Security engineer pleads guilty to Nirvana Finance exploit and one other hack

A software engineer pleaded guilty on Dec. 14 in the Southern District Court of New York to one count of computer fraud in connection with the hacking of Nirvana Finance and an unnamed decentralized cryptocurrency exchange. The United States Attorney’s Office said the case was the first-ever conviction for hacking a smart contract.

Shakeeb Ahmed, described as a “senior security engineer for an international technology company,” was arrested in July in connection with the hack of the unnamed exchange on or about July 2 and 3, 2022. According to the U.S. Attorney’s Office statement:

“AHMED carried out an attack on the Crypto Exchange by exploiting a vulnerability in one of the Crypto Exchange’s smart contracts and inserting fake pricing data to fraudulently cause that smart contract to generate approximately $9 million dollars’ worth of inflated fees.”

Ahmed returned all but $1.5 million to the exchange, which “agreed not to refer the attack to law enforcement.” The exchange “allowed users to exchange different kinds of cryptocurrencies, and paid fees to users who deposited cryptocurrency to provide liquidity on the Crypto Exchange.”

It was only after his arrest that Ahmed admitted to the $3.49 million Nirvana Finance flash loan exploit, which took place later that month. Nirvana offered him, via Twitter (now X), a $300,000 white-hat bounty for the return of the hacked funds.

According to the statement, Ahmed and Nirvana Finance haggled over the bounty, but Ahmed eventually sold all of its ANA coin for a profit, resulting in Nirvana Finance’s closing.

“Ahmed used his technical knowhow to steal over $12 million and tried to cover his tracks by swapping stolen crypto for Monero, using cryptocurrency mixers, hopping across blockchains, and utilizing overseas crypto exchanges.”

Ahmed, a U.S. citizen and New York City resident, was released on bail after being charged in July. He will be sentenced on March 13, 2024.
