it's pretty important
to whether this was a black hat, white hat, gray hat type thing.
But before we get to that,
I want to dig a little bit more
into how this hack worked.
I read, I think it's a 15-page sealed indictment,
the middle of like third of it really digs into
of that hack. The rest of it's pretty readable. I think I read that middle section, four or five times,
just trying to like grok how this hack actually worked. You've got fees for contributing to a
liquidity pool. You've got these tick accounts. You've got flash loans. It's a lot. Can you help
me make a little bit of sense of what are they accusing he actually did? How did this hack allegedly
actually work?
Yeah, so it's a little complicated. And to be honest, I am also not sure
about all the details and all those like sort of buzzwords that are common in crypto but are
really not common outside of crypto. But my understanding is that essentially Ahmed allegedly
found flaws in the exchange's smart contract and he tricked the smart contract into believing
that he was providing more liquidity, meaning more crypto to the liquidity pool. And when people
contribute crypto or liquidity to this pool, they get some fees,
they get some sort of like reward for contributing to the liquidity pool.
So he essentially tricked the exchange, the smart contract into believing, quote unquote,
that he had provided more money, more crypto than he had.
And so he cashed out on that.
In terms of the flash loans, took out 21 flash loans.
My understanding of the flash loan is that it's essentially a loan in cryptocurrency
that doesn't actually have collateral because it's done very quickly.
And so he was able to do that without actually giving any cryptocurrency.
That's my understanding.
The indictment actually says that he performed at least 21 flash loans
and used them to generate falsely inflated fees from five separate liquidity pools.
So I think it's a similar attack to the first one that we described.
It's essentially that he found a way to trick the exchange into giving him more cryptocurrency
than he was owed, than he was actually supposed to get.
There's only one line in the whole document that really warrants a little bit of explanation that they don't really provide.
And it sounds like this smart contract has two different types of accounts, normal accounts, I think they call them position accounts, and then almost an admin-style tick account.
And with that tick account, he was able to fudge, I think, the rates that got paid out, like the fees that got paid out for loaning the system money.
What's unclear to me is how he was able to get a normal account to imitate that admin-style account,
what the vulnerability on the smart contract was that let him do that, I guess, kind of, yeah, that little subterfuge,
that little imitation.
Yeah, I mean, my intuition here is that the smart contract had some sort of bug that allowed him to pretend that he had an admin account and act as an admin, whereas it was just a regular user.
So he allegedly figures out this vulnerability in the smart contract,
uses this flash loan vulnerability to pump a bunch of money out,
take out these inflated fees,
return the loan and walk away with 9 million bucks in cryptocurrency.
He then launders that.
Yes.
So the feds allege that Ahmed then proceeded to launder the stolen crypto,
which is a pretty standard technique,
pretty standard thing to do after you steal crypto.
You try to launder it and essentially hide your tracks.
Because as all the listeners know, cryptocurrencies are all based on blockchain technology,
which the main feature of it is that all the transactions are recorded.
They are recorded forever.
They're immutable.
So anything you do on the blockchain is recorded.
Any movement of the crypto is right there.
And so this makes it relatively easy for the feds to find or at least follow the money.
You know, finding who did it is one thing because the blockchain is not, you know,
the users are not necessarily identified there.
You can see the flow of money, but you may not know who did it, but you can see the flow of money.
And that sometimes leads to a person because at the end of the day, you got some cryptocurrency.
You may want to cash it out and not just keep it there.
So what he did or what he allegedly did was
to do a series of transactions to launder it.
They were all pretty standard.
He swapped some tokens from others,
so some cryptocurrency from other kinds of cryptocurrency.
He used bridges, which are technology,
some sort of blockchain technology
that bridges from one blockchain to another.
So you can go, for example,
from the Bitcoin blockchain to the Ethereum blockchain
and exchange Bitcoin into Ethereum directly.
He also transferred the...
some of the crypto, or exchanged it rather, into Monero, which is a relatively well-known and pretty
anonymous cryptocurrency. It's one of the few cryptocurrencies that are actually much harder to track.
It's unclear actually if the law enforcement is able to track it at all, and it was specifically
designed to be very hard to track. So this was a smart move on his part, but, you know, the rest,
I think, well, the rest clearly, the rest of the flow of the money was,
the feds were able to follow and trace to him and trace to the hack.
The next section of the indictment has an interesting name.
It's Ahmed's post-attack internet history.
And it suggests that in the days following this, after the hack, after the laundering,
he starts Googling some relevant terms.
I wonder if you could tell me a little bit about that.
Yeah.
So one thing that it's interesting here actually is that I don't think it's clear from the indictment
how they identified him.
I was wondering that.
And I wonder if that's just because they didn't need to do that for the indictment,
and it will come up later in the case.
That would be my bet, because clearly they were able to go from this anonymous person
that stole the cryptocurrency and laundered it to actually identifying this person.
And that's the first step before they are able to look at his search history.
Because I imagine that once they identified him, however, they were able to do that,
Then they just, you know, got a search warrant, went to Google and asked Google what Ahmed
Googled around those days.
And they struck gold because they found out that just a couple of days after the hack, he was
Googling stuff like DeFi hack, which stands for decentralized finance.
He Googled stuff like why expensive crypto hacks are the cost of doing business.
He also searched for embezzled.
He searched for DeFi hacks FBI, DeFi hacks prosecution.
And I'm quoting from the indictment here.
He Googled for wire fraud, which is, I guess, ironically, the crime that he was indicted for.
He also allegedly searched for how to prove malicious intent.
And then he also searched for like how to get citizenship in
other countries.
Yeah.
Even visited a website that, like a blog titled 16 countries where your investments can
buy your citizenship.
So, you know, not only he was searching for terms that are, that suggest that
he was sort of like trying to figure out how much trouble he was in, but also then he
moved on to, okay, what can I do about this?
You know, he probably realized that he was in trouble.
I mean, it's hard to believe that he did not know that what he was doing was a
crime. But, you know, we'll see what him and his lawyer argue. I can imagine a universe,
and this is me speculating, but I can imagine a universe in which he claims that he found those
flaws and maybe he was worried that they could be exploited by somebody else. So he decided
to exploit them and then get in contact with the target, which is something that actually has
happened in the world of crypto and Web3. But, you know, in any other
of those cases, it's really hard for prosecutors especially to really believe that these people
actually were just sort of white hats, you know, looking for flaws and trying to alert the targets
on how to fix these flaws. But it's, you know, we can get into it a little bit later
more if you want. But yeah, this does happen. It does happen. There's even like some companies
that have talked about it publicly, about how they noticed there was a bug in a smart
contract and because smart contracts live on the blockchain as well.
And so they're completely, basically, open source and anyone can read them.
They were worried that somebody else could steal the money or in some cases they even saw
that someone started stealing the money.
And so they stole it back or they stole it first and then contacted the target.
So I think there is a universe in which Ahmed and his lawyer argued that that's what he did.
But even in, you know, even in that case, I don't think the law does
care. I don't think the law cares about the intent of doing something like this. At the end of the day, you're stealing money, you're hacking a smart contract and a company. And that's kind of all it matters in a case like this.
Yeah, let's talk about that a little bit because I was worried someone was going to steal this so I stole it is a very interesting defense. And yet it doesn't sound like this is the first time that argument has been made. We don't know that's what they're going to argue. But it feels like it's going that way.
So in the days after this hack happens,
Shakeeb is Googling the series of terms.
And then the crypto exchange, Crema,
sends a message publicly on the blockchain to the hacker,
to which allegedly Shakeeb responds,
starting some kind of a dialogue,
almost a negotiation, to give back some portion
of this stolen $9 million.
Take me through that.
And a little bit about why a person in the situation
might offer to do that.
Yeah, so I think this is an important step because, you know, in that universe that I was
talking about before, I think one of the key things would be for him to have reached out
to the cryptocurrency exchange proactively.
Sure.
I think it's going to be much harder to argue that that was his intent because, you know,
he didn't do it.
So the exchange did the first, made the first step, took the first step.
They posted on the blockchain, basically pleading for the hacker to return the
money, which is super common.
This happened more times than I can count and more times than I have even written
about.
But this has become a very common technique, a common strategy, rather, because it's actually
worked a few times.
Perhaps the most well-known case of a hacker that returned all the stolen crypto was
the Poly Network hack in 2021.
In that case, the hacker or hackers stole $600 million in crypto. That was the valuation
at the time. The Poly Network started a negotiation that was in this case all on the blockchain,
so everyone could follow it. And it was pretty bizarre. They called the hacker like,
dear hacker, dear White Hat, please return the money. And eventually they did. The hackers
returned all the money. Whereas in this case, going back to Ahmed and Crema,
Crema posted the message on the blockchain, then Ahmed sent an encrypted email to the exchange.
So we don't know exactly, or rather the indictment doesn't show us the whole dialogue.
But basically, Ahmed allegedly emailed Crema and started a dialogue, and he agreed to return most of the money.
Around $8 million, he kept something like $1.5 million.
The exchange in their message reaching out told Ahmed, you know, if you return the money, we're not going to press charges.
You might like, well, you're going to avoid prosecution, which it's definitely a promise that, you know, they cannot make because that's not how the law works.
But somehow Ahmed was convinced by this.
He returned most of the money.
He told him that he was going to keep some.
And in return, he was going to tell them the flaws.
So the indictment doesn't use these words, but this seems like, you know, they were,
Ahmed was sort of like trying to set this up as some sort of like bug bounty.
You know, more traditional, I found these flaws.
Give me a bug bounty and, you know, and you can fix them.
And the amount of money that he got is a lot.
But the bug bounties for blockchain and Bitcoin and Web 3 crypto projects
can be very high because, you know, some of these smart contracts contain a lot of money,
a lot of liquidity, a lot of crypto that's worth millions and millions, if not hundreds of
millions of dollars. So a lot of these companies see bug bounties of like even $10 million
as something that is worth it because it, you know, it will save you from losing much,
much more. And so long story short, Crema and Ahmed negotiate and eventually, yeah, Ahmed returned
some of the money. And that's kind of how, you know, that's how it ended, at least between them,
as far as we know.
I mean, you used a really interesting word there, which is negotiation.
Is, in most cases, and I know you can't speak to all bug bounties, but is it a negotiation?
Because that seems relevant to me. Yeah. You know, I found a vulnerability and pay me some money
for it is different than I found a vulnerability. And now we're going to negotiate over whether
it's worth two and a half million, 1.8 million, 1.5 million. That sounds a little bit more
like a hostage situation.
Yeah, exactly. I mean, obviously the listeners here know, but
like a bug bounty usually just works like this. The company whose software is, you know,
we're talking about, sets a set of, publishes a set of rules, a set of like, you know,
limits and boundaries for what people can look for, for where people can look for bugs.
and they establish a very clear list of rewards for the type of bugs that people find.
I think there may have been some cases where the impact of the bug was so high
that the company decided to give the person more money,
but this is really, it's not what happened here.
It's completely different.
Like in this case, the person stole the money so they exploited the bug.
Usually in bug bounties you don't exploit the bug.
At least maybe you do a proof of concept, but you don't like hack into the servers
of Facebook, for example, to, like, show them that you found a bug.
So, yeah, I think the hostage situation is a great way to look at it.
I didn't think about it that way.
But, yeah, it's essentially, you know, you can imagine, like, I don't know,
someone stealing a car and saying, hey, I have your car.
Just, you know, I found that it was unlocked and I ran away.
But now it's been a couple of days, and how about I return it to you?
You give me, I don't know, $5,000 and we, you know, we forget about all this.
And again, that's something that that would work either in the real world outside of the internet.
But yeah, this is what happened here.
And I don't think, I haven't checked this, but I don't think Crema had a bug bounty program.
So, you know, this is really like, I don't think anyone can call this a bug bounty, you know, in good faith.
It's clearly, you know, this was a cyber attack.
This was a theft.
And then the hacker somehow, who.
that by returning some of the money, they could get away with it,
which he didn't or they didn't.
It does raise the question of whether or not, how do I put this,
whether or not Crema honored the arrangement.
And again, it's an agreement made kind of at gunpoint a little bit,
so you couldn't really blame them for making the deal
and then immediately turning around and turning him in.
But you do wonder how the feds got on to the case
and whether or not Crema was involved in it.
Yeah, I'm not a legal expert,
but I think that it doesn't matter.
In a case like this, it doesn't matter if Crema presses charges
because presumably some of the users on the exchange are Americans,
and so those are actually, you know, those are victims as well.
So even if Crema doesn't press charges, the DOJ investigates
because there's a bunch of Americans who have lost quite a lot of money, potentially.
You know, we don't know how much, you know, we don't know how many users were affected
or if it was just like money that Crema owned.
But, you know, essentially if there's a theft and the DOJ can get involved,
even though, you know, even if Crema doesn't press charges or decides not to press charges,
that's my understanding at least.
Like, basically what I'm saying is that when Crema promised this,
they were, you know, either lying or they didn't know how these things work.
That makes sense.
Even if they were honest, I don't think they realized that that's not how it works.
Well, it's an easy promise to be able to make. It's like, sure. Whether or not we make these, whether or not we refer this on to law enforcement is relevant to, but ultimately distinct from whether or not law enforcement decides to pursue it.
Yeah, and I think that you suggested this, you know, they were trying everything they could to get the money back because as we were discussing, you know, the blockchain doesn't forget. And also cryptocurrency transactions are usually irreversible.
And so once the crypto is gone, you really need to get it back.
You know, it's not like a bank that has some sort of insurance.
So, you know, pleading with the hackers to get the crypto back
is the easiest way to solve the problem and get the money back for your user or customers.
This story partially caught my attention because the government referred to it as a first of its kind.
And I think what they mean when they say that is that it is the first charges
laid concerning the hack of a specifically decentralized crypto exchange.
I think that's what they mean when they say it's a first.
Is that your sense of it?
How was it a first?
And as a journalist who has covered these kinds of stories,
how is it also maybe familiar?
That's interesting.
I forgot that they claimed that it was the first case.
I mean, I don't really understand why they call it the first case
because a lot of smart contracts have been exploited in the past.
Maybe nobody has gotten caught yet.
But I don't see how this is different from, you know,
exploiting the Poly Network or Ronin,
which was like that sort of video game,
where the North Koreans stole a lot of crypto.
So, yeah, it's strange.
I don't know exactly why they called it the first.
It's also like only in the title of the press release.
It hasn't really been explained.
So, yeah, honestly,
I don't know exactly what the DOJ meant here.
It's a little unclear.
I wonder if it has to do with charges being laid against an American,
but it does seem like a pretty in the weeds distinction.
Yeah, I mean, maybe you're right that it's because it's a decentralized exchange
rather than a Coinbase sort of exchange.
I don't see how that distinction is very, very relevant to most of the public, to be honest.
It brings up an interesting question.
So decentralized exchanges, especially ones using
like big liquidity pools governed by smart contracts versus the older order book style.
This whole tech really lives and dies by the quality of the smart contract.
And some smart contracts are upgradable.
But my understanding is once they're deployed,
once they're out in the world and people are using them,
they're either immutable or much harder to change than server-side software.
Does this style of decentralization make
fixing vulnerabilities in a design just a lot harder when it comes to things that deal with money?
Yeah, absolutely.
I mean, I don't know, maybe this shows my bias on, you know, my opinion on cryptocurrencies
and Web 3 and all this stuff.
But to me, it's ridiculous that you are essentially resting the future of a lot of money
that comes from, you know, people who at the end of the day are
investors, you know, not all of them are millionaires or billionaires. A lot of them are
small investors who have read about crypto on some magazine, some newspaper, and they've seen
the returns that some people have made, and they decide to put maybe all their savings in it.
And all that money is, you know, that's the safety of that money depends on code that is
completely open source. It is public. And as you say, in many cases it's immutable because the
developers don't even realize the risks, especially a couple of years ago or even last year when
crypto was still really, when most, you know, when most cryptocurrencies were incredibly valuable and were
growing in value constantly, there was a lot of interest not only from investors, but from developers
to create new financial products, basically new crypto projects, new everything, you know, Web 3 games.
anything that you can think of.
And so there was sort of a rush.
There was a gold rush to cash in.
And so a lot of people that had even limited, to be honest,
even limited software development knowledge,
launched projects, put these smart contracts online,
didn't even get an audit and just hoped
or didn't even realize that this is how it works.
Your code is out there.
If someone finds a flaw,
then there is nothing you can do to stop it.
And because cryptocurrency transactions
are almost immediate.
I mean, Bitcoin is a little slower
and they're not like technically immediate,
but they're pretty quick.
And so if you're not monitoring what happens on your network,
you're not going to find out.
There are security companies now
that offer threat intelligence
and monitoring of this kind of attacks.
But at the end of the day,
these are just, or some of these are just, you know,
regular transactions.
And it's really hard to tell
whether someone is moving $9 million
in crypto because they're just moving them or it's because they're stealing them.
So yeah, someone a couple of years ago compared the smart contract with the mission critical
code. He was telling me that you could actually compare it to like the code that's used in
an F-35 or to launch a satellite in space. It's code that you really have to get right.
You know, one thing is to launch like, I don't know, Threads, for example, Facebook launched
Threads. There are some bugs in it. Sure, you know, maybe, you know, maybe some of them are
embarrassing or, you know, can have different kinds of impacts. But at the end of the day, it's a
social media network. You find the bugs, you fix them and life goes on. Here, if there are bugs,
if you get unlucky, if the bad people find those bugs, then all of a sudden you're out of
$9 million or $600 million or who knows how many million dollars. So, you know, to me,
to me it's still crazy that we're resting the fate of all this money on code that it's not only
public but a lot of times unfortunately developed by people that don't really understand security
and don't understand the risks involved. I appreciate you taking the time to chat with me about
this, Lorenzo. It's a very interesting one and I think we'll be following it.
My pleasure.
