Engineer Admits to Exploits on Nirvana and Another DeFi Platform in First Ever Conviction for the Hack of a Smart Contract

On December 14, 2023, the United States Attorney for the Southern District of New York announced the guilty plea of Shakeeb Ahmed in connection with his hack of two separate decentralized cryptocurrency exchanges in July 2022 – one herein referred to as “Crypto Exchange” and the other, Nirvana Finance.

Ahmed pled guilty to computer fraud and agreed to forfeit over USD 12.3 million, including forfeiture of approximately USD 5.6 million in fraudulently obtained cryptocurrency.

TRM Labs is proud to have supported law enforcement throughout this investigation and the victim during the incident response.

While in July 2023, Ahmed was publicly charged with the hack of the Crypto Exchange, last week’s guilty plea was the first time that Ahmed was publicly tied to the Nirvana hack. This is the first criminal case involving an attack on a smart contract operated by a decentralized exchange. 

According to the indictment, in July 2022, Ahmed, a trained security engineer, carried out an attack on the Crypto Exchange by exploiting a vulnerability in one of the Crypto Exchange’s smart contracts. TRM breaks down the exploit below.  

The exploit was similar in the case of Nirvana which bought and sold its cryptocurrency token, ANA.  Nirvana was designed so that when a user purchased a substantial quantity of ANA, the price of ANA increased, and when a user sold a substantial quantity of ANA, the price of ANA decreased.

On July 28, 2022, a few weeks after the hack of the Crypto Exchange, Ahmed carried out the attack on Nirvana in which he took out a flash loan for approximately $10 million, used those funds to purchase ANA from Nirvana, and used an exploit he discovered in Nirvana’s smart contracts to purchase the ANA at its initial, low price, rather than at the higher price that Nirvana was designed to charge him in light of the size of his purchase.  When the price of ANA updated to reflect his large purchase, Ahmed resold the ANA he had purchased to Nirvana at the new, higher price, resulting in a profit to him of approximately $3.6 million.  

Nirvana offered Ahmed a “bug bounty” of as much as $600,000 to return the stolen funds, but Ahmed instead demanded $1.4 million, did not reach agreement with Nirvana, and kept all the stolen funds.  The $3.6 million Ahmed stole represented approximately all the funds possessed by Nirvana, which as a result shut down shortly after Ahmed’s attack.

As discussed more fully below, Ahmed laundered the millions that he stole from the Crypto Exchange and from Nirvana using various on-chain obfuscation techniques including the use of mixers, cross-chain swaps, and privacy coin Monero.

Below, we’ll discuss the exploit on the Crypto Exchange, the incident response and the investigation using TRM’s blockchain intelligence.

The Exploit‍

According to the indictment, at the time of the attack, the defendant “was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the attack.” The Crypto Exchange, also according to court documents, is an “automated market maker” which relies on smart contracts for its customers to exchange assets on the Solana blockchain. Specifically, the Crypto Exchange created a market for trading by pooling liquidity from its customers (eg, Customer deposits 100 USDC on the exchange at market price, the exchange pays the customer fees for making liquidity available).

On July 2, 2022, the Crypto Exchange notified the public that it was experiencing an attack and that it would take quick remedial measures to protect customer funds. In the course of the attack, Ahmed exploited the smart contract associated with the exchange by providing false data to make it appear that he had supplied a large volume of liquidity to the exchange, which he had not actually done. As a result, the defendant fraudulently received substantial fees from the Exchange. 

Additionally, after figuring out how to exploit the Exchange’s smart contract, Ahmed used funds from “flash loans” to make a series of deposits into the exchange, generating additional fraudulent fees. He then created another fraudulent account on the exchange and further manipulated the smart contract so he could quickly withdraw the principal funds from the Exchange.

According to court documents, Ahmed fraudulently obtained, in total, over USD 9 million dollars worth of cryptocurrency from the Exchange by manipulating the smart contract. Using TRM Labs Graph Visualizer, you can see the exploit coming from the exploiter address, crossing blockchains from Solana to Ethereum, and moving to subsequent ETH addresses.

Subsequent to the exploit, the defendant  needed to obfuscate the flow of the fraudulently obtained funds, so he began using sophisticated money laundering techniques to hide the destination of the funds. The defendant  appears to have swapped funds across blockchains a number of times, used cryptocurrency “mixers” and moved funds into privacy enhanced cryptocurrencies in order to conceal the flow of funds.‍

‍The Response‍

Following the hack, the Exchange worked with TRM’s incident response team, and investigators from HSI and IRS-CI to track and trace the flow of funds both before and after the exploit.

During the course of the investigation and incident response, the defendant returned all of the funds other than USD 1.5 million worth of cryptocurrency, which he claimed he was due for highlighting the vulnerability in the smart contract protocol.

According to the indictment, investigators used this on-chain data with an off-chain investigation to ultimately identify and arrest the defendant. That off-chain investigation revealed that, following the attack, the defendant searched online for information about the attack, his own criminal liability, criminal defense attorneys with expertise in similar cases, law enforcement’s ability to successfully investigate the attack, and fleeing the United States to avoid criminal charges.  

For example, according to the indictment, two days after the attack, the defendant conducted an internet search for the term “defi hack,” read several news articles about the hack of the Crypto Exchange, and conducted internet searches or visited websites related to his ability to flee the United States, avoid extradition, and keep his stolen cryptocurrency: he searched for the terms “can I cross border with crypto,” “how to stop federal government from seizing assets,” and “buying citizenship”; and he visited a website titled “16 Countries Where Your Investments Can Buy Citizenship . . .”

This case exemplifies the sophisticated and coordinated efforts of U.S. law enforcement agencies such as HSI and IRS-CI, using blockchain intelligence, to disrupt and punish fraud in the cryptocurrency ecosystem. It also highlights the importance of being able to trace and track the flow of funds across blockchains to stop illicit actors who seek to obfuscate transactions.