In a landmark case for cryptocurrency regulation, former security engineer Shakeeb Ahmed was sentenced to three years in prison for hacking two decentralized cryptocurrency exchanges, causing losses exceeding $12 million. The sentencing, announced by Damian Williams, U.S. Attorney for the Southern District of New York, marks the first conviction involving the hack of a smart contract.
Sophisticated Hacks and Substantial Forfeiture
According to official court documents, in early July 2022, Ahmed executed sophisticated attacks on two separate exchanges. Utilizing his advanced skills in reverse engineering and blockchain audits, Ahmed manipulated pricing data to siphon off approximately $9 million in inflated fees from the first victim, a crypto exchange. He later engaged with the exchange to negotiate the return of the stolen assets, except for a $1.5 million cut, provided they refrained from notifying law enforcement.
A few weeks following the initial hack, Ahmed targeted Nirvana Finance, another decentralized exchange. Exploiting a vulnerability in the exchange’s smart contracts, he manipulated transactions to buy and then resell cryptocurrency at manipulated prices, ultimately stealing around $3.6 million, nearly the entire holdings of Nirvana. Despite Nirvana’s offer of a $600,000 “bug bounty” for the return of the funds, Ahmed demanded $1.4 million and ultimately did not return the stolen funds.
Extensive Laundering Efforts
Post-theft, Ahmed engaged in elaborate money laundering to disguise the origins of the stolen funds. His methods included token-swap transactions across blockchains, converting stolen proceeds to the hard-to-trace cryptocurrency Monero, and using international crypto exchanges and mixers to further obscure the money’s trail.
Legal Consequences and Industry Impact
Ahmed, a 34-year-old New York resident and U.S. citizen, was not only sentenced to prison but also ordered to serve three years of supervised release. He must forfeit an estimated $12.3 million along with a significant amount of cryptocurrency. Further, he is required to pay restitution exceeding $5 million to the affected exchanges.
U.S. Attorney Williams emphasized the dedication of law enforcement to pursue and prosecute individuals exploiting cryptocurrency platforms, regardless of the sophistication of their methods. He stated, “No matter how novel or sophisticated the hack, this Office and our law enforcement partners are committed to following the money and bringing hackers to justice.”
The case was successfully prosecuted by the Office’s Illicit Finance and Money Laundering Unit and Complex Frauds and Cybercrime Unit, showcasing the increasing focus on cybersecurity in the financial sector, particularly within decentralized finance.