# Update #3: Indexed Finance Attack
If you are reading this, it means that the [ultimatum](https://twitter.com/ndxfi/status/1449373158583279622) that we presented to the Indexed Finance attacker was not met, and that alternate attempts at negotiating with the attacker have failed.
It did not have to be this way.
## Introduction & Action
We have spent a great deal of time and effort conducting research into the identity of the attacker. In this post we'll lay out how we conducted this research and the conclusions drawn.
We have instructed an attorney retained by members of the Indexed core contributor team to bring this to the attention of relevant law enforcement agencies in the US and Canada.
In [a previous update](https://hackmd.io/fSTndeFZQPOPKYxlafaNIA), we established a link between the attacker address and the wallet which funded it, thanks to members of the Code 423n4 team who shared their knowledge of the attacker with us.
This update will detail several profiles we have found which we believe belong to the attacker, and which link back to a real world identity.
## A Disclaimer
We are convinced beyond reasonable doubt that our research is solid, and previously showed it to various respected parties in the space, who echoed their agreement (including [banteg](https://twitter.com/bantg/status/1449370241637703695), [Julien Bouteloup](https://twitter.com/bneiluj/status/1449394599764574214), and [Lefteris Karapetsas](https://twitter.com/LefterisJP/status/1449408651458977796)) before the initial ultimatum deadline expired.
With that said, let us begin.
The GitHub profile [mtheorylord1](https://github.com/mtheorylord1) registered as a Code 423n4 (C4) Warden under the account `tensors` via [this commit](https://github.com/mtheorylord1/code423n4.com/commit/4a855b11aea74bd2ac4c3f33427262e4adaf3b89). This is information that was passed to us by a C4 member yesterday, and is important because we have already established that the Indexed attacker and `tensors` are [one and the same](https://hackmd.io/@laurenceday/H1OylawSF#Summary).
This account had no previous or future activity on GitHub. However, searching the username yielded another account - [mtheorylord](https://github.com/mtheorylord) - which had created a repository in 2016 called [Grade-12-Project](https://github.com/mtheorylord/Grade-12-Project). This establishes that the account is likely owned by someone outside of the US (Grade 12 instead of 12th Grade) and that they were finishing high school in 2016.
Looking at the [single commit made by this account](https://github.com/mtheorylord/Grade-12-Project/commit/1f591355a934dbca8288fae2aac5e6ce9bc7c6f9) will not immediately reveal much. In the Git CLI, however, we find the email address that was used to submit it.
The email in question is firstname.lastname@example.org, which includes a domain owned by a high school in Hamilton, Ontario, Canada.
Searching the username again, we found an account by the username [mtheorylord](https://stackexchange.com/users/8787868/mtheorylord) on StackExchange which has been active since 2016.
This account has almost exclusively posted about mathematics since 2016; however, there are some noteworthy posts in other topics:
[One year ago in the Academia stack](https://academia.stackexchange.com/questions/156221/emailing-potential-supervisors-in-the-us-before-submitting-application), `mtheorylord` stated that he had a master's degree in mathematics, and was seeking out advice on applying to PhD programs. In it, he asked how he should go about reaching out to supervisors, and whether it was different in the US than it was in European countries.
[3 months ago in the Ethereum stack](https://ethereum.stackexchange.com/questions/103661/converting-static-variable-to-memory), he asked a question about executing flash loans with Aave on Ethereum.
Searching the username we found an [mtheorylord account on Wikipedia](https://en.wikipedia.org/wiki/Special:Contributions/Mtheorylord), which was active between 2016 and 2017.
This account's first post was:
After that, also in 2016, it [made an edit](https://en.wikipedia.org/w/index.php?title=Reach_for_the_Top&diff=prev&oldid=729487079) to a wiki page about a game show for high school students called "Reach for the Top". It edited the "Alumni" section to add a name which matches the previously found email address, with the descriptor "Notable mathematician".
This edit was subsequently removed by a bot due to suspected vandalism. The account then made a second edit to the page to add the name of the high school which owns the domain in the email address found on Github to the "National Champions" section of the article. This edit was also deleted by another contributor, who stated the high school "did not win 2016 nationals". `mtheorylord` then commented on the editor's page, requesting it be changed back and linking back to an article on the high school's website.
Aside from these edits, the account posted on a page for cannabis culture and several mathematics articles until January 2017.
## Personal Websites
*See update at bottom of section*
Googling the name that was found in the Wikipedia edit to the Alumni section of the Reach for the Top article, we found that the top result was a website [nontrivial.xyz](https://nontrivial.xyz). This website was down for several days after the attack, but had last been cached by Google on October 14th, 2021 at 00:15:18 GMT - about 16 hours before the attack on Indexed Finance.
The cached version stated that the owner is a master's student at the University of Waterloo studying pure mathematics, and that he has an interest in "cryptocurrency and other decentralized open source software".
Executing a [reverse IP search on the domain](https://reverseip.domaintools.com/search/?q=nontrivial.xyz) revealed that the same server also hosted a website [urbitstar.xyz](https://urbitstar.xyz), which is similarly down. A [WHOIS lookup on this domain](https://whois.domaintools.com/urbitstar.xyz) indicates it was registered on February 1, 2021.
The attacker, who we have established went by the Discord handle BogHolder#1688, was a member of the Urbit Discord using the nickname `~libmud-bonted` - corresponding to an Urbit planet - and posted a link in the community on February 28, 2021 to this planet.
The [address](https://etherscan.io/address/0xFC99e43b8D4aA2E87726c10f19785616907e5FC7#tokentxns) owning the associated Azimuth point can be traced back to [an address](https://etherscan.io/address/0x7be53cac08462853476e26cc242f502293e52e97) that we have previously identified as being associated with the attacker, which we had previously sent [a message](https://etherscan.io/tx/0xa30c8b1e6c3c45cff9b0673cc76de006115fa025c63444f21fd1ed7122a5c75e) requesting to talk.
20 minutes before the ultimatum deadline, the personal website was put back online with the references to cryptocurrency stripped out. The website contained a resume which stated the owner of the website's birthday, which indicated he is currently 18 years old. We searched again for his name after this, thinking something was off, and found a news article from 2016 which mentions the name of the website owner in reference to an accelerated learning program, stating that he was a 13 year old in grade 12. The name of the school referenced matches the domain from the original email address found on GitHub.
## Update on BogHolder Connection
As mentioned in the previous post, for several weeks prior to the attack, the Discord user BogHolder#1688 was in communication with the team about development of an arbitrage bot which would automate certain areas of the management of index pools (specifically, selling unbound tokens). As this was an area that no one else had developed bots for, we were excited someone was taking a deep interest in the protocol to develop such a bot, and even hoped we could work with him on other aspects of the project in the future.
We offered to send a bounty of $2k if he would agree to share the code with us in the event that he decided to stop running the bot himself, as it would help automate some parts of the index pool maintenance. He agreed, and we then decided to up it to $4k to further motivate him, and as a show of good faith and desire to work together. We told him we would send $2k up front if he provided a code sample to prove he was working on said bot and $2k when it was ready. He said he would send it later, and two days after that he did provide a code sample which sufficiently demonstrated to us that he had done work on the project.
We asked for an Ethereum address to send funds to, and he sent the address `0xb7e77cdaf7ebf76db72571f2d6e43aa5e84a5e64`. This address was only known by Laurence, Dillon and the attacker. We sent $2k in USDC to the provided address in [this transaction](https://etherscan.io/tx/0x95fc640647a3fed71e843b1755c90278c124a10955a35086d25f01d90164d490). He subsequently deleted the chat logs after the attack.
After we had learned the identity of the attacker and proven to him we had identified him, his information and an earlier version of this document were shared internally with members of the team and trusted parties. Pr0, an angel investor of Indexed and founding team member, sent the attacker an email to his personal email address listed on his website, offering to give him $50k if he returned the funds stolen.
The attacker responded to Pr0 from his personal email address using the same Ethereum address as he had sent to collect the bounty before the attack.
We have established that the Wikipedia, StackExchange and Github profiles for the username `mtheorylord` are owned by the same person, as is the `mtheorylord1` github account which submitted the attacker's Warden registration to the C4 github.
We have established that the owner of these accounts has a personal website expressing interest in crypto, that this website was taken down the day of the attack, that it was later put back up with references to cryptocurrency removed, that it was hosted on the same server as a website for a community that the attacker was a member of, and that the attacker was active in the community at the time the website was registered.
We had previously established that the attacker had a tendency for using mathematical jargon as usernames (ZetaZeroes, UmbralUpsilon, tensors), and the identified party is a master's student in mathematics.
We had previously established that the attacker and BogHolder were one and the same, and we have now established that the identified party in this document possessed information which no one other than BogHolder, Laurence and Dillon knew of.
We hope this information will be useful, and as mentioned previously we have instructed our personal attorney to forward the information to law enforcement.