After orchestrating a series of hacks on two decentralized cryptocurrency exchanges (DEXs) that stole more than $12 million worth of crypto, former security engineer Shakeeb Ahmed was sentenced today to three years in prison. This is the first-ever smart contract hacking conviction in the US.
Ahmed was also ordered to forfeit the stolen crypto and pay restitution to the affected exchanges.
Engineer Exploits Crypto Vulnerabilities In $12 Million Hacks
According to charging documents and court filings, Ahmed conducted two separate attacks on decentralized exchanges. In the first incident, which took place on July 2 and 3, 2022, he manipulated fake pricing data to generate approximately $9 million in inflated fees. Subsequently, Ahmed withdrew these fees in the form of cryptocurrency.
Following the theft, Ahmed communicated with the exchange, offering to return the stolen funds, except $1.5 million, if the exchange did not involve law enforcement.
Shortly after, on July 28, 2022, Ahmed targeted another decentralized exchange called Nirvana Finance. Exploiting a vulnerability in Nirvana’s smart contracts, he purchased crypto assets at a lower price than intended and promptly resold them back to Nirvana at a higher price.
Despite Nirvana offering a substantial “bug bounty” of up to $600,000 for the return of the stolen funds, Ahmed demanded $1.4 million. This led to the collapse of the exchange, which had lost all the funds it held, approximately $3.6 million, to Ahmed’s attack.
From Security Expert To Cybercriminal
The investigation revealed that Ahmed used “advanced money laundering techniques” to conceal the source and ownership of the stolen funds.
These included token swap transactions, transferring fraud proceeds from the Solana (SOL) blockchain to the Ethereum (ETH) blockchain through “bridging,” converting the funds to Monero, and then using overseas exchanges and cryptocurrency mixers such as Samourai Whirlpool.
Ahmed, a US citizen, held a senior security engineer position at an international technology company at the time of the attacks. His resume showcased expertise in reverse engineering smart contracts and conducting blockchain audits, skills that he utilized to execute the hacks.
In addition to the three-year prison term, Ahmed was sentenced to three years of supervised release. He must forfeit approximately $12.3 million, including a significant amount of cryptocurrency, and pay the affected exchanges over $5 million in restitution. Commenting on Shakeeb Ahmed’s sentencing, US Attorney Damian Williams said:
Today, Shakeeb Ahmed was sentenced to prison in the first-ever conviction for the hack of a smart contract and ordered to forfeit all of the stolen crypto. No matter how novel or sophisticated the hack, this Office and our law enforcement partners are committed to following the money and bringing hackers to justice. And as today’s sentence shows, time in prison — and forfeiture of all the stolen crypto — is the inevitable consequence of such destructive hacks.