A former security engineer for an international tech company pleaded guilty in federal court to hacking two decentralized cryptocurrency exchanges.
As a result of these hacks in July 2022, U.S. citizen Shakeeb Ahmed, 34, illegally obtained over $12 million, according to the U.S. Department of Justice. Ahmed agreed to forfeit those funds, including more than $5 million in restitution to victims. He faces a maximum sentence of five years in prison.
Ahmed exploited vulnerabilities in the smart contracts of the two exchanges: one called Nirvana Finance and another unspecified exchange based on the currency Solana. Smart contracts are digital agreements with the terms of the contract directly written into code. Decentralized exchanges allow people to trade cryptocurrency directly, peer-to-peer, with an intermediary.
Ahmed’s case is the first-ever conviction involving an attack on a smart contract, said Damian Williams, the U.S. attorney for the Southern District of New York.
In his first attack on the unnamed crypto exchange, Ahmed exploited a vulnerability in one of its smart contracts by inserting fake pricing data, causing the contract to generate approximately $9 million in inflated fees.
After withdrawing these fees, Ahmed agreed to return all of the stolen funds, except for $1.5 million, if the crypto exchange agreed not to refer the attack to law enforcement.
Although the targeted platform wasn’t named, several cryptocurrency experts previously linked Ahmed’s previous indictment to the July 2022 attack on Crema Finance, where about $9 million in cryptocurrency was stolen.
A few weeks after his first hack, Ahmed also targeted Nirvana Finance by using an exploit in its smart contract to purchase the platform’s own crypto token at a low price and sell it back to the platform at a high price. In this way, he obtained approximately $3.6 million in illegal profit, almost all the funds possessed by the exchange.
Nirvana offered him a bounty of up to $600,000, but Ahmed demanded more. With no agreement reached, Ahmed kept all the stolen funds, leading to the platform’s shutdown.
In a statement on Friday, Nirvana Finance said that if Ahmed returns the stolen money, the cash will be distributed to those affected by the hack based on their exposure at the time of the theft.
At the time of both attacks, Ahmed worked for a tech company in New York. Prosecutors did not name the company, but TechCrunch reported in July that he was an Amazon employee at some point. His resume stated that he was well-versed in reverse engineering of smart contracts and blockchain audits — skills he used to execute the hacks.
After the thefts, Ahmed tried to cover his tracks by exchanging the stolen money for Monero — a cryptocurrency designed to offer enhanced privacy and anonymity for its users, making transactions difficult to trace. He also utilized cryptocurrency mixers, switched between different blockchains, and used overseas crypto exchanges.
Worried about getting caught, he considered leaving the U.S. Police discovered that he searched online for information about his hacks, as well as websites related to his ability to flee the U.S., avoid extradition, and keep his stolen cryptocurrency.
For example, he searched for terms like “can I cross the border with crypto,” “how to stop the federal government from seizing assets,” and “buying citizenship.” He also visited a website titled “16 countries where your investments can buy citizenship.”
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.