On or about October 11, Eisenberg attacked Mango Markets, a decentralized exchange (DEX) on the Solana chain, by manipulating the price of MNGO, the platform’s governance token, and taking out a loan based on the manipulated price. Then, he took the money off the exchange, which left depositors without access to their funds.
In December, Avraham Eisenberg was arrested in Puerto Rico and has been charged with fraud by prosecutors in New York. Now, the CFTC is suing him in civil court for fraud, market manipulation, and violating the Commodity Exchange Act. The CFTC seeks monetary penalties, a ban on trading, and a restitution of almost $50 million.
October was a mighty good month for cyber thieves like Eisenberg. Right before the Mango exploit, a hacker exploited Binance’s BNB blockchain for $80 million, which must have been a relief to Changpeng Zhao, CEO of Binance, because the hacker had created $570 million worth of the BSC token.
Hackers netted at least $718 million in October alone, according to blockchain specialist Chainalysis, taking the gross tally for the year past $3 billion and putting 2022 on course to be a record for the total value hacked.
Manipulating the Oracle
Eisenberg’s attack scheme is called “oracle manipulation,” according to the CFTC’s complaint. The complaint states, “Defendant purchased over 400 million MNGO-USDC Swaps on Mango Markets with a position size of approximately $19 million.”
Eisenberg’s exploit started with two anonymous accounts on Mango Markets. He deposited $5 million of USDC in both accounts. In the first account, he set up a $19 million long position with leverage, using 400 million MNGO/USDC swaps. With the second account, he set up an opposing $19 million short position with the same number of MNGO/USDC swaps.
The CFTC stated, “In this way, Defendant placed himself on both sides of the same transaction, which effectively resulted in a ‘wash’ transaction. Because Mango Markets did not require any identifying information to trade on the platform, Eisenberg was able to create both accounts anonymously, thereby concealing from Mango Markets that he was on both sides of this transaction.”
Eisenberg used shadowy deception to establish the strategy. Now, the stage was set to carry out highly profitable financial crimes, but he still needed to drive up the price of MNGO, so he bought large swathes of MNGO on several different digital exchanges, totaling more than 20 million MNGO tokens.
Within 30 minutes, this wash trade caused MNGO’s price to skyrocket about 13-fold, from $0.04 to $0.54. In that window of artificially inflated price movement, Eisenberg borrowed $144 million in bitcoin, ether, and Tether, basically all of Mango Markets’ available liquidity.
Then, he turned around and withdrew them from the platform into various anonymous wallets. Then, he sold the massive stake in MNGO tokens he had acquired, crashing the price. Like that, a lifetime’s supply of digital wealth was created, extracted, and deposited into Eisenberg’s digital coffers.
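A constructed Python model of the collateral-valuation weakness the CFTC complaint describes, added here as an illustration (it is not Mango Markets’ code or any real oracle): it compares how much a position could borrow when collateral is valued at the instantaneous spot price versus a time-weighted average price, and shows how a spot/TWAP deviation guard would have paused borrowing during the spike. Position size, loan-to-value ratio, window length and the deviation threshold are assumed values.

```python
# Constructed toy model of a lending market that values a trader's position
# with a price oracle. Not Mango Markets' code; all parameters are illustrative.

def twap(prices, window):
    """Equal-weight average of the last `window` price samples."""
    recent = list(prices)[-window:]
    return sum(recent) / len(recent)

def borrow_limit(position_size, price, ltv, pool_liquidity):
    """Position value at `price`, scaled by loan-to-value, then capped by
    what the lending pool actually holds (no oracle can lend more than that)."""
    return min(position_size * price * ltv, pool_liquidity)

def deviation_guard_trips(spot, reference, max_deviation):
    """True when spot has moved more than `max_deviation` (a fraction) away
    from the reference price; a protocol would pause borrowing in that state."""
    return abs(spot - reference) / reference > max_deviation

def evaluate(price_path, position_size=400_000_000, ltv=0.8,
             pool_liquidity=144_000_000, window=6, max_deviation=0.2):
    """Compare a spot-only oracle with a TWAP oracle for the same position,
    and report whether a deviation guard would have halted the loan."""
    spot = price_path[-1]
    avg = twap(price_path, window)
    return {
        "spot": spot,
        "twap": avg,
        "limit_spot_oracle": borrow_limit(position_size, spot, ltv, pool_liquidity),
        "limit_twap_oracle": borrow_limit(position_size, avg, ltv, pool_liquidity),
        "guard_tripped": deviation_guard_trips(spot, avg, max_deviation),
    }

if __name__ == "__main__":
    # Constructed price paths: a calm market at $0.04, and the ~13x spike to
    # $0.54 described above, landing inside a single TWAP window.
    calm = [0.04] * 6
    spike = [0.04] * 5 + [0.54]
    for label, path in (("calm", calm), ("spike", spike)):
        r = evaluate(path)
        print(f"{label}: spot=${r['spot']:.2f} twap=${r['twap']:.3f} "
              f"borrow(spot)=${r['limit_spot_oracle']:,.0f} "
              f"borrow(twap)=${r['limit_twap_oracle']:,.0f} "
              f"guard_tripped={r['guard_tripped']}")
```

With the spot oracle the spike unlocks the entire pool; with the TWAP the same spike raises the limit only modestly, and the deviation guard refuses the loan outright.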
“I stole it fair and square”
On October 15, 2022, Eisenberg tweeted that his fraud scheme was totally legit as a “highly profitable trading strategy.”
Twitter users were not so sure.
Eisenberg stole more than 10% of all value locked on the Solana blockchain that Mango is based on, according to DeFi Llama. However, after being taunted by tweets about jail time, Eisenberg seemed to question his highly profitable strategy.
As such, he backpedaled, tweeting “Unfortunately…Mango Markets became insolvent as a result… this led [to] other users being unable to access their funds.” So, he negotiated to return more than half of the money to Mango Markets, which is governed by a DAO (Decentralized Autonomous Organization), keeping a massive “bug bounty” for himself.
As with any exploit where the attacker negotiates a return of part of the loot, it was a messy and fraught process. Although some members objected, the DAO eventually voted to allow him to keep $47 million, waiving their right to make any claims on the “bad debt” and promising not to “pursue any criminal investigation or freezing of funds.”
The attacker himself was able to vote to give himself the largest “bug bounty” in history, and the insolvent DAO’s community had no choice but to accept this devil’s bargain in order to make their users whole.
The CFTC didn’t take kindly to Eisenberg’s antics, stating, “Notably, Eisenberg publicly acknowledged his manipulation, and even brazenly proposed to the Mango Markets user community that he would return some of the funds he stole in exchange for an agreement not to pursue him criminally.”
Debates on Discord
On Mango’s Discord server, members of the Mango DAO celebrated the arrest of “the exploit guy.” A member called Deaneedog stated, “The exploit guy just got arrested, perhaps there is a chance of the DAO getting some funds back? The promise not to take legal action doesn’t mean shit because it was under duress.”
Security in the DeFi space is especially lax. Even the forum where decisions are often made, Discord, is open to the public and famous for its vulnerability to exploits. We at Disruption Banking already wrote about the misfortune of CityDAO, which fell victim to an ingenious exploit because of vulnerabilities on Discord.
Michael Lewellen, head of solutions at OpenZeppelin, told Bloomberg, “If an attacker can steal enough tokens to vote themselves a reward, it sends a signal that DAOs can be hacked successfully using stolen tokens to avoid repercussions. This signals the need for better governance security that accounts for malicious token voters.”
Mango members would likely agree. On Discord, Deaneedog also said that business was trending down. “Concerns are MNGO has never been able to produce much revenue compared to cash burn, not unusual for growth businesses but revenue has been trending down and now basically nonexistent with outlook looking poor (liquidity on Solana has dried up). Regulatory risk is large, this could all be outlawed and the devs would disappear along with any serious volume / traders.”
What Mango really needs is their money back. After Eisenberg was arrested, a member of the DAO mocked him on Twitter.
A member of the DAO, who preferred to remain anonymous, stated in a Discord message, “Personally wish for him to return the funds and get a lesser sentence.” When asked how the internal negotiations proceeded, the member said, “Negotiations will most likely become public during the continued investigation of DoJ.”
CFTC v. SEC, again
On January 9, the CFTC acknowledged that the SEC is also investigating Eisenberg. You might ask, “Why are two regulatory agencies duplicating investigative work?” Great question! It’s because they’re engaged in an ongoing turf war over the crypto space.
Adam C. Pritchard, a professor of law at the University of Michigan who specializes in SEC enforcement, said in an email with Disruption Banking, “Cryptocurrency sits at the intersection of commodities and securities, so there is room for jurisdictional squabbles between the SEC and CFTC. DOJ is not similarly constrained.”
Bitcoin was claimed by the CFTC because it is a commodity, but for the rest of the 19,000 crypto tokens, the field is open and the SEC and the CFTC have been jostling each other for the territory.
As Disruption Banking has previously reported, the leaders of each agency are enmeshed in a Beltway-style Cold War, where they publicly deny there is any beef, but for the seasoned C-SPAN wonk, the tension is painfully obvious.
Officials at the CFTC have previously warned that the DeFi ecosystem could become the target of regulatory enforcement, partially because DEX platforms are unregulated and do not have the TradFi intermediaries that monitor fraud, safeguard deposits, and prevent money laundering.
Eisenberg’s Prior Criminal Exploits
In fact, this wasn’t Eisenberg’s first rodeo. He had already carried out a multi-million dollar heist back in the spring of 2022, when he defrauded almost 6,000 FortressDAO investors out of $14 million, of which he allocated $7 million for himself. He probably would have kept more, but the members of the DAO spoke out on Twitter, so he placated them with $7 million so they would keep quiet.
Before exploiting FortressDAO, he had already conned Waves Protocol and Aave.
Amazingly, these exploits flew under the radar of law enforcement, which is a sign of how little the FBI, the SEC, and the CFTC actually know what’s going on in this space. In fact, Eisenberg had been minting millions for more than a year before law enforcement finally dragged him away in handcuffs, and he was bragging about it on Substack.
On October 12, Chris Brunet, an independent journalist on Substack, doxxed Eisenberg, which spooked the fraudster. He fled from Puerto Rico to Israel the very next day. Eisenberg cooled his heels for a bit, but then he came back to Puerto Rico, thinking the coast was clear.
The lack of reaction likely emboldened Eisenberg to go bigger in the scale of his DeFi protocol exploits.
Eisenberg finds out who makes the rules
The last tweet Eisenberg liked before he was carted off to the slammer really illustrates the ethos of people like him.
“Chad” is a moniker used by lonely, insecure guys who admire so-called alpha males and view themselves as “Betas.” Alpha Chad-type guys have big muscles and hang out with girls in bikinis at the beach, and Betas must be resigned while Chads kick sand in their faces and laugh with girls hanging ornamentally on both arms. It’s very sad.
The idea that Chads exploit protocols while traders are losers is noxious, but it’s also stupid. In a room lit by candles in Old San Juan, Eisenberg would have probably had better luck telling a woman that he is an accountant than saying “I exploit protocols and hack” while puffing out his chest.
Netizens were quick to point out that Eisenberg liked this tweet before being arrested.
In any case, we can bet Eisenberg is not feeling like a Chad right about now!
Author: Tim Tolka, writer, journalist, and BI researcher
The editorial team at #DisruptionBanking has taken all precautions to ensure that no persons or organizations have been adversely affected or offered any sort of financial advice in this article. This article is most definitely not financial advice.