Inside Job: Security Engineer Behind Multi-Million Dollar Crypto Exploits
Shakeeb Ahmed, a senior security engineer associated with an international technology company, pleaded guilty on December 14 to computer fraud in connection with his hacking of two decentralized crypto exchanges.
The announcement of the guilty plea was made by Damian Williams, the United States Attorney for the Southern District of New York, on Thursday this week.
Ahmed’s guilty plea is noteworthy as it marks the first-ever conviction for hacking a smart contract.
The charges relate to the July 2022 hacks on two exchanges, one of which was simply referred to as the “crypto exchange,” and the other a part of the decentralized finance (DeFi) protocol Nirvana Finance.
Former security engineer for international technology company pleads guilty to hacking two decentralized cryptocurrency exchanges https://t.co/KPciTKIRNB
— US Attorney SDNY (@SDNYnews) December 14, 2023
At the time of the attacks, Ahmed, a 34-year-old US citizen, served as a senior security engineer and possessed specialized skills in reverse engineering smart contracts and conducting blockchain audits, the prosecutor said in the announcement.
Crypto exchange hack
The crypto exchange allowed users to trade various cryptocurrencies and rewarded users for providing liquidity.
Ahmed exploited a vulnerability in the exchange’s smart contracts, leading to the fraudulent generation of approximately $9 million in trading fees.
Following the theft, Ahmed entered into discussions with the exchange, agreeing to return most of the stolen funds if the exchange did not contact the police.
Nirvana Finance attack
In another attack, Ahmed targeted Nirvana Finance in July 2022.
Using a so-called flash loan, he secured approximately $10 million, manipulated Nirvana’s smart contracts, and profited around $3.6 million.
Despite Nirvana’s offer of a “bug bounty,” Ahmed demanded $1.4 million. He ultimately retained all of the stolen funds, and Nirvana closed as a result.
After the attacks, Ahmed employed intricate laundering techniques, including token-swap transactions, bridging fraud proceeds between blockchains, and converting funds into the privacy coin Monero (XMR).
Facing five years in prison
Ahmed pleaded guilty to one count of computer fraud, carrying a maximum sentence of five years in prison.
As part of the plea agreement, he agreed to forfeit over $12.3 million, including about $5.6 million worth of stolen crypto.
Ahmed is scheduled for sentencing on March 13, 2024 before United States District Judge Victor Marrero.