The Current - How a Canadian math prodigy allegedly stole millions in crypto
Episode Date: April 15, 2025Canadian math prodigy Andean Medjedovic is on the run, after hacking the code of finance platforms and allegedly stealing $65 million US in cryptocurrency. The Globe and Mail’s Alexandra Posadzki ex...plains how he did it, and why he argues he’s entitled to the funds thanks to a controversial cyber philosophy known as “Code is Law."
Transcript
Discussion (0)
When a body is discovered 10 miles out to sea, it sparks a mind-blowing police investigation.
There's a man living in this address in the name of a deceased.
He's one of the most wanted men in the world.
This isn't really happening.
Officers are finding large sums of money.
It's a tale of murder, skullduggery and international intrigue.
So who really is he?
I'm Sam Mullins and this is Sea of Lies from CBC's Uncovered, available now.
This is a CBC Podcast.
Hi, it's Mark Kelly here.
You might know me from my regular gig as co-host of the CBC's The Fifth Estate.
You'll be hearing more from me when I fill in for Matt as he crosses the country talking
to Canadians about the election.
I hope you tune in, and please enjoy the current podcast.
In the fall of 2021, owners of a cryptocurrency platform called Index Finance realized they
were under attack.
Someone was buying crypto at an enormous discount that essentially tricked the platform into
giving them tokens on the cheap.
The owners eventually found the alleged culprit, an 18-year-old math prodigy from Hamilton,
Ontario named Andian Medvedevic, but they were already out more than $16 million.
Two years later, he allegedly struck again, this time at a different crypto platform.
In total, Medvedevik is accused of fraudulently acquiring 65 million US dollars of crypto
assets.
Alexandra Pazesky has been following the story closely.
She's the financial and cyber crime reporter with the Globe and Mail, and she joins me
in our Toronto studio.
Alex, good morning.
Good morning.
So who is this Andi and Midjedevik? Well essentially when this all started he was a teenager from
Hamilton who was extremely, is extremely gifted at mathematics. He had done his
high school, it looks like he finished high school in about a year and then was
not even 15 years old when he started his undergrad in pure mathematics at
the University of Waterloo.
Wow.
Breezed through that in three years, then had his master's degree, which only took him a year by the time he was 18 and starting to
perform allegedly these exploits on these decentralized finance platforms.
Well, tell us about that transformation from going this math prodigy whiz kid into an alleged crypto thief.
Well, it looks like he got some practice on these techniques
through this sort of coding competition called Code Arena,
where essentially participants would practice
finding these vulnerabilities in the code
of these decentralized finance platforms,
and you could win prizes.
And he did, he actually placed in two of these contests
and that seems to have occurred
shortly before the first alleged exploit
that he took part in.
It's a complex world cryptocurrency.
So what do we know about how he allegedly pulled off
the first attack back in 2021?
So according to this indictment
that was unsealed by the US, what he essentially did was he
took out a flash loan, which in the sort of decentralized finance world is an uncollateralized
loan in which the assets are borrowed and then repaid within the same series of transactions.
And it's a massive loan, $157 million US in borrowed assets.
And then using those borrowed assets he
executes this complex sequence of trades that essentially manipulates token
prices in two of indexed finances liquidity pools and through all of those
transactions he's able to essentially transfer out 16 and a half million
dollars US of digital tokens into his own wallet. So when index finance leaders
figured out what had happened,
according to your reporting, they made them an offer.
Tell us about that.
So they essentially sent him this email,
and it was kind of like, through gritted teeth, good job.
Give us back the money.
You can keep 10% as what's known as a bug bounty.
We can pretend that this was all sort of staged as, you know,
a white hat hacking sort of a transaction.
And then you can go off and start your career as a white hat hacker.
And Andean, who goes by Andy, decided not to take that offer and essentially at that
point went into hiding.
Did he explain why he didn't take the offer?
So we don't know exactly why he didn't take the offer, but he did have some sort of cryptic
tweets that he posted online at the time that gave kind of a hint into his mentality, his
thinking, and it seems he sort of hints he doesn't overly state this, but it seems that
he believes in this controversial philosophy in the world of decentralized finance known
as code is law. And the idea behind code is law is that essentially
if there's sort of a weakness or a vulnerability in the code and you as a
trader are able to manipulate that vulnerability into giving you crypto at
highly favorable to you terms then those coins or tokens are lawfully gotten.
Essentially, you deserve them because you were smart enough
to outwit the code.
The code is the law, the regular law doesn't apply.
And I wanna talk more about code is law,
but first, he strikes again more recently.
I mean, was the same similar situation?
He's applying his same principles
and exploiting a weakness in another platform is that how we did it the
second time exactly so roughly two years later he does a very very similar thing
on a platform called the Kyber swap and this time he makes off with 48.4 million
US so an even larger windfall and he hasn't been too bashful or too you know
quiet about his exploits.
What has he been saying online about what he's done?
So he says things like, you know, you are out traded, there's nothing you can do about
that, such as crypto.
And you know, after the indexed exploit, he says, you know, if they want to resort to
name calling, lol, I didn't do anything wrong is kind of the implication of what he's saying.
And he's also occasionally surfaced and spoken to reporters.
Um, I spoke to him.
He also spoke to Bloomberg at one point and he told them that he wasn't too
concerned about getting a job because waging in a cage was not his idea of a
good life.
And, um, you know, ironically, I suppose, he did actually, at one point,
he told me, end up in a cage.
That means he was arrested in some country in Europe, he told me.
He did not say what country that was.
And after, I think he said hundreds of days, they actually released him and decided not
to extradite him to the United States for some reason.
Okay.
How did you get in touch with him in the first place or somebody who claims to
be him? How did that come about?
So because he was in hiding, the courts were using email to serve him with legal documents
and they were sending these documents to several email addresses. They were all disclosed in
the court filing. So I just kept on emailing him over and over again until finally he got
in touch and said, or someone claiming to be him responded to one of my emails and said, you know, I can try to answer some of your questions
on Signal. And so we had a chat on Signal. And I know it's a limited exchange and hard to read
into every word, but did you get any sort of idea of the profile, the character of the individual?
I mean, he did use some sort of racist slurs in describing his fellow inmates.
And he also talked about the previous US administration as the liberals.
He was like, the worst thing that's come out of this is the liberals have all my stuff,
meaning I think his computer and his phone was actually sent off to the US and he now
wants to get them back.
He was sort of an interesting guy to talk to.
He said things like things didn't go exactly as planned,
but then he didn't really want to elaborate
on what the plan had been.
He did also say that getting arrested was not the worst
of all possible outcomes, but still not great,
and described the whole thing as being
pretty terrible.
So let's go back to code is law.
So code is law because he's basing the fact that he's obtained these assets that they
are his because he outsmarted the platforms so therefore they belong to him.
Is there any law to the idea of code is law?
I mean the analogy that often gets trotted out is this idea of code is law. I mean, the analogy that often gets trotted out
is this idea of high frequency trading.
So the idea is if one hedge fund is able to sort of exploit
a pattern in another hedge fund's trading
and profit off of it, then nothing illegal has happened.
Essentially, that's just like the risk of playing the game
of being a high frequency trader.
In terms of actual law, I mean,
this has never been tested in Canada, which is why this case was so interesting had it actually gone to court in Canada, as it would have been the first legal case to test the Code as Law theory here.
It did get tested in the US, which is actually where Andy has been indicted, in a case called Mango Markets, where the trader actually ended up being convicted.
And he had made a similar argument,
or it was at least part of his argument,
was that he hadn't hacked Mango Markets,
he had just exploited a vulnerability,
and the court actually ended up sentencing him to jail.
So it did not stand up there.
Was there any possibility or pursuit
of actually indicting him here in Canada?
There was a civil court process.
So there was a large investor in Index
who had actually gone to court and tried to sue him.
And then separately the Index
finance co-founders had launched a separate suit.
Those lawsuits sort of ended up becoming combined
and he did sort of seem like he was willing to participate early on in the process
but then he just kind of went AWOL and there was an arrest warrant out for him but he was never
located here. By the time the large investor in indexed got a civil search warrant and the lawyers
showed up to search Andy's parents home he was already gone. And what do his parents know about his whereabouts or what are his parents sharing about their son's whereabouts?
They've generally said that they're not in touch with him and that they don't know where he is.
The judge in that case has said that he doesn't necessarily find that credible.
There was one voicemail where Andy's father did say he had been in touch with him, but he also sort of hinted that Andy might commit suicide if people sort of
come after him.
I understand from some of the statements his father made that Andy was getting
death threats as well. And so this is, you know,
an 18 year old boy who's done something that is being,
or allegedly done something that, you know,
he's taking a lot of heat for and he's, you know,
potentially getting death threats from investors.
And so his father said something about how like, he may commit something that you're
all going to regret and then I won't have my child anymore and none of you will have
the money because nobody else knows how to get it.
Well tell us, I mean, the crypto world is a bit of the Wild West and sometimes people
who behave like this are seen as sort of heroic outlaws.
So how are people in the crypto world seeing him
in this whole story unfold?
I think watching with fascination,
I mean, when I did go through old tweets and stuff,
I did see there were some people
who were expressing support for him,
but then there are also people who really are just not buying
this whole code is law thing.
They're like, no, this is market manipulation.
Because, you know, at the end of the day, there are investors, right, in these
platforms whose tokens effectively, you know, became worth a lot less.
And so they feel like they've been robbed, like something has been taken from them.
And so there is a real tension, I think,
in the crypto world about how much the law should apply
and when and where.
And some of the cynics would say, you know,
crypto is supposed to be this kind of lawless place.
And then as soon as you get had, you know,
then all of a sudden now you want the police involved.
And so there's accusations of hypocrisy.
And so this has always been a sort of source of tension,
is like when to get the courts involved
and when to get the police involved.
And like anything these days, every story
has to have a Trump angle.
Yes, of course.
And this one does, I mean, from your exchange with him,
where as you've been going back and forth communicating
with him or someone who claims to be him on Signal,
what did he mention about Trump?
Well, he said the silver lining to all of this was that he's hopeful his whole case
may get thrown out because Trump has promised to stop the persecution of crypto people.
And indeed, we have seen US regulators sort of walking back from a lot of crypto enforcement
cases.
And so there is some truth to that.
He actually said that half of the people who are involved in his case are no longer there.
That being said, what I have read most recently is that there is a desire to kind of pull back from doing regulatory cases against the owners of crypto exchanges,
but regulators are still looking to go after people who are involved in theft. And so I guess if you define this case as a theft, then Andy may not be off the hook. It's, you know, hard to read the tea leaves here.
Very quick last word on reading the tea leaves. Do you think this guy's going to be caught?
I mean, he already got arrested and let go. And so I think he knows where to go,
where there isn't maybe such a broad extradition treaty with the United States. So if he's smart
and he keeps his wits about him, maybe not.
The mystery continues.
Alex, great story, great reporting.
Thanks for having me.
Alexandra Pacecki is the financial and cybercrime reporter with The Globe and Mail.