Staring at his computer screen, Blaine couldn’t help but start to sweat. The $50,000 in cryptocurrency he once had in his account was no longer worth anything.
A few months after graduating from law school, Blaine, 25, had invested all the money he had earned trading NFTs over the past year in hopes of using it to start a life with. her fiance. He had placed $50,000 of a stablecoin, USD Coin (USDC), in an asset liquidity pool for USDC and Cashio stablecoins nine days prior, but when he tried to withdraw his money on Wednesday, it wasn’t worth nothing.
“I just went out and went for a walk,” he said.
Blaine, who asked that only his first name be published for privacy reasons, was just one of dozens of victims of a hack that netted a con artist more than $50 million. Officials exploited a vulnerability in the underlying technology of Cashio, a stablecoin pegged to the price of the US dollar.
According to CashioApp, the hacker(s) exploited an “infinite currency” glitch to create counterfeit CASH, Cashio’s stablecoin token. The attacker created about 2 billion more tokens of the cryptocurrency, which the hacker exchanged for other types of stablecoins through CashioApp, according to an investigation by blockchain intelligence firm TRM Labs.
Through several other stablecoin exchanges and using the so-called “bridges”, Jupiter and wormhole, the hacker moved the funds from the Solana blockchain to the Ethereum blockchain and exchanged them for the cryptocurrency, Ether. The funds were in the attacker’s crypto wallet as of 4 p.m. Friday, said Rita Martin, blockchain investigator at TRM Labs.
A few hours after the robbery, in a gesture à la Robin des Bois, the scammer put a message in an Ethereum transaction that said it would return stolen funds to those who had less than $100,000 in relevant liquidity pools, where people can exchange one type of cryptocurrency for an equal amount to another from from a pool of collective funds. The scammer went on to say that “all other money will be donated to charity”, a claim that cannot be verified.
But instead of sending the money to individual crypto wallets, which would give the victims their money immediately, the hacker sent the money back to the accounts in the liquidity pool, which the victims cannot access.
It’s like a thief taking money from everyone in a gated community, said a Twitter user called Ceteris. Some houses have more than $100,000 and some less, but the thief only wants to return the money to them. The thief takes the money owed only to these victims and gives it to the community manager, but these victims do not have immediate access to their money.
However, because the value of Cashio has fallen so rapidly, people who had invested, say, USDC in a liquidity pool involving Cashio theoretically could not withdraw their USDC because they cannot put an equal amount into Cashio, Martin mentioned. . The liquidity pools are coded such that a withdrawal must be balanced by a deposit of equal value so that the pot never runs dry.
For people to be able to withdraw their money from these liquidity pools, the price of Cashio would need to recover, Martin said.
“With our experience with other DeFi hacks, this is something that, if it happened, would take quite a significant amount of time,” she said.
Because they are tied to the value of the US dollar, stablecoins are seen in the crypto community as a “safe” asset that can be used to avoid the volatility of other cryptocurrencies like Ether or Bitcoin. Yet, shortly after the heist, Cashio’s price dropped to around two thousandths of a cent, according to CoinGecko.
When Blaine saw the money refunded to his cash pool account, he hoped it would all be settled within hours. But since then, he hasn’t heard from Cashio again while a representative from Sunny Aggregator, the entity he says technically controls the funds in his cash pool account, told him he “n had no information”.
“It’s beyond frustrating,” Blaine said. “It’s almost like losing the money a second time.”
Now, Blaine says, a row is erupting on social media over whether the returned funds, which represent a relatively small amount of the total amount stolen, should be split among all victims or given to those with less than $100,000 at stake. as the scammer wanted.
Although Blaine accepts responsibility for his losses based on his decision to invest his money with Cashio instead of putting it into another asset, he believes the money should be returned as the con artist intended. Blaine said following the scammer’s wish could result in Cashio or the authorities getting more of the scammer’s money for everyone.
But more than anything, Blaine hopes the scammer will change his mind and decide to return all the stolen funds.
“I have the idea of wanting to give back and all that, but this guy didn’t really go after the Trumps, the Nancy Pelosi, the people who have a crazy amount of money and power. He did. just taken from people,” he said.
This story was originally featured on Fortune.com