The Decibel - How a math prodigy-turned-fugitive siphoned millions in crypto
Episode Date: May 2, 2025At 18 years old, Andean Medjedovic was a math prodigy, finishing his master’s degree in mathematics at the University of Waterloo before most young Canadians can legally drink. Medjedovic was involv...ed in cryptocurrency trading – and according to the U.S. Department of Justice – engaged in “cryptocurrency hacking schemes” that allegedly netted him US$65-million in digital tokens. Now, he’s on the lam.Alexandra Posadzki, The Globe’s financial and cybercrime reporter, is on the show to talk about how Medjedovic allegedly pulled off the trades, the cases against him, and how the controversial philosophy of “Code is Law” in the world of decentralized finance plays into his story.Questions? Comments? Ideas? E-mail us at thedecibel@globeandmail.com
Transcript
Discussion (0)
Andean Medvedevic was a very bright student, very skilled in mathematics from Hamilton,
Ontario.
That's Alexandra Pizadsky.
She covers financial and cybercrime for the Globe and Mail.
He was finishing his master's degree at the University of Waterloo at just 18 years old.
But then he got into a bit of trouble. In the fall of 2021, Andián Medvedovic
managed to exploit the code of a decentralized finance platform. He transferred millions of
dollars worth of tokens to his digital wallet. And then he went on the run. Today, Alexandra is on the show to tell us about this Canadian math prodigy, the charges
that he's facing, and the questions a story like this raises about when law enforcement
gets involved in the world of decentralized finance.
I'm Manika Raman-Wilms and this is The Decibel from The Globe and Mail.
Alex, thanks for being here.
Thank you for having me.
So tell me more about Andian Midjetovic. Who is he?
So Andian, who goes by Andy, is this exceptionally bright young man who, it seems like, raced through high school in about a year and then was
just shy of his 15th birthday when he started his undergraduate degree
at the University of Waterloo in pure mathematics.
Did his undergrad in about three years, then did a masters in a year, and so
essentially was around 18 years old when he
completed his master's degree in math. Okay so very bright young guy it sounds like. So what
do we know about his upbringing? So Andy grew up in Hamilton Ontario with his
parents and his younger brother and according to his CV which I found in
some court documents he had some pretty interesting hobbies,
which included cryptocurrency trading, meditation,
and even playing chess while blindfolded.
That cannot be easy, okay.
Okay, so we have a sense of who Andy is here then,
but what happened in the fall of 2021?
So in the fall of 2021, Andy allegedly
goes onto this platform called Indexed Finance, which
is a decentralized finance platform.
So decentralized finance is essentially
like a peer-to-peer financial system, which
is intentionally designed to not have a central authority.
And it relies on blockchain or digital ledger technology
and allows users to do things like trade cryptocurrencies.
Okay.
And so Index Finance was this platform that allowed users to trade kind of multiple different kinds of virtual currencies
through a single token, so it kind of functions like a mutual fund with many stocks in it.
And Andy goes on Index Finance and allegedly takes out a flash loan,
which is an uncollateralized loan in which assets are borrowed and then are
repaid within the same series of transactions and using roughly $157
million U.S.
in borrowed assets, allegedly executes this complex series of
trades that manipulates the token prices in two of Index Finance's liquidity pools, which
allows him to transfer $16.5 million US of digital tokens to his own wallet, allegedly.
Okay, so the mechanics there sound a little bit complicated, but bottom line is basically
he managed to siphon off approximately $16.5 million then, allegedly of course.
Once Index Finance realized that this had happened, that their platform had been exploited
in this way, what did they do?
They launched an investigation to try to find out who was behind it. And through following the digital paper trail
in various ways, they were able to trace the exploit back
to Andy and saw that he was a master's student
at University of Waterloo.
And so they made him an offer.
Essentially they offered him a bug bounty.
So they said, you know, give us back 90% of the funds.
You can keep the other 10% as effectively a reward
for having identified this flaw
in the code governing our platform.
We'll pretend that this was all intentional,
a white hat operation and, you know, no charges
and you're free to go on and start your career
as a white hat hacker.
What does white hat mean here?
So a white hat hacker is essentially the flip side of a black hat hacker.
So a black hat hacker is what you would traditionally think of as a hacker who
goes on to the Internet to various places to hack them in order to make money or
create mayhem.
A white hat is like a good guy.
It's like a white knight.
It's a hacker who essentially also uses
the same hacking techniques, but in order
to effectively help companies or online platforms protect
themselves by identifying vulnerabilities that
could be exploitable by black hackers.
OK.
So they made him an offer to pretend
this was all intentional.
They would just say that he was helping
them find flaws in their code.
How did Andy respond to that?
He did not take the offer and he essentially went into hiding at that point.
Huh. Okay. Let's talk a little bit more about just this this exploit as we know it, Alex,
and then we can get into what's going on with Andy right now. I believe that Andy actually
had some practice with this kind of exploit before when it comes to exploiting
Flaws and code can you tell me about that?
So shortly before he allegedly performed this exploit on indexed finance. He had taken part in a couple of
coding contests run through this organization called code arena
And so what code arena does is essentially it's a contest for participants
to try to identify and exploit vulnerabilities in the code governing decentralized finance
platforms. And he had actually placed highly in at least two of these competitions.
Okay. How common is this kind of exploit? Like the kind of thing that he was able to
do where he is was allegedly siphoning millions of dollars. Yeah. How common is that?
I mean, it's hard to say definitively how often this sort of thing happens, but
it's definitely not the only time that it's happened.
There's a pretty well-known case in the U.S.
where a decentralized finance platform called Mango Markets was exploited in a
similar way. And so one of the sort of experts, crypto lawyers that I spoke to talked about how it's these
flash loans that often create this opportunity for what some would characterize as market
manipulation.
Huh.
OK, so let's go back to Andy now.
And what's happened once he's allegedly siphoned off millions of dollars worth of tokens from
index finance?
What does indexed finance do when Andy refused to give those back?
So index finance, two of index finance's leaders essentially had assumed that as
a master student Andy must be an adult.
And so they end up actually identifying him as the person responsible for
the exploit online.
And that's when they actually discover that they're dealing with a teenager,
because Andy, at the time, was 18 years old.
18-year-old who allegedly syphoned off millions of dollars
from them.
Wow.
Was he eventually charged?
So eventually, he was charged.
The first thing that sort of happened
is there's this large investor in indexed finance, which
we don't know this investor's identity,
but they ended up incorporating this company
called Cicada 137.
And Cicada essentially says that they have lost
north of $9 million US as a result of this exploit.
And so Cicada goes to court in Ontario
and launches a civil proceeding against Andy and is ultimately
able to obtain something called an Anton Pillar order, which is like a civil search warrant.
And so lawyers for Cicada, they go to Andy's parents' house in Hamilton. It's this, you
know, townhouse on this quiet residential street and essentially start seizing all of
the things that they can find.
By that point, however, the evidence that they would have been able to find likely would have
been limited because Andy had actually left by that point and he had taken his devices,
his phone, and his laptop with him. Around the same time, Indexed finance also takes Andy to court and attempts to launch a class action lawsuit.
And so there's these two kind of legal proceedings in the Ontario courts and they kind of end up combining,
meaning indexed finance actually ends up becoming part of the Cicada lawsuit.
OK, so what's happened with those lawsuits?
What's the status of them?
The judge had actually wanted him to physically appear in court and to
also put the tokens, the disputed tokens into some kind of neutral custody and he
did not do that and so the judge ended up issuing an arrest warrant so that
Andy could be brought in front of the court for contempt of court. Okay so
we've been talking about this incident from 2021, Alex, where he allegedly siphoned off
millions of dollars a year from index finance,
but he actually did this again, didn't he?
That's the crazy part is that two years later,
Andy allegedly goes on to perform a very similar exploit
on another platform, this one called KyberSwap,
and this time he's actually able to siphon out $48.4
million US.
He ended up actually being indicted in the US where he now faces five criminal charges
including wire fraud, attempted extortion, and money laundering.
Okay, so there's big legal ramifications in the US now.
Potentially.
So now he's done something similar twice now.
He has millions of dollars in digital tokens. Can he actually use this then like cash?
It's a little bit unclear.
What we do know is that he has actually had some difficulty getting access to some of the funds.
There's kind of this myth around crypto that it's untraceable.
And this is why people use crypto to launder the proceeds of crime.
But the truth is that every cryptocurrency transaction is actually recorded in this digital
ledger that is publicly accessible.
What you don't necessarily know is the identities of who is behind different wallet addresses.
But it's not that difficult for a cryptocurrency exchange or platform to actually link back
funds to a specific hack or exploit. And so in
this case what we know through some US court documents is that after the
Kyber swap attack Andy actually runs into some challenges trying to get
access to some of his funds. There's a number of service providers who actually
block some of his transactions because they can see that the money is linked
to this Kyber swap exploit and they don't necessarily want to be complicit in what could
potentially be classified as money laundering.
And so at one point he's having all this difficulty trying to get access to the funds and at one
point according to this US core file he actually unwittingly enlists the help
of an undercover law enforcement official to try to move some of the funds for him.
Of course, none of these allegations against him have been proven in court.
But I wonder, Alex, what has Andy said about these allegations, if anything?
So I spoke to Andy.
He spoke into journalists a couple of times in the past.
And so in the immediate aftermath of the first attack, he actually went on Twitter, now known
as X, and he made some posts that were actually pretty telling in terms of his sort of views on the situation.
And so he says a number of things like, you know, if indexed finance wants to insinuate that I did something wrong
and resort to name calling, then LOL. And so he's kind of saying like, hey, I didn't do anything wrong.
And he says things like, you were out traded. There is nothing that you can do about that such as crypto and so while he never actually says the phrase code is law
There's this kind of philosophy out there in some parts of the decentralized finance world called code is law
Which is essentially a belief that the code is the law and And so if the code governing one of these decentralized finance
platforms allows for a certain transaction or series
of transactions in this case to be executed,
if it makes those transactions possible,
then those transactions are legal.
One of the analogies that's often made
is actually to something like high-frequency
trading.
So if you have one hedge fund and they happen to spot some kind of a pattern in the trades
of another hedge fund and they're able to exploit that pattern and make a bunch of money
and the other hedge fund loses a bunch of money, it's sort of like, oh, well, that's
like the cost of playing the game.
That's the cost of, you know, being of being a high frequency trader or a hedge fund. And so some of the folks in decentralized finance have said that a similar policy kind
of applies to this world, and that is code as law. Meaning if the code has enabled this,
if it's allowed it to happen, then you haven't broken any laws.
So the argument here essentially is that he just exploited the vulnerability in the platform
essentially. So the idea behind that is I didn't do anything wrong. I just exploited this vulnerability.
And the platform was the one that created the vulnerability. And every other person
who's using the platform could also have gone and looked at the code because the code is
all open source. And they should have done that. And they should have seen that there's
this glaring vulnerability before they decided to transact with this platform.
So I wonder though, this idea of code is law, has that been tested in court? Not in Canada, which is why this case against Andy would have been really interesting had it ever
gone to court. I suppose there is always the possibility it still could, but he decided not
to participate in the legal process. In the states, however, there is a very interesting case
that did go to court, and that is the Mango Markets case.
It's a very similar case in which there was a trader
who essentially exploited a vulnerability,
and that was part of his defense,
was that he was able to do this.
He didn't gain unauthorized access to anything
that he wasn't authorized to access.
And the court actually did not agree with Cota's law.
It struck that down.
And it said, well, no, what you've done here
is market manipulation.
And he was sentenced.
OK.
There's an interesting tension here.
It seems like in this world of crypto,
the idea is this whole thing is decentralized.
There's no governing body. That's kind of the appeal of it. But then there's
this other question of, well, when something has been exploited like this, when do you involve law
enforcement? I guess, how do people think about that equation there? It's a real tension in the
crypto space because on one hand, the crypto space wants legitimacy, right? They want people to feel
confident, transacting in
cryptocurrencies and doing cryptocurrency trading and in order to
have that confidence you do need some kind of you know regulations or some
kind of sort of certainty that like you're safe playing in this space, right?
And then there are others who are like well no the whole point of crypto is
that you know we don't trust the financial system.
You know, Bitcoin was essentially created in the wake of the 2008 global financial crisis.
And it was this idea of like central banks just like printing cash and bailing out the
financial institutions who would cause the entire crisis.
And so, you know, the whole ideology behind crypto is to have this system that is separate from
the financial system doesn't have a central authority who can do something corrupt or
something that people disagree with.
The whole ethos is that it's governed by the code.
And so when you have something like that, then some people would argue that it's essentially
hypocritical to want to partake in that system.
And then as soon as something happens that affects you, you've lost a bunch of money. Now you want the
authorities to get involved. Now you want law enforcement to get involved to
protect you. And so there is this real tension in the crypto space where there
are some people who believe that there should be oversight and other people who
are very opposed to that.
Yeah. Alex, a few minutes back, you dropped a really interesting little nugget
that I want to come back to. You mentioned that you actually had a chance to correspond
with Andy. So let's let's talk about that. Like, first of all, how did you manage to
get in touch with him?
Yeah. So I was going through all of the court documents that have been filed in Ontario.
And I noticed that because Andy was essentially in hiding, his location was
unknown.
The courts were not able to serve him with legal documents in the usual way.
So they were serving him legal documents via email.
And they had four or five different email addresses that they were using to serve him
with legal documents.
And so I just started emailing those email addresses. And so someone who
I believe was Andy eventually responded to my email and said, hey, I can answer some
of your questions on Signal. Let me know your username there. And so I did. And then, you
know, a couple days later he reached out and we had a bit of a chat. And, you know, I had
this whole list of questions prepared of like what I wanted to ask him and then it basically went completely out the window
the moment that he told me that he had actually been arrested in some European
country he says which he would not name last summer and had spent he said
hundreds of days locked in a cage and then had essentially been released Wow
and it was unclear to me why he'd been released.
He said ultimately the country that had arrested him was debating whether or not to extradite
him to the United States because he had been indicted and ultimately decided not to for
some reason.
But they did take his stuff, he told me, so like his devices, and sent that to the US. I asked
him what's next for him and he said now he's essentially trying to get his stuff back,
but he thinks it will be an uphill battle.
Wow. Okay, so this is a very interesting turn here. Do we know why he was arrested in this
country?
No, and he was kind of evasive sometimes when I asked him certain questions. It was a very strange conversation, I will tell you.
He used some racist slurs in describing some of the inmates who he was in jail with, and
that also got pretty inappropriate during moments of the conversation.
So those were some of the things that he would do if I was trying to like press him on a
question that he didn't seem to want to answer.
Wow. Okay. So we're at this point now where he is still on the run. What would happen
if he got caught, Alex?
Well, I guess that depends on the extradition treaty that the country that he is apprehended
in has with the United States. So essentially, he's been indicted, that indictment was unsealed several months ago, but that case against him by the US, it can't
proceed unless he's actually in the US. And so if he's smart, he will obviously
avoid the kind of countries that have very broad extradition treaties where
he's almost guaranteed to be extradited. But Andy has actually told me that he hopes
the whole case against him will be thrown out
because the new US president, Donald Trump,
has actually talked about stopping persecution
against crypto people.
And we actually have seen a really big shift in focus
in enforcement in crypto cases.
We've seen some crypto cases paused
or investigations that have
been dropped and so he's hopeful that he could be part of that. Wow. Okay so he's
been criminally indicted in the US. There's two cases brought against him in
Canada but these are civil cases but essentially if he gets caught we would
have to wait and see then what actually happens. Just before I let you go here
Alex, so Andy was he was only 18 when all of this started. He's a few years older now.
He's clearly a very intelligent individual.
From the people involved in this situation, the people that you've managed to talk to,
did you get a sense of what they think of him?
Yeah, that was a really interesting part of this whole story, right?
This is a kid who is obviously so exceptionally bright when it comes to mathematics. He,
according to his CV, has a Putnam score of like 39. Which is... What is that? So the
Putnam is like this mathematics competition for undergraduates and it's
renowned for how difficult it is. And so while the maximum score that you can get
is I believe like 120, most years the median score will be like in the low single digits.
And he got 39. He got 39.
And so this was this kind of like recurring theme,
like even one of indexed finance's own lawyers wrote on Twitter that,
you know, essentially, if your Putnam score of what you see is your Putnam
score is true, like you're a math genius. Like don't ruin your incredibly bright future
for some crypto that you might not even
be able to access anyway.
The judge that was overseeing the case in Ontario
gave Andy every single opportunity
to participate in the legal process.
He kept urging him to just participate,
saying our justice system is fair,
our legal system is fair, you know,
if you wanna make an argument, like it will be heard.
And so there was this real push by a lot of folks involved.
Even one of the co-founders of this code arena contest
was kind of chatting with him online,
according to an affidavit he filed in court
and like trying to convince him to just like, you know,
take the white hat bounty, take the bug bounty, give the money back and don't start your career this way. But he is
kind of an interesting guy. And you know, at one point, he told Bloomberg that he doesn't,
he's not concerned about getting a job, because waging in a cage is not his idea of a good life.
And you know, I find that really telling and interesting because he later actually ended up spending
hundreds of days, he says, in an actual cage.
Yeah, there's some irony there.
There is a little bit of irony there.
But he probably, in his mind, has some kind of a plan
where he's gonna have a big crypto windfall.
Alex, this has been really interesting.
Thank you so much for taking the time to be here.
Thank you so much for having me.
That was Alexandra Pizadsky.
She covers financial and cyber crime for the globe.
That's it for today.
I'm Maynika Ramon-Wilms.
Our associate producer is Aja Souter.
Our intern is Olivia Grandy.
Our producers are Madeleine White, Michal Stein,
and Ali Graham. David Crosby edits the show. Adrian Chung is our senior producer, and Matt
Fraynor is our managing editor. Thanks so much for listening, and I'll talk to you next week.