Ex-Amazon engineer guilty of $12.3M crypto theft in landmark smart contract hack

The ingenious exploits

Shakeeb Ahmed used the knowledge he gained working as a security engineer at Amazon to plan his illegal operations with remarkable accuracy. Targeting flaws in both an unnamed Solana blockchain-based[1] exchange and the decentralized cryptocurrency exchange Nirvana Finance, the engineer planned a two-pronged attack.

Ahmed used contract manipulation to insert fake pricing data, causing the unnamed exchange to collapse. The result of this deception was an increase in fees of about $9 million. Ahmed withdrew the illicit proceeds, but not before promising to return the majority of the money, keeping only $1.5 million, provided that law enforcement remained at bay.

Ahmed's boldness continued after the initial assault. He carried out a complex flash loan scam by taking advantage of a flaw in the decentralized finance (DeFi) protocol of Nirvana Finance. By using this strategy, Ahmed was able to borrow ANA cryptocurrency tokens at a deliberately discounted cost and then sell them at a higher price, making $3.6 million.

Nirvana Finance responded to the breach by promising a $300,000 reward[2] for the safe return of the stolen funds. However, Ahmed demanded $1.4 million in ransom, resulting in a deadlock. Because of this deadlock, Nirvana Finance was compelled to close its doors after losing all of its money.

Ahmed used a complex web of obfuscation to hide the digital trail of his illegal riches. With cryptocurrency mixers like Samourai Whirlpool, he was able to switch between the Ethereum and Solana blockchains with ease. In addition, he used foreign exchanges to exchange the pilfered money for Monero, a cryptocurrency that is highly valued for its improved privacy qualities.

Pleading guilty and the conviction

The story took an unexpected turn when Ahmed pled guilty to a single charge of computer fraud in the face of overwhelming evidence. Given that this admission represents the first conviction[3] in a smart contract hacking case, it is a historic occasion. The news was welcomed by U.S. Attorney Damian Williams, who also brought Ahmed's admission of a second, multi-million dollar hack on Nirvana Finance to light.

Ahmed could face a five-year prison sentence as the judicial process progresses. In addition to incarceration, he is obligated to compensate his victims with a substantial sum, totaling $5,071,074.23. The financial reckoning extends further, as Ahmed is set to forfeit over $12.3 million, including approximately $5.6 million in fraudulently obtained cryptocurrency.

The courtroom drama is poised for its climax on March 13, 2024, when United States District Judge Victor Marrero will preside over the sentencing. In addition to upholding justice, the decision will establish a standard for similar cases involving smart contract violations in the future.

The broader implications

Ahmed's exploits expose the weaknesses in smart contracts, which were once intended to increase security by doing away with middlemen. The case emphasizes how urgently the developing bitcoin market needs stronger security measures.

After it was discovered that Decentralized Finance (DeFi) projects had lost over $2.2 billion by 2022, Ahmed's story became representative of a concerning pattern. The increasing popularity of decentralized financial systems necessitates strengthening them against malicious actors.

About the author
Ugnius Kiguolis
Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.