Crypto Robin Hood stole $50 million and says he’ll donate it to charity. But the victims just want their money back
Staring at his computer screen, Blaine couldn’t help but start sweating. The $50,000 in cryptocurrency he once had in his account was now worthless.
Months from getting his law school degree, Blaine, 25, had invested all the money that he had made from trading NFTs over the past year in the hopes of putting it toward starting a life with his fiancé. He had put $50,000 of a stablecoin, USD Coin (USDC), into a liquidity pool of assets for stablecoins USDC and Cashio nine days prior, but when he tried to take his money out on Wednesday it was worth nothing.
“I just went outside and went for a walk,” he said.
Blaine, who asked that only his first name be published for privacy reasons, was just one of dozens of victims of a hack that netted a scammer more than $50 million. Those responsible exploited a vulnerability in the underlying technology of Cashio, a stablecoin pegged to the price of the U.S. dollar.
According to CashioApp, the hacker or hackers exploited an “infinite mint” glitch to create counterfeit CASH, Cashio’s stablecoin token. The attacker created about 2 billion additional tokens of the cryptocurrency, which the hacker swapped for other kinds of stablecoins via CashioApp, according to an investigation by blockchain intelligence company TRM Labs.
Through several other stablecoin swaps and by using the so-called “bridges,” Jupiter and Wormhole, the hacker moved the funds from the Solana blockchain to the Ethereum blockchain and exchanged them for the cryptocurrency Ether. The funds were sitting in the attacker’s crypto wallet as of 4 p.m. Friday, said Rita Martin, a blockchain investigator at TRM Labs.
Within hours of the heist, in a Robin Hood-esque move, the scammer put a message in an Ethereum transaction that said he would return stolen funds to those who had less than $100,000 in the affected liquidity pools, where people can exchange one type of cryptocurrency for an equal amount of another from a pot of collective funds. The scammer went on to say that “all other money will be donated to charity,” a claim that cannot be verified.
But instead of sending the money to individual crypto wallets, which would give the victims their money immediately, the hacker sent the money back to the liquidity pool accounts, which the victims can’t access.
It’s as if a robber took money from everyone in a gated community, said a Twitter user who goes by the name Ceteris. Some of the houses have more than $100,000 and others have less, but the robber only wants to return money to the latter. The robber takes the money owed to only those victims and gives it to the community manager, but those victims don’t have immediate access to their money.
However, because the value of Cashio dropped so quickly, people who had put, for example, USDC into a liquidity pool involving Cashio would theoretically not be able to take their USDC out because they can’t put up an equal amount in Cashio, Martin said. The liquidity pools are coded such that a withdrawal has to be balanced with a deposit of equal value so the pot never dries up.
For people to get their money out of these liquidity pools, the price of Cashio would have to recover, Martin said.
“With our experience with other DeFi hacks, that’s something that, if it happens, would take a pretty significant amount of time,” she said.
Because they’re tied to the value of the U.S. dollar, stablecoins are perceived in the crypto community as a “safe” asset that can be used to avoid the volatility of other cryptocurrencies like Ether or Bitcoin. Yet, shortly after the heist, the price of Cashio dropped to around two thousandths of a cent, according to CoinGecko.
When Blaine saw the money refunded in his liquidity pool account, he hoped everything would be settled in a couple hours. But since then, he has heard nothing from Cashio while a representative from Sunny Aggregator, the entity that he said technically has control over the funds in his liquidity pool account, told him he “had no information.”
“It’s beyond frustrating,” Blaine said. “It almost feels like losing the money a second time.”
Now, Blaine says, an argument is breaking out on social media about whether the returned funds, which are a comparatively small amount of the total amount stolen, should be split among all the victims or given to the individuals with less than $100,000 at stake, as the scammer intended.
Although Blaine accepts responsibility for his losses based on his decision to invest his money with Cashio instead of putting it in another asset, he thinks the money should be refunded as the scammer intended. Blaine said following the scammer’s wish could allow Cashio or the authorities to get more money back from the scammer for everyone.
More than anything, though, Blaine hopes that the scammer has a change of heart and decides to return all of the stolen funds.
“I get the idea of wanting to be giving back and all of that stuff, but this guy didn’t really go and take from the Trumps, the Nancy Pelosis—the people that have like a crazy amount of money and power. He just took it from people,” he said.
This story was originally featured on Fortune.com