A former security engineer has been sentenced to three years in prison in the United States on charges related to the hacking of two decentralized cryptocurrency exchanges in July 2022 and the theft of more than $12.3 million.
Shakeeb Ahmed, the defendant in question, pleaded guilty to a computer fraud charge in December 2023 following his arrest in July.
“At the time of both attacks, Ahmed, a U.S. citizen, was a senior security engineer for an international technology company whose resume reflected expertise in, among other things, smart contract reverse engineering and blockchain audits, which are some of Ahmed’s specialized skills used to carry out the hacks,” the US Department of Justice (DoJ) noted at the time.
While his company name was not disclosed, he resided in Manhattan, New York, and worked for Amazon before he was arrested.
Court documents show that Ahmed exploited a security flaw in the smart contracts of an unnamed cryptocurrency exchange to insert “false pricing data to fraudulently generate millions of dollars in inflated commissions,” which he was able to withdraw.
Subsequently, he initiated contact with the company and agreed to return most of the funds except $1.5 million if the exchange agreed not to notify law enforcement of the flash loan attack.
It is worth noting that CoinDesk reported in early July 2022 that an unknown attacker returned more than $8 million in cryptocurrency to a Solana-based cryptocurrency exchange called Crema Finance, keeping $1.68 million as a “white hat” bounty.
Ahmed was also accused of carrying out an attack on a second decentralized cryptocurrency exchange called Nirvana Finance, siphoning off $3.6 million in the process, ultimately leading to its closure.
“Ahmed used an exploit he discovered in Nirvana’s smart contracts to allow him to purchase cryptocurrency from Nirvana at a lower price than the contract stipulated,” the DoJ said.
“He then immediately resold the cryptocurrency to Nirvana at a higher price. Nirvana offered Ahmed a ‘bug bounty’ of as much as $600,000 to return the stolen funds, but Ahmed instead asked for $1.4 million, did not reach a settlement with Nirvana, and kept all the stolen funds.”
The defendant then laundered the stolen funds to cover the trail by using cross-chain bridges to move illicit digital assets from Solana to Ethereum and exchanging the proceeds into Monero using mixers such as Samourai Whirlpool.
In addition to the three-year prison sentence, Ahmed was sentenced to three years of supervised release and ordered to forfeit approximately $12.3 million and pay restitution of more than $5 million to both affected cryptocurrency exchanges.