Former security engineer for international technology company pleads guilty to hacking two decentralized cryptocurrency exchanges

 

Date: December 14, 2023

Contact: newsroom@ci.irs.gov

Damian Williams, the United States Attorney for the Southern District of New York, announced the guilty plea today of Shakeeb Ahmed in connection with his hack of two separate decentralized cryptocurrency exchanges, one of which was the July 2022 hack of Nirvana Finance. Ahmed pled guilty to computer fraud before U.S. Magistrate Judge Ona T. Wang. Ahmed also agreed to forfeit over $12.3 million, including forfeiture of approximately $5.6 million in fraudulently obtained cryptocurrency.

U.S. Attorney Damian Williams said: "Five months ago, my Office announced the first ever arrest involving an attack on a smart contract. Today, senior security engineer Shakeeb Ahmed pled guilty and agreed to return all of the stolen crypto to his victims. That arrest is now the first ever conviction for such a hack. Ahmed's plea has also resulted in him further admitting that he carried out a previously unsolved second multimillion-dollar hack, this time of decentralized finance protocol Nirvana Finance. In total, Ahmed used his technical knowhow to steal over $12 million and tried to cover his tracks by swapping stolen crypto for Monero, using cryptocurrency mixers, hopping across blockchains, and utilizing overseas crypto exchanges. Today's conviction shows that no matter how sophisticated the methods used, fraud is fraud, and we will swiftly catch and convict you."

According to the charging documents and other filings and statements made in court:

In July 2022, Ahmed executed hacks on two separate decentralized cryptocurrency exchanges: an exchange referred to herein as the "Crypto Exchange" and Nirvana Finance ("Nirvana"). In July 2023, Ahmed was publicly charged with the hack of the Crypto Exchange. Today's guilty plea is the first public filing acknowledging Ahmed's responsibility for a second sophisticated, multimillion-dollar hack he executed in July 2022 of Nirvana.

At the time of both attacks, Ahmed, a U.S. citizen, was a senior security engineer for an international technology company. His resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the hacks.

The Crypto Exchange allowed users to exchange different kinds of cryptocurrencies, and paid fees to users who deposited cryptocurrency to provide liquidity on the Crypto Exchange.

On or about July 2 and 3, 2022, Ahmed carried out an attack on the Crypto Exchange by exploiting a vulnerability in one of the Crypto Exchange's smart contracts and inserting fake pricing data to fraudulently cause that smart contract to generate approximately $9 million worth of inflated fees that Ahmed did not legitimately earn. Ahmed was able to withdraw those fees from the Crypto Exchange in the form of cryptocurrency. This conduct defrauded the Crypto Exchange and its users whose cryptocurrency Ahmed had fraudulently obtained.

After he stole the fees he never legitimately earned, Ahmed had communications with the Crypto Exchange in which he agreed to return all of the stolen funds except for $1.5 million if the Crypto Exchange agreed not to refer the attack to law enforcement.

Nirvana was a second decentralized finance protocol. Nirvana bought and sold its cryptocurrency token, ANA. Nirvana was designed so that when a user purchased a substantial quantity of ANA, the price of ANA increased, and when a user sold a substantial quantity of ANA, the price of ANA decreased.

On or about July 28, 2022, a few weeks after the hack of the Crypto Exchange, Ahmed carried out an attack on Nirvana in which he took out a flash loan for approximately $10 million, used those funds to purchase ANA from Nirvana, and used an exploit he discovered in Nirvana's smart contracts to purchase the ANA at its initial, low price, rather than at the higher price that Nirvana was designed to charge him in light of the size of his purchase. When the price of ANA updated to reflect his large purchase, Ahmed resold the ANA he had purchased to Nirvana at the new, higher price, resulting in a profit to him of approximately $3.6 million. Nirvana offered Ahmed a "bug bounty" of as much as $600,000 to return the stolen funds, but Ahmed instead demanded $1.4 million, did not reach agreement with Nirvana, and kept all the stolen funds. The $3.6 million Ahmed stole represented approximately all the funds possessed by Nirvana, which as a result shut down shortly after Ahmed's attack.

Ahmed laundered the millions that he stole from the Crypto Exchange and from Nirvana to conceal their source and ownership, using sophisticated techniques including token-swap transactions, "bridging" fraud proceeds from the Solana blockchain over to the Ethereum blockchain, exchanging fraud proceeds into Monero, an anonymized cryptocurrency that is particularly difficult to trace, using overseas cryptocurrency exchanges, and using cryptocurrency mixers such as Samourai Whirlpool.

After the attacks, Ahmed searched online for information about the hacks, his own criminal liability, criminal defense attorneys with expertise in similar cases, law enforcement's ability to successfully investigate the attacks, and fleeing the U.S. to avoid criminal charges. For example, approximately two days after the hack of the Crypto Exchange, Ahmed conducted an internet search for the term "defi hack," read several news articles about the hack of the Crypto Exchange, and visited several pages on the Crypto Exchange's website. In the days after the hack of Nirvana, Ahmed conducted internet searches for the term "defi hacks prosecution" and searches related to the charges in the Indictment, including the terms "wire fraud" and "evidence laundering." Finally, Ahmed conducted internet searches or visited websites related to his ability to flee the U.S., avoid extradition, and keep his stolen cryptocurrency. He searched for the terms "can I cross border with crypto," "how to stop federal government from seizing assets," and "buying citizenship." He also visited a website titled "16 Countries Where Your Investments Can Buy Citizenship . . ."

Ahmed, of New York, New York, pled guilty to one count of computer fraud, which carries a maximum sentence of five years in prison. Ahmed also agreed to pay restitution to his victims totaling $5,071,074.23.

The maximum potential sentence is prescribed by Congress and is provided here for informational purposes only, as any sentencing of the defendant will be determined by a judge. Ahmed is scheduled to be sentenced by United States District Judge Victor Marrero on March 13, 2024.

Mr. Williams praised the outstanding work of Homeland Security Investigations and Internal Revenue Service Criminal Investigation (CI). Mr. Williams also thanked the U.S. Attorney's Office for the Southern District of California for its assistance in the investigation.

The case is being prosecuted by the Office's Money Laundering & Transnational Criminal Enterprises Unit and Complex Frauds & Cybercrime Unit. Assistant U.S. Attorneys David R. Felton and Kevin Mead are in charge of the prosecution.

CI is the criminal investigative arm of the IRS, responsible for conducting financial crime investigations, including tax fraud, narcotics trafficking, money-laundering, public corruption, healthcare fraud, identity theft and more. CI special agents are the only federal law enforcement agents with investigative jurisdiction over violations of the Internal Revenue Code, obtaining a more than 90 percent federal conviction rate. The agency has 20 field offices located across the U.S. and 12 attaché posts abroad.