U.S. authorities make arrest in the first criminal case involving an attack on a smart contract operated by a decentralized exchange

On July 11, 2023, the United States Attorney for the Southern District of New York, the Special Agent in Charge of the San Diego Field Office of Homeland Security Investigations (“HSI”), and the Special Agent in Charge of the Los Angeles Field Office of the Internal Revenue Service - Criminal Investigation (“IRS-CI”), announced the unsealing of an Indictment charging Shakeeb Ahmed (the defendant) with wire fraud and money laundering in connection with his attack on a decentralized cryptocurrency exchange (the “Crypto Exchange”).  Ahmed was also arrested on that same morning in New York City. This is the first criminal case involving an attack on a smart contract operated by a decentralized exchange. TRM Labs is proud to have supported law enforcement throughout this investigation and the victim during the incident response.

According to the indictment, in July 2022, Ahmed, a trained security engineer, carried out an attack on the Crypto Exchange by exploiting a vulnerability in one of the Crypto Exchange’s smart contracts and inserting fake pricing data to fraudulently cause that smart contract to generate approximately $9 million dollars’ worth of inflated fees that Ahmed did not legitimately earn, which fees Ahmed was able to withdraw from the Crypto Exchange in the form of cryptocurrency. 

After he stole the fees, Ahmed had communications with the Crypto Exchange in which he decided to return all of the stolen funds except for $1.5 million if the Crypto Exchange agreed not to refer the attack to law enforcement.  

According to the indictment, Ahmed laundered the millions in fees that he stole from the Crypto Exchange to conceal their source and ownership, including token swaps, chain hopping, the use of privacy coins like Monero, and by utilizing offshore exchanges.

Below, we’ll discuss the exploit, the incident response and the investigation using TRM’s blockchain intelligence.‍

The Exploit‍

According to the indictment, at the time of the attack, the defendant “was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the attack.” The Crypto Exchange, also according to the indictment, is an “automated market maker” which relies on smart contracts for its customers to exchange assets on the Solana blockchain. Specifically, the Crypto Exchange created a market for trading by pooling liquidity from its customers (eg, Customer deposits 100 USDC on the exchange at market price, the exchange pays the customer fees for making liquidity available).

On July 2, 2022, the Crypto Exchange notified the public that it was experiencing an attack and that it would take quick remedial measures to protect customer funds. That attack was allegedly carried out by the defendant who exploited the smart contract associated with the exchange by providing false data to make it appear that he had supplied a large volume of liquidity to the exchange, which he had not actually done. As a result, the defendant fraudulently received substantial fees from the Exchange. 

Additionally, after figuring out how to exploit the Exchange’s smart contract, the defendant allegedly used funds from “flash loans” to make a series of deposits into the exchange, generating additional fraudulent fees. The defendant then created another fraudulent account on the exchange and further manipulated the smart contract so he could quickly withdraw the principal funds from the Exchange.

The defendant is believed to have fraudulently obtained, in total, over USD 9 million dollars worth of cryptocurrency from the Exchange by manipulating the smart contract. Using TRM Labs Graph Visualizer, you can see the exploit coming from the exploiter address, crossing blockchains from Solana to Ethereum, and moving to subsequent ETH addresses.

Subsequent to the exploit, the defendant  needed to obfuscate the flow of the fraudulently obtained funds, so he began using sophisticated money laundering techniques to hide the destination of the funds. The defendant  appears to have swapped funds across blockchains a number of times, used cryptocurrency “mixers” and moved funds into privacy enhanced cryptocurrencies in order to conceal the flow of funds.‍

The Response‍

Following the hack, the Exchange worked with TRM’s incident response team, and investigators from HSI and IRS-CI to track and trace the flow of funds both before and after the exploit.

During the course of the investigation and incident response, the defendant returned all of the funds other than USD 1.5 million worth of cryptocurrency, which he claimed he was due for highlighting the vulnerability in the smart contract protocol.

According to the indictment, investigators used this on-chain data with an off-chain investigation to ultimately identify and arrest the defendant. That off-chain investigation revealed that, following the attack, the defendant searched online for information about the attack, his own criminal liability, criminal defense attorneys with expertise in similar cases, law enforcement’s ability to successfully investigate the attack, and fleeing the United States to avoid criminal charges.  

For example, according to the indictment, two days after the attack, the defendant conducted an internet search for the term “defi hack,” read several news articles about the hack of the Crypto Exchange, and conducted internet searches or visited websites related to his ability to flee the United States, avoid extradition, and keep his stolen cryptocurrency: he searched for the terms “can I cross border with crypto,” “how to stop federal government from seizing assets,” and “buying citizenship”; and he visited a website titled “16 Countries Where Your Investments Can Buy Citizenship . . .”

This case exemplifies the sophisticated and coordinated efforts of U.S. law enforcement agencies such as HSI and IRS-CI, using blockchain intelligence, to disrupt and punish fraud in the cryptocurrency ecosystem. It also highlights the importance of being able to trace and track the flow of funds across blockchains to stop illicit actors who seek to obfuscate transactions.