Saturday, April 13, 2024

Former Security Engineer Sentenced To Three Years In Prison For Hacking Two Decentralized Cryptocurrency Exchanges


Damian Williams, the United States Attorney for the Southern District of New York, announced that SHAKEEB AHMED was sentenced to three years in prison by U.S. District Judge Victor Marrero for hacking two separate decentralized cryptocurrency exchanges and stealing cryptocurrency worth over $12 millionAHMED previously pled guilty to computer fraud.  

U.S. Attorney Damian Williams said: “Shakeeb Ahmed was sentenced to prison in the first ever conviction for the hack of a smart contract and ordered to forfeit all of the stolen crypto.  No matter how novel or sophisticated the hack, this Office and our law enforcement partners are committed to following the money and bringing hackers to justice.  And as this sentence shows, time in prison — and forfeiture of all the stolen crypto — is the inevitable consequence of such destructive hacks.” 

According to the charging documents and other filings and statements made in court:

On or about July 2 and 3, 2022, AHMED carried out an attack on a decentralized cryptocurrency exchange (the “Crypto Exchange”), in which he used fake pricing data to generate approximately $9 million worth of inflated fees, then withdrew those fees in the form of cryptocurrency.  After he stole the fees, AHMED had communications with the Crypto Exchange in which he agreed to return all of the stolen funds except for $1.5 million if the Crypto Exchange agreed not to refer the attack to law enforcement.

On or about July 28, 2022, a few weeks after the hack of the Crypto Exchange, AHMED carried out an attack on a second decentralized cryptocurrency exchange called Nirvana Finance (“Nirvana”).  AHMED used an exploit he discovered in Nirvana’s smart contracts to allow him to purchase cryptocurrency from Nirvana at a lower price than the contract was designed to allow.  He then immediately resold that cryptocurrency to Nirvana at a higher price.  Nirvana offered AHMED a “bug bounty” of as much as $600,000 to return the stolen funds, but AHMED instead demanded $1.4 million, did not reach agreement with Nirvana, and kept all the stolen funds.  The $3.6 million AHMED stole represented approximately all the funds possessed by Nirvana, which as a result shut down shortly after AHMED’s attack.

AHMED laundered the millions that he stole from the Crypto Exchange and from Nirvana to conceal their source and ownership, using sophisticated techniques including token-swap transactions; “bridging” fraud proceeds from the Solana blockchain over to the Ethereum blockchain; exchanging fraud proceeds into Monero, an anonymized cryptocurrency that is particularly difficult to trace; using overseas cryptocurrency exchanges; and using cryptocurrency mixers, such as Samourai Whirlpool.

At the time of both attacks, AHMED, a U.S. citizen, was a senior security engineer for an international technology company, whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills AHMED used to execute the hacks.  

In addition to the prison term, AHMED, 34, of New York, New York, was sentenced to three years of supervised release.  AHMED was also ordered to forfeit approximately $12.3 million and a significant quantity of cryptocurrency and pay restitution to the Crypto Exchange and Nirvana in the amount of over $5 million. 

Mr. Williams praised the outstanding work of Homeland Security Investigations and Internal Revenue Service – Criminal Investigation.

No comments:

Post a Comment