Shakeeb Ahmed gets three-year sentence for Nirvana hack

A New York court has sentenced computer security engineer Shakeeb Ahmed to three years in prison for conducting flash loan attacks on decentralized cryptocurrency exchanges in 2022, marking the first-ever conviction for a breach involving smart contracts.

Shakeeb Ahmed gets three-year sentence for Nirvana hack

The U.S. Attorney Damian Williams announced that Ahmed, who targeted the two decentralized exchanges, will also undergo three years of supervised release. In addition to his prison sentence, Ahmed is required to forfeit $12.3 million and a substantial amount of cryptocurrency, as well as pay $5 million in restitution to the affected exchanges.

This case is noted as the first U.S. conviction for a smart contract hack. Ahmed’s illegal activities involved exploiting vulnerabilities in the exchanges’ smart contracts to divert funds, which he then attempted to launder across various blockchains and through cryptocurrency mixers.

During negotiations following the theft, Ahmed proposed to return all stolen funds from Nirvana Finance minus $1.5 million if the exchange refrained from involving law enforcement. In a separate incident with Nirvana, he demanded $1.4 million to return part of the $3.6 million stolen, but no settlement was reached. Following the hack, Nirvana’s NIRV stablecoin and ANA coin suffered massive value losses, and the exchange subsequently ceased operations.

The Southern District of New York (SDNY) highlighted that Ahmed used sophisticated methods to launder the stolen assets, including token-swap transactions and using offshore cryptocurrency exchanges. Despite links to a similar attack on Crema Exchange in July 2022, Ahmed has not been charged in connection with that incident.

At the time of the attacks, Ahmed was employed as a senior security engineer for a major international technology company. He now works for a mental health care startup, as reported by Inner City Press. Ahmed was initially charged in July with wire fraud and money laundering, but ultimately pleaded guilty to a single count of computer fraud in December.