Shakeeb Ahmed, a seasoned security engineer affiliated with a global technology corporation, admitted to computer fraud on December 14, acknowledging his involvement in hacking two decentralized cryptocurrency exchanges.
Ahmed’s guilty plea was announced by Damian Williams, the United States Attorney for the Southern District of New York, this Thursday.
Ahmed’s admission is significant as it represents the inaugural conviction for hacking a smart contract. The charges stem from the July 2022 breaches of two exchanges—one simply referred to as the “crypto exchange” and the other affiliated with the decentralized finance (DeFi) protocol Nirvana Finance.
During the incidents, Ahmed, a 34-year-old US citizen, held the position of a senior security engineer, leveraging his specialized expertise in reverse engineering smart contracts and conducting blockchain audits, as stated by the prosecutor in the official announcement.
Crypto exchange hack
The cryptocurrency exchange facilitated the trading of diverse cryptocurrencies and incentivized users for contributing liquidity.
Ahmed took advantage of a vulnerability within the exchange’s smart contracts, resulting in the illicit creation of approximately $9 million in trading fees.
Subsequent to the unauthorized acquisition, Ahmed engaged in negotiations with the exchange, stipulating that he would return a significant portion of the misappropriated funds on the condition that the exchange refrained from involving law enforcement.
Nirvana Finance attack
In a separate incident in July 2022, Ahmed set his sights on Nirvana Finance. Employing a “flash loan” tactic, he acquired around $10 million, skillfully manipulated Nirvana’s smart contracts, and reaped profits totaling approximately $3.6 million.
Although Nirvana Finance offered a “bug bounty”, Ahmed insisted on a $1.4 million payment. He retained all the pilfered funds, which ultimately led to the shutdown of Nirvana.
Following these attacks, Ahmed employed sophisticated laundering methods, including token-swap transactions, transferring illicit gains across blockchains, and converting funds into the privacy-focused cryptocurrency Monero (XMR).
Facing five years in prison
Ahmed entered a guilty plea for a single charge of computer fraud, a crime that carries a maximum prison sentence of five years.
Under the terms of the plea agreement, Ahmed has committed to forfeiting more than $12.3 million, encompassing approximately $5.6 million in stolen cryptocurrency.
Ahmed is scheduled to be sentenced on March 13, 2024, before United States District Judge Victor Marrero.