A former Amazon engineer who scammed more than $12 million from two decentralized cryptocurrencies exchanges in 2022 was sentenced to three years in prison in a case that the U.S. Justice Department (DOJ) called the first conviction for hacking a “smart contract.”
Shakeeb Ahmed, who was indicted last year, also will serve three years of supervised release, a federal court judge ruled. He was accused of using the skills he developed as a cybersecurity professional at Amazon – including the ability to reverse engineer smart contracts and blockchain audits – to hack into the exchanges and steal the money.
“Ahmed conducted the Attack by exploiting a vulnerability in the (unnamed) Crypto Exchange and inserting fake pricing data to fraudulently generate millions of dollars’ worth of inflated fees that Ahmed did not in fact earn, but which Ahmed was able to withdraw from the Crypto Exchange in the form of cryptocurrency,” according to the indictment handed up last year.
Through this, he not only stole from the exchange but also its users, the prosecutors wrote.
Attacks in July 2022
Ahmed attacked the unnamed crypto exchange on July 2 and 3, 2022, and, on July 28, 2022, launched a second attack on the Nirvana Finance exchange, exploiting a flaw in Nirvana’s smart contracts that allowed him to buy crypto from Nirvana at a lower price than the contract outlined. He then immediately resold the crypto to Nirvana at a higher price, according to the DOJ.
In each case, Ahmed communicated with the exchanges, offering to return most of the stolen money. In the first case, he agreed to keep $1.5 million of the $9 million he stole and return the rest if the exchange agreed to not contact law enforcement. He eventually did return most of the money. According to the defense’s sentencing memo, the exchange offered Ahmed an $800,000 bug bounty if he returned the stolen money and later upped the offer to $1.3 million.
In the case of Nirvana, the exchange offered Ahmed a $600,000 bug bounty in exchange for the stolen $3.6 million, but he demanded $1.4 million instead. No agreement was reached and he kept all the money he stole, which represented all fund that Nirvana had. The exchange shut down shortly after Ahmed’s attack, the DOJ said.
When Ahmed was indicted, prosecutors didn’t disclose where Ahmed worked. However, at the time of this arrest he listed being an engineer at Amazon and a New York address.
Smart contracts are programs on blockchains that automate required actions in an agreement or contract, enabling trusted transactions and agreements to be completed among anonymous parties without the need for a central authority or external enforcement mechanism.
Admits to Second Fraud
Ahmed was indicted for the fraud against the unnamed crypto exchange – though news sites said that Ahmed’s hack coincided in timing and other details with one on Crema Finance – and in December 2023, he pleaded guilty to one count of computer fraud. As part of the plea, he told authorities about the hack into Nirvana, according to the defense sentencing memo.
“Although Shakeeb knew that disclosing another hack would result in additional consequences, and could take his favorable plea deal off of the table, Shakeeb voluntarily came forward anyway,” his lawyers wrote in their sentencing memo.
The defense requested a sentence of probationwhile prosecutors in their sentencing memo sought a four-year prison sentence, pointing to the seriousness and damage done, and the “critical need to achieve general deterrence in this precedential, first-of-its-kind conviction for the hack of a smart contract.”
They noted that rise in frauds run against DeFi crypto exchanges, pointing to reports of $53.3 billion lost to such scams in 2022 and more than $1.3 billion last year.
Post-Attack Actions
Prosecutors also noted Ahmed’s actions after the first attack, saying he took several steps to launder the money and conceal the crime, including conducting numerous transactions that exchange one cryptocurrency for another, bridging the stolen fund from one blockchain to another, and laundering the proceeds through a swap aggregator to other crypto wallets on the Solana blockchain.
In addition, four months after the attack, he exchanged the stolen crypt into Monero, which prosecutors described as “anonymized and particularly difficult cryptocurrency to trace.” In May 2023, Ahmed laundered fraud proceeds via overseas cryptocurrency exchanges.
Prosecutors also pointed to his internet browsing history in the days following the first hack, including searches for such terms as “defi hack,” “embezzled,” “defi hacks prosecution,” and “wire fraud.” Other searches included the phrases “how to prove malicious intent” and “evidence laundering” and information about bug bounties and white collar criminal defense attorneys.
His searches also delved into crossing borders with crypto, how to keep the federal government from seizing assets, and countries where money can buy a person citizenship.
Along with the prison time and ensuing probation, Ahmed also had to forfeit the stolen $12.3 million and pay the victims $5 million in restitution.
Recent Articles By Author
GIPHY App Key not set. Please check settings