A former senior security engineer, Shakeeb Ahmed, pled guilty to hacking the decentralized finance yield protocol Nirvana Finance, along with another unnamed decentralized exchange (DEX).
Ahmed will also forfeit over $12.3 million in stolen assets, with the United States Attorney’s Office of the Southern District of New York (SDNY) describing the case as the “first-ever conviction for the hack of a smart contract.”
Two DEX Attacks in One Month
According to a press release on Dec. 14, 2023, Ahmed used his expertise in reverse engineering smart contracts and blockchain audits to hack two decentralized crypto exchanges in July 2022. According to the statement, he laundered the stolen assets from both platforms, using various means such as crypto mixers and overseas exchanges.
The 34-year-old security engineer carried out the first hack on an unnamed Solana-based decentralized cryptocurrency exchange by exploiting a vulnerability in one of its smart contracts, thereby enabling him to generate around $9 million in inflated fees, which he withdrew from the platform.
United States authorities later arrested Ahmed in July 2023 in connection with the hack, making the arrest the first of its kind involving a smart contract. At the time, the security engineer was charged with wire fraud and money laundering, with each offense carrying a maximum prison sentence of 20 years.
Ahmed was also responsible for the attack on Nirvana Finance, which likewise happened in July 2022. As previously reported by CryptoPotato, the attacker used a flash loan of $10 million to mint ANA tokens worth $10 million, which were later swapped for $13.49 million in USDT. The hacker eventually drained nearly $3.5 million from the platform’s treasury.
While Nirvana offered Ahmed a bug bounty of $600,000, as stated in the latest press release, the hacker refused the offer and wanted to receive $1.4 million in exchange for returning the stolen funds.
However, Ahmed and Nirvana Finance failed to reach an agreement, leading to the security engineer keeping all the funds and the eventual shutdown of the exchange.
Hacker to Forfeit $12.3 Million and Pay Restitution to Victims
In addition to pleading guilty to one count of computer fraud, Ahmed agreed to forfeit over $12.3 million stolen in both hacks and to pay $5 million in restitution to affected victims. The security engineer faces a maximum sentence of five years’ imprisonment, with his sentencing scheduled to be held on March 13, 2024.
According to a statement by US Attorney Damian Williams:
“Five months ago, my Office announced the first-ever arrest involving an attack on a smart contract. Today, senior security engineer Shakeeb Ahmed pled guilty and agreed to return all of the stolen crypto to his victims. That arrest is now the first-ever conviction for such a hack.”
Attorney Williams further said:
“Today’s conviction shows that no matter how sophisticated the methods used, fraud is fraud, and we will swiftly catch and convict you.”