Federal prosecutors in the United States have charged a Canadian national with exploiting vulnerabilities across two decentralized finance protocols, alleging he stole millions in cryptocurrency and attempted to cover his tracks.

Andean Medjedovic, a University of Waterloo mathematics graduate, has been indicted for wire fraud, computer hacking, attempted extortion, and money laundering in connection with the KyberSwap and Indexed Finance exploits, the Justice Department announced on Feb. 3.

According to the charges, Medjedovic manipulated smart contracts on both platforms, using deceptive trades to trick automated systems into miscalculating key values. By exploiting these flaws, he allegedly drained $48.8 million from KyberSwap in 2023 and swiped $16.5 million from Indexed Finance in 2021.

Through his deceptive trades, Medjedovic managed to “withdraw millions in investor funds at artificial prices,” the indictment said. This left victims with effectively worthless investments.

Prosecutors added that Medjedovic meticulously planned the KyberSwap exploits over several months, maintaining a directory of files labeled with terms like “KYBER_KILL” and “templateexploit.” 

He created a “POOL HIT LIST” to identify liquidity pools to target and timed the attack strategically, writing notes such as “Find time to Strike! CEO is in Ho-Chi.” He even calculated the optimal time for the attack to coincide with when Americans and Europeans would likely be asleep.

After the attack, prosecutors say Medjedovic attempted to extort KyberSwap developers, investors, and DAO members by demanding control of the protocol in exchange for returning 50% of the stolen funds.

At the same time, he was working to cover his tracks. Medjedovic and an associate allegedly laundered the stolen crypto through crypto mixers and blockchain bridges, shuffling the funds across multiple networks to obscure their origin. He also opened accounts at crypto exchanges using fake identities, attempting to liquidate his holdings without raising red flags.

Furthermore, when one bridge protocol froze his transactions, Medjedovic allegedly paid an undercover law enforcement agent $85,000—believing they were a developer who could bypass the restrictions and unlock $500,000 of his frozen crypto.

If convicted, Medjedovic faces significant penalties, including up to 20 years in prison for each count of wire fraud, attempted extortion, and money laundering, as well as 10 years for unauthorized damage to a protected computer.

Law enforcement agencies, including the Dutch National Police Cybercrime Unit and U.S. prosecutors, continue to pursue Medjedovic, who remains at large.

On Dec. 20, 2023, KyberSwap announced a treasury program to compensate users affected by the hack. 

In a recent X post, the protocol said the grant has been fully distributed to 1,371 recipients.




