After orchestrating a series of hacks on two decentralized cryptocurrency exchanges (DEXs) that stole more than $12 million in crypto, former security engineer Shakeeb Ahmed was sentenced today to three years in prison. It is the first-ever conviction for smart contract hacking in the United States.
Ahmed was also ordered to forfeit the stolen crypto and pay restitution to the affected exchanges.
Engineer Exploits Crypto Vulnerabilities in $12 Million Hack
According to charging documents and court records, Ahmed carried out two separate attacks against decentralized exchanges. In the first incident, which occurred on July 2-3, 2022, he manipulated false pricing data to generate approximately $9 million in inflated fees. Subsequently, Ahmed withdrew these fees in the form of cryptocurrency.
Following the theft, Ahmed contacted the exchange, offering to return the stolen funds, except for $1.5 million, if the exchange did not involve law enforcement.
Shortly after, on July 28, 2022, Ahmed targeted another decentralized exchange called Nirvana Finance. By exploiting a vulnerability in Nirvana's smart contracts, he bought crypto assets at a lower price than expected and quickly sold them back to Nirvana at a higher price.
Although Nirvana offered a substantial “bug bounty” of up to $600,000 for returning the stolen funds, Ahmed demanded $1.4 million. This led to the collapse of the exchange, which lost all its funds, approximately $3.6 million, due to Ahmed’s attack.
From security expert to cybercriminal
The investigation revealed that Ahmed used “advanced money laundering techniques” to conceal the source and ownership of the stolen funds.
These included token swap transactions, transferring the fraud proceeds from the Solana (SOL) blockchain to the Ethereum (ETH) blockchain via “bridging,” converting funds to Monero, and then using foreign exchanges and cryptocurrency mixers such as Samourai Whirlpool.
Ahmed, a US citizen, was working as a senior security engineer at an international technology company at the time of the attacks. His CV highlighted his expertise in smart contract reverse engineering and driving blockchain audits, skills he used to execute the hacks.
In addition to the three-year prison sentence, Ahmed was sentenced to three years of supervised release. He must forfeit approximately $12.3 million, including a significant amount of cryptocurrency, and pay the affected exchanges more than $5 million in compensation. Commenting on Shakeeb Ahmed’s sentencing, U.S. Attorney Damian Williams said:
Today, Shakeeb Ahmed was sentenced to prison in the first ever conviction for smart contract hacking and was ordered to forfeit all stolen cryptocurrencies. No matter how new or sophisticated it may be, the Bureau and our law enforcement partners are committed to following the money and bringing hackers to justice. And as today’s sentence shows, prison time – and confiscation of all stolen cryptocurrencies – is the inevitable consequence of such destructive hacks.