Title: 《Former Security Engineer For International Technology Company Arrested For Defrauding Decentralized Cryptocurrency Exchange》

Compiled by: Wu Says Blockchain

The U.S. Department of Justice announced the first criminal case involving an attack on a smart contract governing a DEX. Shakeeb Ahmed, a senior security engineer at an international technology company, used his expertise to defraud a decentralized exchange on Solana and its users, stealing approximately $9 million in cryptocurrency. After stealing fees that were never legally obtained, he negotiated with the cryptocurrency exchange, deciding that if the exchange agreed not to report the attack to law enforcement, he would return the stolen funds but demand to keep $1.5 million. Ahmed is charged with wire fraud and money laundering, with a maximum penalty of 20 years in prison for each count.

Although the name of the DEX is not mentioned in the indictment, it may be related to the Crema Finance hack that occurred on Solana infrastructure last year. At that time, a hacker stole $9 million in crypto assets through a flash loan attack but later returned most of the cash.

Here is the full Chinese translation of the U.S. Department of Justice press release:

U.S. Attorney for the Southern District of New York Damian Williams, Homeland Security Investigations ("HSI") Special Agent in Charge Chad Plantz, and Internal Revenue Service Criminal Investigation ("IRS-CI") Special Agent in Charge Tyler Hatcher announced the unsealing of an indictment charging SHAKEEB AHMED with wire fraud and money laundering in connection with his attack on a decentralized cryptocurrency exchange ("crypto exchange"). AHMED was arrested this morning in New York and is scheduled to appear this afternoon before U.S. District Judge Robert W. Lehrburger.

U.S. Attorney Damian Williams stated, "This is the second case we have announced this week to expose fraud in the cryptocurrency and digital asset ecosystem. As alleged in the indictment, Shakeeb Ahmed, as a senior security engineer at an international technology company, exploited his expertise to defraud the exchange and its users, stealing approximately $9 million in cryptocurrency. We also allege that he then laundered the stolen funds through a series of complex transfers on the blockchain, exchanging cryptocurrencies, cross-chain transactions across different cryptocurrency blockchains, and using overseas cryptocurrency exchanges. However, these actions did not cover the defendant's tracks, nor did they fool law enforcement, who certainly did not stop my office or our law enforcement partners from tracing the money."

HSI Special Agent in Charge Chad Plantz said, "Financial crime strikes at the heart of our nation's and our economy's banking security. In the face of attacks of this scale, we must ensure that consumers continue to have confidence in our financial system. Ruthless and reckless attempts to undermine legitimate businesses for the sake of greed must be stopped. Cases like this demonstrate HSI's commitment and ability, in partnership with willing allies, to dismantle these complex and highly technical fraud schemes and hold accountable those who operate regardless of where they are."

IRS-CI Special Agent in Charge Tyler Hatcher said, "It is alleged that AHMED used his skills as a computer security engineer to steal millions of dollars. He then allegedly attempted to hide the stolen funds, but his skills were no match for the IRS Criminal Investigation's Cyber Crime Unit. Together with our partners at HSI and the Department of Justice, we are at the forefront of cyber investigations, and no matter where these fraudsters try to hide, we will track them down and hold them accountable."

According to the allegations in the indictment:

The crypto exchange is registered overseas and operates on the Solana blockchain. At all relevant times, the crypto exchange allowed users to exchange different types of cryptocurrencies and paid fees to deposit users providing liquidity on the exchange.

In July 2022, AHMED launched an attack on the crypto exchange, exploiting a vulnerability in a smart contract of the exchange and inserting false price data to fraudulently generate approximately $9 million in excess fees, which AHMED did not legally obtain, allowing him to withdraw these fees from the crypto exchange in cryptocurrency. This conduct defrauded the crypto exchange and its users, whose cryptocurrencies were fraudulently obtained by AHMED. Additional details about the attack, including AHMED's use of "flash loans" in cryptocurrency to further defraud the exchange, are described in the indictment filed today.

After stealing the fees he did not legally obtain, AHMED communicated with the crypto exchange, deciding that if the exchange agreed not to report the attack to law enforcement, he would return all the stolen funds, except for $1.5 million.

At the time of the attack, AHMED was a senior security engineer at an international technology company, and his resume reflected skills in reverse engineering smart contracts and blockchain auditing, which were specialized skills used by AHMED to execute the attack.

AHMED laundered the millions of dollars he stole from the crypto exchange to conceal its source and ownership, including by: (i) conducting token swap transactions, (ii) "bridging" the fraud proceeds from the Solana blockchain to the Ethereum blockchain, (iii) converting the fraud proceeds into Monero, a cryptocurrency that is anonymized and particularly difficult to trace, and (iv) using overseas cryptocurrency exchanges.

After the attack, AHMED searched online for information about the attack, his own criminal liability, criminal defense attorneys specializing in similar cases, the ability of law enforcement to successfully investigate the attack, and information on fleeing the U.S. to avoid criminal charges. For example, about two days after the attack, AHMED searched for the term "defi hack," read several news articles about the exchange being hacked, and visited several pages of the exchange's website. Another example is that AHMED searched for or visited websites related to the allegations in the indictment, including searching for the terms "wire fraud" and "evidence laundering." Finally, AHMED also searched for or visited websites about his ability to flee the U.S., avoid extradition, and retain the stolen cryptocurrency: he searched for terms like "Can I cross borders with cryptocurrency?", "How to stop the federal government from seizing assets?", and "Buying citizenship"; he also visited a website titled "16 Countries Where Your Investment Can Buy Citizenship…"

34-year-old AHMED, residing in New York, is charged with wire fraud and money laundering, with a maximum penalty of 20 years in prison for each count.

The maximum possible sentence is prescribed by Congress and is provided here for reference only, as the actual sentence for the defendant will be determined by the judge.

Mr. Williams praised the outstanding work of HSI and IRS-CI. Mr. Williams also thanked the U.S. Attorney's Office for the Southern District of California for their assistance in the investigation.

The case is being prosecuted by the office's Money Laundering and Transnational Criminal Enterprises Unit and the Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys David R. Felton and Kevin Mead are in charge of the prosecution.

The charges in the indictment are merely allegations, and the defendant is presumed innocent until proven guilty.