A former security engineer has pleaded guilty to charges related to hacks on two decentralized cryptocurrency exchanges this past July, including the high-profile collapse of Nirvana Finance.
Shakeeb Ahmed, who was employed by an international tech company as a senior security engineer, admitted to carrying out attacks on the exchanges by discovering and exploiting vulnerabilities in their smart contracts. This marks the first ever conviction for a smart contract breach.
- Ahmed exploited vulnerabilities in the exchanges’ smart contracts, inserting fake data to generate $9 million in fees from one exchange
- Ahmed conducted a $10 million flash loan attack on Nirvana Finance, manipulating prices to profit $3.6 million, leading to the protocol’s collapse
- Ahmed agreed to forfeit over $12 million and pay back victims, marking first conviction for a smart contract breach
- Ahmed used advanced techniques to launder money, like swapping crypto, using mixers and overseas exchanges, and bridging across blockchains
The first hack targeted an unnamed exchange in early July, where Ahmed cleverly inserted fake pricing data into one of the exchange’s smart contracts. This tricked the contract into generating around $9 million in vastly inflated trading fees, which Ahmed promptly withdrew.
Judge: How old are you?
Shakeeb Ahmed: 34. I have a B.S. from the University of Illinois.
Judge: Do you understand you are changing your plea to guilty?
Judge takes a break but will be back; thread will continue below pic.twitter.com/9C6AlXnStA
— Inner City Press (@innercitypress) December 14, 2023
After the successful heist, Ahmed opened communications with the hacked exchange, offering to return most of the funds in exchange for not getting law enforcement involved.
- Emboldened, Ahmed then set his sights on Nirvana Finance later in July.
- He took out an enormous $10 million flash loan, which he used to manipulate Nirvana’s smart contracts and conduct a sophisticated price arbitrage scheme.
- By briefly buying up Nirvana’s ANA tokens at rock bottom prices before selling them at vastly higher prices back to Nirvana, Ahmed managed to turn the $10 million loan into $13.6 million, netting himself a cool $3.6 million profit.
- Despite Nirvana’s offer of a bug bounty for reporting the vulnerabilities, Ahmed demanded a higher payout, leading to Nirvana Finance shuttering soon after the incident.
In total, Ahmed made off with over $12 million from the two audacious exchange hacks.
According to U.S. Attorney Damian Williams, Ahmed then utilized his extensive technical skills to cover his tracks, employing sophisticated money laundering techniques. These included bridging between cryptocurrency networks, using mixers, making exchanges to privacy coins like Monero, and accessing overseas crypto exchanges.
However, law enforcement still managed to identify and apprehend Ahmed for the breaches. The 34-year old New York resident has now pleaded guilty to computer fraud charges.
As part of his plea deal, Ahmed will forfeit over $12 million, including returning $5 million to his victims, marking a major win for authorities seeking to prosecute complex crypto-related cybercrimes.
Ahmed faces up to 5 years in prison when he is sentenced in March 2024. The case underscores that despite the growing sophistication of hackers exploiting vulnerabilities in the crypto sector’s expanding attack surface, justice can still catch up to perpetrators who believe they can cleanly get away with brazen cybercrimes and money laundering.