152: Stacc Attack

be at. So, I bought the cheap one and I used it for a few days, and then sold it for more than I bought it. I did that three times, and eventually had enough money to get the camera for myself. Basically, it was a free Canon Rebel, and I used the crap out of it. I probably took thousands of photos with it. I shot models sometimes, but my favorite was architecture. I especially loved derelict or abandoned buildings. After a year of taking all these photos, Canon was launching a new

camera, the 5D Mark II. Oh, how I started wishing I could get that, and for some reason, I just couldn't resist, and I pre-ordered it. The thing cost $2,500, and it was absolutely something I could not afford at the time, but I thought it was my ticket to becoming a professional photographer. So, I spent every last penny I had on it and even went into debt to buy it. Oh, it was amazing. Full-framed sensor, it took perfect photos, but here’s the problem;

I felt this thing was way too expensive to take anywhere. Like, if I’m walking around in abandoned buildings with thousands of dollars in camera gear around my neck, I might get robbed, and if it got scratched, I would have cried. So, I never took that camera anywhere, and brought my cheaper one with me instead, the one I didn’t mind if it got broke or stolen. But this changed my whole relationship with photography after that. I had all this camera gear, and because I was too

afraid to use it, I didn’t shoot much at all. I realized my dreams of being a pro photographer were done, and it was a dumb idea to buy this thing. I don’t know what I was thinking at the time. So, I tried selling it, but the thing is, selling something that expensive is tricky. You could easily get scammed or robbed, and it was very nerve-wracking. On top of that, nobody was really buying these super high-end cameras, so I ended up selling it for way less

than what I paid for it. Now, I say that was the dumbest thing I bought, because yesterday, I bought something way dumber. (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS] Yeah, alright, so, let’s start at the beginning here. First of all, what do you want to be known as if I call you names? JARETT: Yeah, it’s fine — Jarett Dunn works.

I’m all over the internet and I’m totally doxed. It’s perfectly fine. Then, if not, then most people would know me as the Stacc, I guess, or Stacc Overflow. I’m gonna jump to the chase for you right now. Jarett, AKA Stacc, executed a wild and astonishing robbery. He stole millions of dollars in cryptocurrency, which is why I call this episode Stacc Attack. But his grand heist is so different that it had me questioning far more

than stolen money. It cracked open a door that I didn’t even know was there, leading me through a maze of questions that I’m still trying to find my way through, and it’s also a story I think a dozen people have told me to look into at this point. Have you heard of meme coins? They’re like jokes but in the form of cryptocurrency. They’re really weird and nobody seems to understand why they have any value at all. JARETT: Yeah, there’s no inherent value. The

whole pitch is that there is no pitch. JACK: You might say, oh, I would never buy something with no value. Oh yeah? Then are you saying you’ve never bought name-brand clothes or food or medicine? The store brand Ibuprofen has the exact same ingredients as the Advil brand, and it’s just as effective and is honestly the exact same product, yet people still prefer the Advil brand even though it costs twice as much, and that’s marketing for you. That’s storytelling

for you. Stories alone give value and meaning to otherwise meaningless or valueless things. So, anyway, people are buying cryptocurrencies simply as a joke, almost like they’re laughing at themselves. Like, they know they’re buying a meme coin and it’s a stupid idea, but they’re like,

yeah, let’s do that, and then they feel stupid even after doing it. It’s very strange. Now, are you into — do you like crypto and NFTs or is this something you’re just poking at and making fun of and being like, what idiots are buying all this stupid stuff?

with causing a lasting change, I guess. But I’ve kind of been disillusioned, and I’m not really sure where I fit in the spectrum of a believer or not these days, 'cause it pays the bills. However, I have this looming court case, and so, I don't really know where I stand. I’m a developer. I’m not a very great developer, and somebody recently described me as a savant programmer,

but I don't think so. I connect dots really well, and I’ve contributed, I guess, to Bitcoin, Ethereum, some — I contributed that way to Steam, and I was actually a block-producing whitness on a bunch of sidechains. I played around with eos for a while. I went to WAX. WAX is a gaming chain that is like an esport, kind of like a — very close to eos, and then — the thing is, Solana’s built different, and they really do tailor the entire thing to welcome and promote

new developers. So, once I found Solana, I kinda found a place for myself, I guess.

losses for everyone involved. The bug-hunting — I’m trying to get a square understanding of this because — are you looking for bugs and then reporting them so they get fixed, or are you looking for bugs and then exploiting them? JARETT: So, I will tell you. I have in the past reported any number of bugs that have gone on deaf ears. I’ve reported bugs all over the place. So, I reported a bug to Radeon and Orca Whirlpools at one point. Orca dismissed it as out of scope

because they don’t support that big of a program, I guess. I don't know why. Then, also, Radeon, they got ahold of me in the end and basically said, there’s nothing we could do to prevent good market behavior. So, that’s that kind of wall you hit. In short, no, I usually try to report these things. In total I’ve been paid, I think, two bug bounties that are significant. JACK: [Music] Jarett claims that he had

information about FTX’s downfall before it became public. FTX was a huge crypo exchange that was discovered to be mismanaging its money and lying about it, and the founder ended up going to jail. A lot of people lost a lot of money because of it, and Jarett tried to warn his government by telling them to look into FTX. JARETT: In November 2022, I withdrew my re-application to the Canadian Forces, hoping to bring my concerns to the right

people about FTX. Proud to make a difference. However, the recruitment process took too long, and when I finally withdrew my application, the damage had already been done to the larger crypto ecosystem. Knowing that should I ever be left in a moral conundrum with hundreds of millions in user funds at risk, surely leading to another bloodbath or worldwide suicides, the only way to be heard is through dramatic and impactful action, because without a

theatrical display, nobody ever really listens. JACK: He wished he could have been more dramatic and theatrical to warn people about the FTX collapse? That makes me wonder what he’s thinking here. Like, what does it mean to be more theatrical about warning people? What do you consider yourself? Are you trying to make things better? Are you securing the internet, the crypto, are you evangelizing it, or are you sticking your finger in someone’s eye?

so they put her out of her misery. JACK: Oh, my gosh, that was — that must have been so sudden and surprising. JARETT: Yes, it was. So, she was already on — we knew she was on the way out. It’s a very long story, but it is what it is, and it’s probably for the better. I still struggle with very important days of the year. I struggle.

He wanted me to add that the psychiatric report is questionable since the NHS screwed it up a little bit by putting the wrong ID on there and misspelled his last name. In February 2023, he was grieving her loss pretty hard because it was the one-year anniversary of her death, and he turned to his computer to cope. [Music] Perhaps that’s a safe outlet if he’s just playing video games or watching YouTube, but what he decided to do was attack the Solana network.

Solana is a type of cryptocurrency. It’s the fifth-biggest coin in terms of market cap. It’s kind of a big deal, and Jarett knew some of its weaknesses. So, he started messing with it.

recursive transactions. So, you’ll actually have a transaction that calls another transaction in the same slot, which, obviously, if you have enough money to pay the Pied Piper, that’s terrible for blockchains or any competing network. All went down again, and a couple days later, I was asleep or in a coma, and the entire Solana network went down when clockwork came back up.

have had a really beefy system. JARETT: No, it was just using their thread. So, I was queuing transactions that would then call themselves on a chain whenever there were certain conditions met. However, I then found out that I could just have them call themselves immediately, which is the recursion that I think broke it. JACK: Solana reported a twenty-hour outage on February 25, 2023. They experienced unusual block sizes which, when re-broadcasted through

the network, ended up degrading the service. So, they put Solana in maintenance mode to fix the problem. Essentially, no Solana transactions could occur pretty much that whole day. I can’t exactly confirm it was Jarett who took down Solana during that time. My guess is he contributed to whatever problems that were going on, but the thing is is that he was never blamed for this. Solana never came out and said they know who did it or anything like that. I have to admit, I didn’t think it was

possible to cripple a cryptocurrency’s network so badly that it can be taken offline like this. $2 billion are traded every day on Solana, and for all that to come to a halt because some guy is having a bad day? That’s just wild to me. How did you get started with Pump.fun?

but it filled immediately. I didn’t expect anything to happen. I went to go back to my bed; I went back to the computer. My two Sol had become ten Sol, which is significant. So, I guess I was hooked on the casino at that point. JACK: [Music] Pump.fun. To research this episode, I actually created an account on there and used the site for a few days. He’s absolutely right; it feels like a casino, and it’s pretty addictive because of that. The meme coins I bought on there

yesterday absolutely are the dumbest things I ever bought in my life. I kept finding myself lost in a daze, staring at the screen, watching my bags, then suddenly waking up, realizing I’m betting on memes. I say to myself, what in the world are you doing? So, what Pump.fun is — it’s a place that anyone could go to and make a meme coin on the Solana network. It’s very easy and fast.

Then others can buy your meme coin from you, if they want, on the site. The site looks a lot like 4chan, and as you’re there, you’re just bombarded with endless messages of new coins being created and what coins people are buying and selling, and it’s wildly popular. So, before your eyes, you’re watching a coin get created by someone, and then hundreds of people are buying that coin all in the first five minutes of it existing. I only went there to research this place. I only spent

a few bucks on meme coins. Like, for $2, you can buy 30,000 meme coins. As I used the site myself, I got familiar with the game. It’s called Pump.fun because the game is to pump and dump. A meme coin’s relevancy only lasts a few minutes sometimes, then it crashes into oblivion. So, the game is to jump in on a coin, hoping more people are gonna buy it after you do, and if they do, your holdings go up. Then you need to get out before that goes back down. So, the

people holding that coin will use every strategy they can to get others to buy it after them. As I played this game, I, too, became someone trying to convince others to get in on this coin. It’s hot. Pump it, and then as soon as they’d jump in, I’d jump out, dump it. It’s ruthless in that way because you see the other people who are buying the coin, and you want to think they’re on your team. They’re gonna help you pump it. But, no, they’re just looking for a way

to get out before you do. Everyone’s trying to take each other’s money, and that’s the game. That’s the gamble, and I think that’s what draws a lot of people to come play at the site. One of my favorite towns to visit is Las Vegas, and everyone knows when you gamble, the house always wins. It’s a rigged game, yet they still gamble. They put their luck on the

line and bet real money even after knowing the games they’re playing are not fair. But I love Las Vegas because there’s nowhere else in the world which is as wild and crazy as it. It’s incredibly entertaining and fascinating to experience, and I learned a lot from that town, such as how to stay focused in a chaotic environment, how to see through the glitz and glam and notice what something really is, and maybe even a glimpse of what humanity is really like.

I met some people who use Pump.fun regularly, and even they think what they’re doing is laughable. Like, he was telling me he made bank off of Fartcoin or a squirrel called Peanut the other day, or something ridiculous, because when you’re buying meme coins, you’re buying something that is just so bizarre that you end up question your own sanity, but it’s fun because it’s interesting and weird, and we all like interesting things. JARETT: You go there, you make a token,

you share it with your friends and family, and then they come in and buy it after you. It’s on a bonding curve, so, the first person that buys, buys it at the very cheapest, and as more people buy, if it was only buyers, for instance, the purchasing just continues to go up per token. So, the idea is that you eventually sell your tokens for a gain after you’ve shared it with close friends and family for them to buy it after you. Regardless if it's Twitter friends or not,

however you want to describe it, legally it is friends and family. Then you make a gain on their loss, essentially, and that’s basically it. It’s made to look like 4chan, I guess, with the comments and such, and there’s a cute, little interface with flashing lights on the landing page. JACK: You say ‘cute, little interface’. I’m looking at it now; it is ugly. JARETT: Yes, it is. It is horrifying.

got ahold of me and said, you should apply for a couple jobs. I said, sure, why not? Begrudgingly, actually. I had two or three interviews with Pump, different founders, and got an offer. So, they paid for my passport, paid for my flight, paid for a couple other things. I got a same-day renewal of my passport and a ticket — that was actually the same night — and then I flew over to the UK. I

only left Canada once in my life before this. JACK: So, Jarett got hired by Pump.fun and moved to the UK, and he knew this was a crazy idea to move to a new country for some wacky crypto project, but was excited about it, too. JARETT: I was just excited to work at a real office again. I’ve been a remote person since 2013. When I worked for Research In Motion, it was my last in-person job. The guys literally called themselves BlackBerry

and they’re now out of business. It’s a long career of isolation and addiction and stuff, and I just — I really wanted to be part of an organization that was young and fit and looking forward to achieving stuff. They were already one of the number-one earning apps anywhere in crypto. It’s a very long story. I don't really know, but the main thing is I wasn’t on my medication, probably not thinking straight — is one thing. Then…

What was the medication you’re on? JARETT: I’m on antipsychotics once a month via a depot, and I’m also on Elvanse or Vyvanse, or, which — you’re in America, so, Vyvanse, yeah, fifty milligrams a day. JACK: What does that treat?

for every trade that happens on the site. JARETT: So, I’ll send you this link in a sec. Let me just load it up for a sec. Yesterday they made — it’s actually gone down a whole bunch. They made $520,000 yesterday. JACK: Let me look at it. $340 million in fees they’ve collected? JARETT: Yes. That’s not including TBL. That’s just fees. JACK: [Music] The site is apparently crazy popular. Tens of thousands of meme coins are made every day there, and they were experiencing

explosive growth. No wonder they wanted to hire developers. The site was probably barely able to stay on the tracks. It’s strange to me that this is the wacky world we live in, where joke tokens have such a wild demand, where the site creators can make hundreds of millions of dollars from this. See, here’s the thing for me; I want to understand the wolrd. I want it to make sense, and whenever I learn about something that doesn't make sense at all, I used to dismiss it and say,

oh, those people are obviously stupid or that’s fake or that’s wrong or something. But now when I hear something really absurd, I lean into it and I stay there until it makes sense to me. Like, I still don’t understand why the game Banana is the third-most popular game on Steam. Can somebody please explain that to me? Most of the time when I figure out a mystery like that, it’s a big waste of time for me, because I’ll just learn that I was lied to on the onset and

I saw something fake or something which made me believe something else. But in this case, we can see exactly how much money this site is making because the blockchain is public for anyone to see. Yeah, they’ve made hundreds of millions of dollars on this site. How are meme coins so popular that millions of dollars are being spent on them every day? The more Jarett learned about

Pump.fun, the more concerned he grew with the whole company. To start with, one of the first things that happened when he arrived is they held a black-tie party, which was wild. JARETT: Outrageous. There was a horse, like a miniature horse, there was fire dancers, there was two hundred oysters that were bought. We spent like, $20,000 on the bar. JACK: He started thinking this

place is more crazy than he realized. JARETT: In short, I think they’re committing any number of felonies tens of thousands of times a day, actually, 'cause there’s like, 20,000 of these tokens launched every day. The first thing that I didn’t really give much thought to is there’s no KYC or AML across the entire board. JACK: Okay, so, KYC is know your customer,

and AML is anti-money laundering. Personally, I don't want anyone in the world to know I bought a meme coin from this place, so, I definitely don’t want to be putting my actual name as the owner of that. Think about if I went into a casino in Vegas to gamble; there’s nobody collecting my name before I can gamble there. But regulations are starting to come up everywhere in cryptoland, and it’s very difficult to know what to follow and how. So, I’m just not sure if the site is

required to do any KYC or not. Then Jarett also thinks that there’s a whole financial advice problem on the site. See, the government has made it illegal for me to give you financial advice. If I wanted to give you financial advice, I’d have to be registered with the SEC. Jarett tells me that there are loads of people on Pump.fun who are, in fact, giving financial advice, saying things like ‘buy this cryptocoin and you’ll get rich’. Is that illegal? Jarett thinks so.

So, he tells me the site’s official stance is that we’re all friends and family on the site, because you can give financial advice to your friends, and that’s not illegal. I looked on the site for a privacy policy or a terms of service, and they don’t exist. So, from what I can tell, the site does not post any rules of what’s allowed or not allowed. But there’s one part of the site which is worth mentioning. To launch a coin, you need to create

an account, name the token, and give it a logo or something. But to pump it, you can go live, flip on your camera, and tell the world why they should be buying your token. Of course, because you’re the creator, if the token goes up, you make money. But can you think of any problems that might arise on a site where you can make money livestreaming and everyone is

anonymous and no age checks are required? JARETT: So, the live-streaming feature — so, if you go and create a coin — and actually, it’ll show you on that landing page if anybody’s live streaming, and you can kinda get the gist. This was one of the things that caused me very much grief. I remember I said to my friend’s boyfriend, how could I work on

this feature? Their live-streaming platform allows for the sexualization of young girls for financial gain, operating without KYC or AML protections, thus exacerbating the potential for

exploitation and abuse. So, basically, anybody can live stream on the site, and what that really means and how this came to be, in fact, having noticed it while I was there, is that questionably of-age girls were sexualizing themselves on camera as a live-streaming platform for sex cameras or whatever you call them, porn cams.

The point is there’s no KYC. There’s no even attempt to prove that anybody’s of age. So, for instance, when one of the founders joined one of these streams that were happening on Telegram at the time 'cause they were excited and wanted integrated live and the site gets a major boost in traffic and fees and all that — he joins, and somebody else is on the audio for this Telegram chat and says, this girl is twelve years old. She says, no, baby, I’m twenty-one,

and that was the extent of the KYC there. JACK: I did not ask Jarett to show me evidence of underage girls streaming on the site, and Jarett’s lawyers told him they didn’t want to see it, either. I did see sexual photos of adults, though, on the site. Let me read a tweet from you that the Pump.fun Twitter account wrote on June 13, 2024. ‘We at Pump.fun are fully committed to a family-friendly user experience. Trading memes should be a fun experience for the

whole family. That is why we resolutely condemn the porn meta that has taken over our site, but we can only accomplish that with your help. Please send all the porn you find to our intern.’ And it has the intern’s e-mail address. See, that’s what I mean about Pump.fun. You can't tell if what you’re looking at is a joke or real. But as I spent time on the site myself, I could

tell you it’s definitely not family friendly. I saw way too many buttholes while I was there, for sure, and the strong has a strong resemblance of 4chan, which is known for being the underbelly of the internet, where the scummiest of content is posted and shared. But heck, even 4chan has rules. I sat in on the very first Twitter Spaces that Pump.fun held. 10,000 people

joined it, and the craziest question got asked. This question actually contains a swear word, so, if you don’t want to hear swear words, skip ahead two minutes.

all, I think our ethos is we’re super-pro free speech. We want as much as — as much content as possible… SPEAKER: Correct. PUMP.FUN: …on our platform to go across. However, if there’s anything illegal or sort of outright illegal based on the platform, we have to take it down, right? We can't have that running both as a

moral obligation and as a business obligation. We don’t want to be distributing anything like that or have anything on the platform — so, yeah, that’s the way we stand… Have you guys ran into anything illegal yet? PUMP.FUN: Actually, no. Surprisingly, our — we’ve sort of had this moderation team and stuff like that, and surprisingly, there hasn’t been anything too shocking. But obviously we’ve prepared for the worst-case scenario. SPEAKER: I’m sorry, I just have one last

thing to say and then I’ll get outta here. For you saying the illegal stuff and basically moderating what happens on Pump.fun, I had an idea, and since I guess I’m talking to Pump.fun right now, can you guys tell me if this is illegal or not? It’s an idea for Pump.fun. I was thinking about — well, I was thinking about fucking a girl live on Pump.fun tonight 'cause my birthday’s tomorrow, so, I thought it’d be super exciting and crazy and different. But

is that illegal or not? I’m genuinely asking. It’s something that I’m very serious about. The girl is coming over. Is that illegal? Is this something I can put on Pump.fun, fucking a girl live? PUMP.FUN: Okay, so, yeah… SPEAKER: Very curious question. Very curious question. PUMP.FUN: Yeah, a very serious question. I mean, okay, let’s put it this way; we are very free-speech oriented. Obviously sexual content does exist on the web, so, yeah, I hope you take that answer as we

sort of say it, basically. So, yeah. SPEAKER: I love you guys so much. Thank you so much for having me up here. Sapuji and Alon. I love y’all.

on camera to pump a coin, and when he got it to pump, he sold his whole stake in it. Then there was another guy who went live after creating the Truth or Dare token, and someone dared him to cover himself in isopropyl alcohol and then shoot fireworks at himself. So, he did it. The guy set himself on fire and burned pretty bad. He was rushed to the Miami hospital where he suffered third-degree burns on a large portion of his body.

People do some pretty wild stuff on Pump.fun. We’re gonna take a quick ad break here, but stay with us, because cause Jarett’s gonna top all those stories and do something even more wild. [Music] So, he’s starting to have qualms with the ethics of this project and is questioning if this is even something he should be working on. Then, on top of that, he started to get upset with the team and decided to move out of the communal living space and get his own apartment.

Aside from all these long-standing concerns, I’m really bad with money. I was making good money, but the thing is, I just spent it all on just — 'cause I am bad with money and I do party. The point is, not anymore. I’m twenty-one days sober today. I’m trying…

I asked for them to square up to the day of that month that I had worked, which was halfway through the month, so I could get some money to find a better apartment. They said no. I said, can you — why? They said, 'cause it would look like preferential treatment. At this point we had three other people working now. Mind you, the CEO did mention — promised, rather — that I was gonna get weekly pays, which would help me out a lot. I would not have been

in this situation. However, it was monthly, eventually. What happened is I said, well, can you pay out bonuses? He says, no; bonuses to everyone — said this is preferential and stuff. [Music] So, with a head full of alcohol and the lack of ADHD meds and the depression from the loss of his mother and being in an apartment with mice and rats in a town he’s totally unfamiliar with and working for this mega-profitable crypto startup which wasn’t aligning with his ethics and

morals, everything swirled together into focus for Jarett. Did you know what you were about to do? Were you aware of your actions at all? JARETT: The psychiatric report confirms that I was aware of what I was doing but fully unaware of the illegality of my actions. I had no idea any of this fallout would happen. I had no idea the police would care. I didn’t think this through. I really didn’t. So, unfortunately, I am where I am. I gotta deal with the repercussions of my

actions. I gotta learn there are consequences to my actions. So, I’m just resigned to it. So, where does this begin? Do you see the vulnerability in the code and then just decide to exploit it as soon as you find it? JARETT: Yeah, and funny enough, I did report it a couple weeks before that. There was just no action to patch it or fix it. Well, you’re the developer. JARETT: I know, but I reported it. I tried to tell the CTO… JACK: Yourself — e-mail yourself; like,

hey, you should fix this. Eh, I’m busy. JARETT: Yeah, true, true. No, I mean — true enough, true enough. JACK: This hack is probably one of the more complex hacks I’ve ever talked about. I didn’t understand it when Jarett explained it. I didn’t understand it when I read an article explaining it. I didn’t understand it when I asked my degen friends to explain it, and it took a long time of me reading article after article,

trying to fully grasp what happened. I’ll summarize it just for the geeks out there who like the technical aspects like me. When a token is made on Pump.fun, it pretty much is just available on Pump.fun, but when enough people buy it, it then gets graduated to Raydium, which is a DEX, a decentralized exchange, and this makes it a little bit more official because it’s on this decentralized exchange now.