Ex-Security Engineer Jailed 3 Years for $12.3 Million Crypto Exchange Thefts
14.4.24 Crime The Hacker News
A former security engineer has been sentenced to three years in prison in the U.S. for charges relating to hacking two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3 million.
Shakeeb Ahmed, the defendant in question, pled guilty to one count of computer fraud in December 2023 following his arrest in July.
"At the time of both attacks, Ahmed, a U.S. citizen, was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the hacks," the U.S. Department of Justice (DoJ) noted at the time.
While the name of the company was not disclosed, he was residing in Manhattan, New York, and working for Amazon before he was apprehended.
Court documents show that Ahmed exploited a security flaw in an unnamed cryptocurrency exchange's smart contracts to insert "fake pricing data to fraudulently generate millions of dollars' worth of inflated fees," which he was able to withdraw.
Subsequently, he initiated contact with the company and agreed to return most of the funds except for $1.5 million if the exchange agreed not to alert law enforcement about the flash loan attack.
It's worth noting that CoinDesk reported in early July 2022 that an unknown attacker returned more than $8 million worth of cryptocurrency to a Solana-based crypto exchange called Crema Finance, while keeping $1.68 million as a "white hat" bounty.
Ahmed has also been accused of carrying out an attack on a second decentralized cryptocurrency exchange called Nirvana Finance, siphoning $3.6 million in the process, ultimately leading to its shutdown.
"Ahmed used an exploit he discovered in Nirvana's smart contracts to allow him to purchase cryptocurrency from Nirvana at a lower price than the contract was designed to allow," the DoJ said.
"He then immediately resold that cryptocurrency to Nirvana at a higher price. Nirvana offered Ahmed a 'bug bounty' of as much as $600,000 to return the stolen funds, but Ahmed instead demanded $1.4 million, did not reach agreement with Nirvana, and kept all the stolen funds."
The defendant then laundered the stolen funds to cover up the trail using cross-chain bridges to move the illicit digital assets from Solana to Ethereum and exchanging the proceeds into Monero using mixers like Samourai Whirlpool.
Besides the three-year jail term, Ahmed has been sentenced to three years of supervised release and ordered to forfeit approximately $12.3 million and pay restitution amounting more than $5 million to both the impacted crypto exchanges.