Recently, brothers Mohammed and Benamar M., accused of orchestrating the $8.5 million hack in February 2023 on Platypus Finance, an Automated Market Maker (AMM) protocol on Avalanche, have been acquitted by a French court.
The siblings were arrested a week after the attack, with information from ZachXBT and Binance pivotal in guiding French authorities to them. According to Le Monde, Mohammed faced numerous charges related to the hack, while his brother was accused of receiving stolen goods.
Platypus Finance Hackers Defended Themselves in Court
Le Monde also reported that prosecutors aimed for a five-year prison sentence for Mohammed. However, the case took a turn when Mohammed asserted that he operated as an ethical hacker, intending to return the funds to the protocol. He hoped to secure a 10% bonus of the total sum.
Despite the prosecution’s pursuit of charges, the tribunal judges took Mohammed’s claim seriously.
They held that because he had accessed a publicly available smart contract, the charges of unauthorized access to a computer system did not apply. The court also examined Mohammed’s use of Platypus’s emergency withdrawal smart contract, the very one containing the vulnerability he exploited.
Defendants Found Favor From the Court
Surprisingly, the court concluded that this use did not constitute fraud. The court also dropped the charges against Benamar. However, the judges told the brothers that the protocol could still pursue them in civil court, noting that the decision did not clear them completely.
The legal proceedings shed light on the evolving landscape of cyber security ethics and on how courts interpret hacking activities. Mohammed’s argument that he acted as an ethical hacker, coupled with the publicly accessible nature of the smart contract, swayed the court in favor of the defendants.
The case also underscores the complexity of addressing cybercrime within the framework of existing laws and the difficulty of distinguishing malicious intent from purported ethical hacking.
How the Hack Happened
Recall that in February, the French police detained two suspects in connection with the Platypus exploits.
According to Platypus Finance, the first attack led to the theft of assets worth about $8.5 million. In the second, assets worth roughly $380,000 were transferred to the Aave v3 contract. About $287,000 was taken during the third. As a result of the attack, the Platypus USD (USP) stablecoin lost its peg to the United States dollar.
According to Platypus, the attackers used a flash loan to exploit a logic error in the USP solvency check mechanism within the collateral holding. The protocol made plans to reimburse impacted customers.