Full Text: US announces first criminal case involving attack on DEX smart contract


Compiled by: Wu Shuo Blockchain

The US Department of Justice announced the first criminal case involving a smart contract attack on a DEX operation. Shakeeb Ahmed, a senior security engineer at an international technology company, used his expertise to defraud a decentralized exchange on Solana and its users, stealing approximately $9 million worth of cryptocurrencies. After stealing the unlawfully obtained fees, he negotiated with the cryptocurrency exchange that if it agreed not to report the attack to law enforcement, he would return the stolen funds, but requested to keep $1.5 million. Ahmed was charged with telecommunications fraud and money laundering, with a maximum penalty of 20 years in prison for each charge.

Although the name of the DEX was not mentioned in the indictment, it may be related to last year’s Crema Finance hack on the Solana infrastructure. At that time, a hacker stole $9 million worth of cryptocurrency through a flash loan attack, but later returned most of the cash.

Below is a translation of the full text of the US Department of Justice press release:

Damian Williams, the federal prosecutor in the Southern District of New York, Chad Prantz, the special agent in charge of the San Diego office of Homeland Security Investigations (“HSI”), and Taylor Hach, the special agent in charge of the criminal investigation department of the Los Angeles office of the US Internal Revenue Service (“IRS-CI”), announced the unsealing of an indictment charging SHAKEEB AHMED with telecommunications fraud and money laundering in connection with his attack on a decentralized cryptocurrency exchange (“crypto exchange”). AHMED was arrested this morning in New York and will appear before US District Judge Robert W. Lehrburger this afternoon.

US prosecutor Damian Williams said: “This is the second case we have announced this week to expose fraud in the cryptocurrency and digital asset ecosystem. As described in the indictment, Shakeeb Ahmed, as a senior security engineer at an international technology company, used his expertise to defraud the exchange and its users, stealing approximately $9 million worth of cryptocurrencies. We also charged him with then laundering the money through a series of complex transfers on the blockchain, exchanging cryptocurrencies, moving funds across different cryptocurrency blockchains, and using overseas cryptocurrency exchanges. However, these actions did not cover the defendant’s tracks, did not deceive law enforcement agencies, and of course did not prevent my office or our law enforcement partners from tracking the money.”

HSI Special Agent in Charge Chad Pradelli said: “Financial crimes strike at the heart of our nation and our economy’s banking security. Faced with attacks of this magnitude, we must ensure that consumers continue to have confidence in our financial system. Ruthless and reckless attempts to disrupt legitimate business to satisfy greed must be stopped. Cases like this demonstrate HSI’s commitment and ability to work with willing alliances to dismantle these complex and highly technical fraudulent schemes and identify those who are responsible, no matter where they operate.”

IRS-CI Chief Taylor Hatch said: “Ahmed allegedly used his skills as a computer security engineer to steal millions of dollars. He then allegedly attempted to hide the stolen funds, but his skills were no match for the IRS Criminal Investigation Division’s Cyber Crime Unit. Working together with our partners at HSI and the Department of Justice, we are at the forefront of cyber investigations and will track down these fraudsters and hold them accountable, no matter where they try to hide.”

According to the charges in the indictment:

The crypto exchange was registered overseas and operated on the Solana blockchain. At all relevant times, the crypto exchange allowed users to exchange different types of cryptocurrencies and paid fees to depositing users who provided liquidity on the exchange.

In July 2022, Ahmed launched an attack on the crypto exchange, exploiting a vulnerability in one of the exchange’s smart contracts and inserting assumed price data to fraudulently cause the smart contract to generate excess fees of approximately $9 million. Ahmed did not lawfully obtain these fees, and he was able to extract them from the crypto exchange in the form of cryptocurrencies. This behavior defrauded the crypto exchange and its users, whose cryptocurrencies were fraudulently obtained by Ahmed. Additional details about the attack, including Ahmed’s further use of “flash loans” of cryptocurrency to defraud the exchange, are described in the indictment filed today.

After he stole the unlawfully obtained fees, Ahmed communicated with the crypto exchange and decided that if the exchange agreed not to report this attack to law enforcement, he would return all of the stolen funds, except for $1.5 million.

During the attack, AHMED was a senior security engineer at an international technology company, and his resume reflects his skills in reverse engineering smart contracts and auditing blockchain, which are the specialized skills AHMED used to carry out the attack.

AHMED laundered the millions of dollars he stole from a cryptocurrency exchange to disguise its source and ownership, including by (i) conducting token exchange transactions, (ii) “hopping” the fraudulently obtained funds from the Solana blockchain to the Ethereum blockchain, (iii) exchanging the fraudulently obtained funds into Monero, a particularly difficult-to-trace and anonymized cryptocurrency, and (iv) using overseas cryptocurrency exchanges.

After the attack, AHMED searched online for information about the attack, his own criminal liability, criminal defense lawyers specializing in similar cases, law enforcement’s ability to investigate the attack, and information on how to flee the United States to avoid criminal charges. For example, approximately two days after the attack, AHMED searched for the term “defi hack,” read several news articles about exchanges being hacked, and visited several pages on the exchange’s website. Another example is that AHMED searched for or visited websites related to the charges in the indictment, including searching for the words “telecom fraud” and “evidence laundering.” Finally, AHMED also searched for or visited websites regarding his ability to flee the United States, avoid extradition, and retain the stolen cryptocurrency: he searched for terms such as “can I travel with cryptocurrency,” “how to prevent federal asset seizure,” and “buying citizenship”; and he visited a website titled “16 Countries Where Your Investment Can Buy Citizenship…”.

34-year-old AHMED, who resides in New York, is charged with telecommunications fraud and money laundering, with a maximum sentence of 20 years in prison for each charge.

The maximum possible sentence is set by Congress and is provided here only for the reader’s reference, as the defendant’s actual sentence will be determined by the judge.

Mr. Williams commended HSI and IRS-CI for their outstanding work. Mr. Williams also thanked the Southern District of California U.S. Attorney’s Office for its assistance in the investigation.

The case is being prosecuted by the Office’s Money Laundering and Transnational Criminal Enterprises Unit and Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys David R. Felton and Kevin Mead are in charge of the prosecution.

The charges in the indictment are only allegations, and the defendant is presumed innocent until proven guilty.
