Key Takeaways
- Ahmed has agreed to forfeit $12.3 million and pay $5 million in restitution
- The hacker could face a maximum sentence of five years in prison
In a groundbreaking development, Shakeeb Ahmed, a senior security engineer for an international technology company, pleaded guilty in a New York court on Thursday in connection with two significant cryptocurrency hacks. Ahmed, arrested in July, was linked to the attacks on decentralized exchanges Nirvana Finance and an unnamed crypto exchange.
The first hack involved the decentralized finance (DeFi) protocol Nirvana Finance, which suffered a flash loan exploit in 2022 resulting in a loss of approximately $3.5 million. Ahmed, employing a sophisticated approach, utilized a flash loan and exploited vulnerabilities in Nirvana’s smart contracts.
Smart contracts are code on a blockchain that automatically executes the terms of an agreement or contract from outside the chain. Despite Nirvana’s attempt to negotiate a return through a $600,000 bounty, an agreement was not reached, leading to the closure of Nirvana Finance.
The second hack, targeting an undisclosed crypto exchange, occurred in July 2022. Ahmed manipulated a smart contract vulnerability, injecting fake pricing data to generate around $9 million in inflated fees. Despite returning most of the funds, Ahmed retained $1.5 million. The exchange chose not to involve law enforcement in exchange for Ahmed returning the majority of the funds.
As part of his guilty plea, Ahmed has agreed to forfeit $12.3 million in assets and further pay $5 million in restitution to the victims. This marks a landmark case as it’s the first time the U.S. Department of Justice (DOJ) has convicted someone for hacking smart contracts, highlighting the growing scrutiny on cybercriminals exploiting vulnerabilities in the crypto space.
Ahmed’s actions extended beyond the actual hacks; he employed sophisticated techniques to launder the stolen funds. This included token-swap transactions, bridging fraud proceeds between blockchains, exchanging funds into the privacy-focused cryptocurrency Monero, and leveraging cryptocurrency mixers for anonymity.
The hacker, now facing wire fraud and money laundering charges, could face a maximum sentence of five years in prison. His sentencing is scheduled for March 13, 2024.
