Hacker pleads guilty to $12M Solana DeFi hacks in first smart contract fraud conviction
Shakeeb Ahmed, a security engineer who exploited two Solana DeFi apps, has pleaded guilty, according to statements from authorities on Dec. 14.
Damian Williams, United States Attorney for the Southern District of New York (SDNY), announced a guilty plea from the perpetrator. He stated:
“Five months ago, my Office announced the first ever arrest involving an attack on a smart contract. Today … Shakeeb Ahmed pled guilty and agreed to return all of the stolen crypto to his victims … Today’s conviction shows that no matter how sophisticated the methods used, fraud is fraud, and we will swiftly catch and convict you.”
Ahmed launched the first of two attacks starting on July 2, 2022, when he targeted an unnamed decentralized exchange to generate $9 million through inflated fees. Ahmed agreed to return all but $1.5 million of the stolen funds if the exchange refrained from reporting the attack to law enforcement. However, SDNY authorities ultimately arrested and charged Ahmed in July 2023.
Later proceedings revealed that Ahmed had carried out a second attack on Nirvana Finance, a Solana-based decentralized finance platform, around July 28, 2022. In that attack, Ahmed manipulated flash loans to purchase Nirvana’s ANA token at a low price, then resold those tokens at a higher price to obtain $3.6 million. After a failed bounty negotiation with Nirvana, Ahmed refused to return the stolen funds, and Nirvana shut down due to a nearly complete loss of funds.
Though the hack against Nirvana Finance was reported as it occurred, Ahmed’s involvement in the attack was not known until today.
Over $12M stolen
The announcement states that Ahmed stole over $12 million from the two platforms and attempted to hide the theft through several actions.
Notably, Ahmed swapped his ill-gotten gains for Monero (XMR), moved funds through crypto mixers such as Samourai Whirlpool, used a blockchain-hopping strategy, transferred funds to the Ethereum blockchain, and transacted on international crypto exchanges. He also searched for information related to legal defenses and the possibility of fleeing the United States.
Authorities said that Ahmed has pleaded guilty to one count of computer fraud, which carries a maximum sentence of five years in prison. His sentence will be determined in March 2024. Ahmed has agreed to pay restitution of $5 million to his victims.