Funds Returned to DeFi Exchange Nirvana in First Ever DeFi Hack Prosecution


According to TRM Labs, today about USD 2.6 million in cryptocurrency was returned to decentralized exchange Nirvana. Nirvana was the victim of a July 2022 hack which resulted in the first ever prosecution and conviction for a DeFi hack. TRM Labs is proud to have supported law enforcement throughout this investigation and the victim during the incident response.

TRM's Global Investigations team received an alert in TRM Detect indicating that the stolen funds - in the stablecoin DAI - moved back to the exploited DeFi protocol.

TRM's Global Investigations team received an alert in TRM indicating that stolen funds were returned to Nirvana Finance on June 5, 2024

According to court documents, in July 2022, Shakeeb Ahmed, a trained security engineer, carried out an attack on an unidentified cryptocurrency exchange by exploiting a vulnerability in one of the exchange's smart contracts.

In addition, Ahmed, who pleaded guilty late last year, attacked DeFi protocol Nirvana. Nirvana bought and sold its cryptocurrency token, ANA, and was designed so that when a user purchased a substantial quantity of ANA, the price of ANA increased, and when a user sold a substantial quantity of ANA, the price of ANA decreased.

On July 28, 2022, a few weeks after the hack of the Crypto Exchange, Ahmed carried out the Nirvana exploit in which he took out a flash loan for approximately USD 10 million, used those funds to purchase ANA from Nirvana, and used an exploit he discovered in Nirvana’s smart contracts to purchase the ANA at its initial, low price, rather than at the higher price that Nirvana was designed to charge him in light of the size of his purchase.  When the price of ANA updated to reflect his large purchase, Ahmed resold the ANA he had purchased to Nirvana at the new, higher price, resulting in a profit to him of approximately USD 3.6 million.  
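The pricing flaw described above can be reproduced in a toy model. This is an added example, not code from the article or from Nirvana; the linear price curve, the `ToyMarket` class and all amounts are constructed assumptions. It shows why a buy followed by an immediate sell must never be profitable, which is the invariant a pre-deployment test should check.

```python
import math
from dataclasses import dataclass

@dataclass
class ToyMarket:
    # Assumed linear curve: spot = base + slope * supply (not Nirvana's real formula).
    base: float = 1.0
    slope: float = 1e-6
    supply: float = 0.0    # tokens in circulation
    reserve: float = 0.0   # stablecoin held by the protocol

    def spot(self) -> float:
        return self.base + self.slope * self.supply

    def curve_value(self, s0: float, s1: float) -> float:
        # Integral of the spot price between two supply levels.
        return self.base * (s1 - s0) + self.slope * (s1**2 - s0**2) / 2

    def buy(self, payment: float, stale_price: bool) -> float:
        p0 = self.spot()
        if stale_price:
            # Flawed: the whole order fills at the pre-trade price.
            tokens = payment / p0
        else:
            # Correct: solve curve_value(supply, supply + x) == payment for x.
            tokens = (math.sqrt(p0**2 + 2 * self.slope * payment) - p0) / self.slope
        self.supply += tokens
        self.reserve += payment
        return tokens

    def sell(self, tokens: float) -> float:
        # Pays the curve value of the tokens, limited by what the reserve holds.
        value = self.curve_value(self.supply - tokens, self.supply)
        proceeds = min(value, self.reserve)
        self.supply -= tokens
        self.reserve -= proceeds
        return proceeds

def round_trip_profit(payment: float, stale_price: bool) -> float:
    """Buy, then sell immediately; a sound market never pays out a profit here."""
    m = ToyMarket()
    m.buy(3_600_000, stale_price=False)  # constructed deposits from honest users
    tokens = m.buy(payment, stale_price)
    return m.sell(tokens) - payment

if __name__ == "__main__":
    for stale in (True, False):
        profit = round_trip_profit(10_000_000, stale)
        print(f"stale_price={stale}: round-trip profit = {profit:,.2f}")
```

With the stale price, the round trip drains the entire constructed reserve; with the order priced along the curve, the profit is zero up to floating-point error.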

Nirvana offered Ahmed a “bug bounty” of as much as USD 600,000 to return the stolen funds, but Ahmed instead demanded USD 1.4 million, did not reach agreement with Nirvana, and kept all the stolen funds.  The USD 3.6 million Ahmed stole represented approximately all the funds possessed by Nirvana, which as a result shut down shortly after Ahmed’s attack.

Ahmed laundered the millions that he stole from the Crypto Exchange and from Nirvana using various on-chain obfuscation techniques including the use of mixers, cross chain swaps, and privacy coin Monero.

Below, we’ll discuss the exploit on the Crypto Exchange, the incident response and the investigation using TRM’s blockchain intelligence.

The Exploit

According to the indictment, at the time of the attack, the defendant “was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the attack.” The Crypto Exchange, also according to the indictment, is an “automated market maker” which relies on smart contracts for its customers to exchange assets on the Solana blockchain. Specifically, the Crypto Exchange created a market for trading by pooling liquidity from its customers (e.g., a customer deposits 100 USDC on the exchange at market price, and the exchange pays the customer fees for making liquidity available).

On July 2, 2022, the Crypto Exchange notified the public that it was experiencing an attack and that it would take quick remedial measures to protect customer funds. That attack was allegedly carried out by the defendant who exploited the smart contract associated with the exchange by providing false data to make it appear that he had supplied a large volume of liquidity to the exchange, which he had not actually done. As a result, the defendant fraudulently received substantial fees from the Exchange. 

Additionally, after figuring out how to exploit the Exchange’s smart contract, the defendant allegedly used funds from “flash loans” to make a series of deposits into the exchange, generating additional fraudulent fees. The defendant then created another fraudulent account on the exchange and further manipulated the smart contract so he could quickly withdraw the principal funds from the Exchange.

Ahmed is believed to have fraudulently obtained, in total, over USD 9 million worth of cryptocurrency from the Exchange by manipulating the smart contract. Using TRM Labs Graph Visualizer, you can see the exploit coming from the exploiter address, crossing blockchains from Solana to Ethereum, and moving to subsequent ETH addresses.

Subsequent to the exploit, the defendant needed to obfuscate the flow of the fraudulently obtained funds, so he began using sophisticated money laundering techniques to hide the destination of the funds. The defendant appears to have swapped funds across blockchains a number of times, used cryptocurrency “mixers” and moved funds into privacy enhanced cryptocurrencies in order to conceal the flow of funds.

The Response

Following the hack, the Exchange worked with TRM’s incident response team, and investigators from HSI and IRS-CI to track and trace the flow of funds both before and after the exploit.

During the course of the investigation and incident response, the defendant returned all of the funds other than USD 1.5 million worth of cryptocurrency, which he claimed he was due for highlighting the vulnerability in the smart contract protocol.

According to the indictment, investigators used this on-chain data with an off-chain investigation to ultimately identify and arrest the defendant. That off-chain investigation revealed that, following the attack, the defendant searched online for information about the attack, his own criminal liability, criminal defense attorneys with expertise in similar cases, law enforcement’s ability to successfully investigate the attack, and fleeing the United States to avoid criminal charges.  

For example, according to the indictment, two days after the attack, the defendant conducted an internet search for the term “defi hack,” read several news articles about the hack of the Crypto Exchange, and conducted internet searches or visited websites related to his ability to flee the United States, avoid extradition, and keep his stolen cryptocurrency: he searched for the terms “can I cross border with crypto,” “how to stop federal government from seizing assets,” and “buying citizenship”; and he visited a website titled “16 Countries Where Your Investments Can Buy Citizenship . . .”

On December 14, 2023, Ahmed pled guilty in connection with the two hacks and agreed to forfeit over USD 12.3 million, including forfeiture of approximately USD 5.6 million in fraudulently obtained cryptocurrency.

This case exemplifies the sophisticated and coordinated efforts of U.S. law enforcement agencies such as HSI and IRS-CI, using blockchain intelligence, to disrupt and punish fraud in the cryptocurrency ecosystem. It also highlights the importance of being able to trace and track the flow of funds across blockchains to stop illicit actors who seek to obfuscate transactions.
