The US Department of Justice said Ahmed used ‘specialised skills’ including reverse engineering smart contracts to execute these hacks, which were conducted while he was working for Amazon.
Shakeeb Ahmed, a former Amazon security engineer, has pleaded guilty to hacking two decentralised cryptocurrency exchanges and stealing roughly $12.3m.
Ahmed conducted the attacks in July 2022 while he was still working for an “international technology company”, according to a statement by the US Department of Justice. He has agreed to forfeit more than $12.3m – including roughly $5.6m in cryptocurrency.
The department said Ahmed exploited a vulnerability in one of the crypto exchange’s smart contracts and inserted “fake pricing data”.
This caused the smart contracts to generate roughly $9m worth of inflated fees, which were not legitimately earned. Ahmed then withdrew the stolen crypto before he conducted a flash loan attack on Nirvana – another crypto exchange – a few weeks later.
The flash loan attack involved Ahmed borrowing $10m and using an exploit he discovered to purchase the exchange’s ANA cryptocurrency at an initial low price, rather than the higher price that Nirvana was designed to charge due to the scale of his purchase.
After the cryptocurrency’s price went up from the purchase, Ahmed quickly resold the cryptocurrency he had purchased and gained a profit of roughly $3.6m. The crypto exchange shut down shortly after this attack.
The Department of Justice said Ahmed used “specialised skills”, including reverse engineering smart contracts and experience in blockchain audits, to execute these hacks. Ahmed also contacted both crypto exchanges after the attacks and attempted to make his own deals to keep the funds without law enforcement being notified.
US attorney Damian Williams said Ahmed was his office’s first ever arrest involving a smart contract and the result marks the “first ever conviction for such a hack”.
“In total, Ahmed used his technical knowhow to steal [more than] $12m and tried to cover his tracks by swapping stolen crypto for Monero, using cryptocurrency mixers, hopping across blockchains and utilising overseas crypto exchanges.
“Today’s conviction shows that no matter how sophisticated the methods used, fraud is fraud, and we will swiftly catch and convict you.”
Earlier this year, an Amazon spokesperson confirmed to Gizmodo that Ahmed was no longer employed with the company but did not provide further details about his role.
Last month, Binance and its CEO Changpeng Zhao pleaded guilty to various charges in the US and the crypto exchange agreed to pay more than $4bn.