A former Amazon engineer named Shakeeb Ahmed has pleaded guilty to hacking two cryptocurrency exchanges, the first-ever conviction involving the hacking of a smart contract. The plea was announced by the United States Attorney for the Southern District of New York. Ahmed now faces up to five years in prison and the forfeiture of $12.3 million worth of stolen cryptocurrency.
Hacks Targeting Crypto Exchanges
The hacks occurred in 2022 and specifically targeted Nirvana Finance and an undisclosed crypto exchange on the Solana blockchain. Ahmed manipulated the contracts by submitting falsified data, resulting in the generation of millions of dollars in inflated fees that he had not rightfully earned. Smart contracts are digital programs that execute predetermined functions when specific conditions are met. These contracts operate on blockchain platforms and offer increased security and automation.
Ahmed, leveraging his skills from Amazon, reverse-engineered the necessary steps to manipulate the exchanges into paying out substantial sums. To avoid detection, Ahmed engaged in negotiations with the unnamed crypto exchange, offering to return all stolen funds, minus $1.5 million, under the condition that the exchange refrained from involving law enforcement. Prosecutors revealed this attempt to evade accountability.
Exploiting Cryptocurrency Features
After successfully hacking the first exchange, Ahmed turned his attention to Nirvana’s cryptocurrency, ANA. He exploited a feature designed to inflate the token price after a significant purchase. Using a workaround in Nirvana’s smart contract, Ahmed acquired $10 million worth of ANA tokens at an artificially lowered price and sold them for a $3.6 million profit.
“Nirvana offered AHMED a ‘bug bounty’ of as much as $600,000 to return the stolen funds, but AHMED instead demanded $1.4 million, did not reach an agreement with Nirvana, and kept all the stolen funds,” stated the US Attorney.
To further complicate the tracing of his activities, Ahmed attempted to obfuscate the stolen crypto by converting it into Monero. He leveraged cryptocurrency mixers, jumped across different blockchains, and utilized overseas crypto exchanges, according to US Attorney Damian Williams.
The recent security incidents highlight the ongoing issue of hacks and scams within the crypto industry. According to a report by blockchain security platform Immunefi, there were 76 hacks on crypto and Web3 projects and firms in Q3 2023. This is a significant increase compared to the 30 hacks reported in the same period in 2022. In total, approximately $332 million has been lost to various exploits, hacks, and scams throughout September, marking a record-high month for crypto exploits.