
Ex-Amazon Engineer Pleads Guilty To Hacking Crypto Exchanges (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Former Amazon security engineer Shakeeb Ahmed pleaded guilty this week to hacking and stealing over $12.3 million from two cryptocurrency exchanges in July 2022. The two affected companies are Nirvana Finance, a decentralized crypto exchange, and an unnamed exchange on the Solana blockchain platform that Ahmed hacked using his blockchain audit and smart contract reverse engineering skills. He first targeted the undisclosed crypto exchange by manipulating a smart contract to introduce false pricing data, generating roughly $9 million worth of inflated fees. Ahmed later withdrew the funds and offered to return all but $1.5 million on the condition that the exchange refrained from involving law enforcement.

Although not explicitly named by the Justice Department, the details of the attack match those of a July 2022 breach impacting the Crema Finance decentralized finance (DeFi) platform. Shortly after this first hack, Ahmed exploited a Nirvana Finance DeFi protocol smart contract loophole to take a flash loan of ANA cryptocurrency tokens at a low price and sell it back at a higher rate, yielding him approximately $3.6 million. Despite being offered a $300,000 bounty to return the stolen crypto assets, Ahmed kept everything he stole (representing all the funds owned by Nirvana Finance) after demanding $1.4 million and not reaching an agreement, forcing the exchange to shut down.

Seeking to conceal his actions and obscure the digital trail of the stolen funds, Ahmed used several cryptocurrency mixers (including Samourai Whirlpool), the Solana and Ethereum blockchains, and foreign exchanges to convert the millions he stole into Monero, a cryptocurrency known for its enhanced privacy and anonymity. Wary of being apprehended, Ahmed actively sought ways to elude detection and extradition. His online searches revealed his interest in strategies to flee the United States, thwart asset seizures, and secure citizenship in different nations, clearly showcasing Ahmed's intention to sidestep legal repercussions for his actions. [...] Ahmed entered a guilty plea for a single computer fraud charge, an offense with a maximum imprisonment term of five years. Additionally, he committed to compensating his victims with a sum totaling $5,071,074.23.
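Both incidents in the summary come down to the same class of bug: a contract that trusts a price an attacker can move within the same transaction, whether by feeding it false pricing data or by using a flash loan to push a pool's spot price before the contract reads it. The toy model below is an added illustration, not code from Nirvana Finance, Crema Finance, or any real Solana program, and it does not reproduce either protocol's actual mechanics. It assumes a constant-product pool, a lending vault at 80% loan-to-value, and a zero-fee flash loan; all balances are constructed. The vault can value collateral either from the pool's current spot price (the vulnerable pattern) or from a reference price fixed before the transaction, such as a TWAP or an external oracle feed (the hardened pattern).

```rust
// Added illustrative example; not code from any real exchange or Solana program.
// All numbers are constructed. Integer math mirrors what on-chain code does.

const PRICE_SCALE: u128 = 1_000_000; // prices are stable-per-token, scaled by 1e6
const BPS: u128 = 10_000;            // basis points

/// Constant-product pool (x * y = k) holding a stable asset and a token.
#[derive(Clone, Debug)]
pub struct Pool {
    pub stable: u128,
    pub token: u128,
}

impl Pool {
    /// Spot price of one token in stable units, scaled by PRICE_SCALE.
    pub fn spot_price(&self) -> u128 {
        self.stable * PRICE_SCALE / self.token
    }

    /// Pay `stable_in` stable, receive tokens (no fee, floor division).
    pub fn buy_token(&mut self, stable_in: u128) -> u128 {
        let k = self.stable * self.token;
        let new_token = k / (self.stable + stable_in);
        let out = self.token - new_token;
        self.stable += stable_in;
        self.token = new_token;
        out
    }
}

/// Which price the vault trusts when valuing collateral.
pub enum Oracle {
    /// Read the pool's spot price inside the same transaction (vulnerable).
    Spot,
    /// Use a price fixed before the transaction, e.g. a TWAP or an external
    /// feed (hardened). Scaled by PRICE_SCALE.
    Reference(u128),
}

/// Lending vault: accepts the token as collateral and lends stable at `ltv_bps`.
pub struct Vault {
    pub stable_reserve: u128,
    pub ltv_bps: u128,
    pub oracle: Oracle,
}

impl Vault {
    fn price(&self, pool: &Pool) -> u128 {
        match self.oracle {
            Oracle::Spot => pool.spot_price(),
            Oracle::Reference(p) => p,
        }
    }

    /// Lock `collateral` tokens and lend as much stable as the LTV allows,
    /// capped by what the vault actually holds.
    pub fn borrow(&mut self, pool: &Pool, collateral: u128) -> u128 {
        let value = collateral * self.price(pool) / PRICE_SCALE;
        let loan = (value * self.ltv_bps / BPS).min(self.stable_reserve);
        self.stable_reserve -= loan;
        loan
    }
}

/// One atomic transaction: flash-borrow `flash` stable, spend all of it buying
/// tokens (which inflates the spot price), post the tokens as collateral,
/// borrow against them, repay the flash loan from the proceeds and abandon the
/// collateral. Returns the attacker's net gain; a negative result means the
/// flash loan cannot be repaid, so on chain the transaction would revert.
pub fn flash_loan_attack(pool: &mut Pool, vault: &mut Vault, flash: u128) -> i128 {
    let tokens = pool.buy_token(flash);    // step 1: pump the pool
    let loan = vault.borrow(pool, tokens); // step 2: borrow at the oracle's price
    loan as i128 - flash as i128           // step 3: repay flash loan, keep the rest
}

fn main() {
    for (label, oracle) in [("spot oracle", Oracle::Spot), ("reference oracle", Oracle::Reference(PRICE_SCALE))] {
        let mut pool = Pool { stable: 1_000_000, token: 1_000_000 };
        let mut vault = Vault { stable_reserve: 5_000_000, ltv_bps: 8_000, oracle };
        let gain = flash_loan_attack(&mut pool, &mut vault, 4_000_000);
        println!("{label}: spot after pump = {} , attacker gain = {gain}, vault left = {}",
            pool.spot_price() as f64 / PRICE_SCALE as f64, vault.stable_reserve);
    }
}
```

With the spot oracle, a 4,000,000 flash loan moves the pool price from 1.0 to 25.0, the 800,000 tokens bought are valued at 20,000,000, and the vault lends out its entire 5,000,000 reserve, leaving the attacker 1,000,000 ahead after repaying the loan. With a reference price fixed at the pre-transaction level, the same tokens are worth 800,000, the vault lends 640,000, and the attacker is 3,360,000 short of repaying, so the transaction would revert. The general fix is the same regardless of the specific protocol: never let a price that a caller can move within the transaction decide how much value the contract hands out.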

  • by DrMrLordX ( 559371 ) on Tuesday December 19, 2023 @09:17AM (#64090729)

    If the smart contracts contain loopholes and someone exploits them, is that even hacking (or cracking)? Also, if the "code is law", did he actually break any laws?

    • Hacking is letting a system do things it was not intended for. Like colour printing on your old black and white matrix printer using coloured carbon paper. Or like SQL injection.
    • It's not really code or cyber system hacking, more just manipulation of a loophole and blackmail.
      • That was my general thought. I'm surprised he's even facing charges. Both "hacks" involve exploiting smart contract code. The smart contracts are only doing what they were designed to do, technically. Whoever drafted those contracts really needed better auditing.

        • Yeah, it seems more like creating a false contract to manipulate value, maybe that involved a hack but maybe they didn't have any type of validation/verification and it was simply fraud.
      • Though I do see your point about blackmail. That would lead him into some legal trouble.

    • by trawg ( 308495 )

      Despite the noise from the cryptoasset crowd as part of their general machinations, code is not law, a fact most of us are probably pretty thankful about

    • by Slayer ( 6656 )

      Lots of these poorly written DeFi smart contracts fail under extreme asset inflow, which changes asset prices in a chaotic fashion that can be exploited for personal gain. While on the surface this looks like a "normal trade with big profit", it can be also seen as market manipulation, which is quite illegal. That's how many DeFi exploiters end up in legal trouble.

  • Why would an IT person have such level of access that would allow him to unilaterally a) change billing, b) redirect funds to a personal account?
    • by NFN_NLN ( 633283 )

      Maybe, and I'm just thinking outside the box here, no one intended for him to have that access and he implemented some sort of.... hack, to bypass security.

  • Penalty in Florida for using a stack of 100 counterfeit $20's: Five years.

    Penalty for this guy who stole $12 million and wrecked two businesses and an unknown number of small investors: Five years.

    Would you take 12 million for a 20% chance of serving five years in prison? Rationally, maybe you would.

    This penalty is insanely lenient.

    • Penalty in Florida for using a stack of 100 counterfeit $20's: Five years.

      Penalty for this guy who stole $12 million and wrecked two businesses and an unknown number of small investors: Five years.
      ... This penalty is insanely lenient.

      It's even worse than that. The first guy is in Florida. :-)

  • by backslashdot ( 95548 ) on Tuesday December 19, 2023 @10:21AM (#64090821)

    Many people have that idea, or are curious about it. I'm not sure how searching how to do that can necessarily construe wanting to escape. I'm not saying he isn't guilty .. but I don't like the way they use shit you search for as proof of something. Curiosity isn't a crime, is it? I mean, if you search for a jacket they'll be like "this dude clearly wanted to escape to Canada disguised in a jacket". There are people who like to get multiple passports; to them it's like collecting coins or traveling to every country.

    • "Your honor, lots of people research leaving the country! It has nothing to do with where I was on the 6th" - backslashdot apparently

      "Bail declined, dumbass" - judge probably

    • by vux984 ( 928602 )

      " but I don't like the way they use shit you search for as proof of something."

      It's not 'proof', but it is 'evidence'.
      By itself it's not, and should never be, sufficient to convict, but in context, with all the other pieces, it forms part of the solution to the puzzle.

      According to cellular data you were in the area where the murder took place when the murder took place.
      Lots of people were in that area. It means nothing.

      Then security camera footage shows that your car travelled to the somewhat remote location w

  • I knew it was only going to be a matter of time before the bad guys started converting holdings of BTC into Monero, because that offers a solid way to scrub off the taint of coinage. I'm surprised he got caught, but even then, his maximum time is less than most armed robbery sentences, and most likely because he coughed up a chunk of the change, he likely will get probation or maybe a finger waggle.

    Now it's obvious that the bad guys are (ab)using Monero, I wonder what regulators will do. Banning a cryptocu

    • He probably slipped up somewhere before he got to the Monero step. If he could keep his real identity separate from his wallets and otherwise keep it secret up to that step, he would've been able to stop worrying about the money being traced, and then it's just a matter of escaping to a non-extraditing jurisdiction while retaining access to the Monero. His plan generally seemed pretty solid.

      The fact that any cryptocurrencies, even the relatively traceable ones like Bitcoin, were allowed to take off under th

      • I don't think either previous administration really cared about it while it was sailing high, because people were not losing money. However, once the press was rife with grandmothers losing their life's savings because of throwing their stuff in Bitcoin, it pretty much forced regulation to be done.

        Of all the cryptocurrencies out there, I'd say Monero is the most relevant, because it provides privacy and anonymity. No tumbling needed, if worried, just move coins to a couple wallets, and call it done. Bitc

  • Really? Stole more than $12M and pays back $5 plus 5 years in jail? Shit... I'll take that and not have to work for the rest of my life!
