Shakeeb Ahmed, a computer security engineer, has been sentenced by the U.S. District Court for the Southern District of New York (SDNY) to three years in prison followed by three years of supervised release. Ahmed was found guilty of executing flash loan attacks on the decentralized Crypto Exchange and Nirvana exchanges in 2022. U.S. Attorney Damian Williams said in a statement that Ahmed’s verdict marked the first conviction for hacking a smart contract. As part of his sentence, Ahmed has to give up $12.3 million and a significant amount of cryptocurrency, as well as pay the exchanges $5 million in restitution. Ahmed had offered to return all stolen funds, except for $1.5 million, to the Crypto Exchange if they didn’t involve law enforcement. Nirvana refused Ahmed’s demand of $1.4 million for the return of $3.6 million, resulting in no agreement. Following the hack, Nirvana’s NIRV stablecoin lost its peg to the U.S. dollar, and its native ANA coin dropped by 85% before closing down.
According to the SDNY statement, Ahmed laundered the stolen funds using various methods such as token-swap transactions, moving the proceeds from the Solana blockchain to the Ethereum blockchain, converting the proceeds into Monero through cryptocurrency mixers like Samourai Whirlpool, and utilizing overseas cryptocurrency exchanges. Another exchange, Crema, experienced a similar attack in July 2022 using the same techniques, but Ahmed was not connected to that specific incident in the federal charges against him. At the time of the attacks, Ahmed was employed as a senior security engineer at an international technology company and also served as the technical lead for Amazon’s bug bounty program.
Bloomberg reports that Ahmed, who is currently out on bail, now works for a mental health care startup, according to Inner City Press. Ahmed allegedly stated during his trial, “I witnessed hacks, I found a way to exploit an exchange’s smart contracts. I went into therapy.” Ahmed was arrested in New York in July and faced charges of wire fraud and money laundering related to the hacks. He ultimately pleaded guilty to a single charge of computer fraud in December.
How can Shakeeb Ahmed, who was once responsible for securing systems, justify his actions by claiming to have witnessed hacks? This excuse is unacceptable! He knew the consequences of his actions and must face the full extent of the law.
The impact of the hack on Nirvana’s stablecoin and native coin is truly unfortunate.
As a senior security engineer and the technical lead for Amazon’s bug bounty program, Ahmed had a responsibility to protect systems and contribute to the safety of the online world. His actions are a betrayal of his profession and a stain on the reputation of ethical hackers who genuinely work towards enhancing cybersecurity. 😡🔓