First Smart Contract Attack Indictment in the US

The US Department of Justice (DOJ) has charged Shakeeb Ahmed with stealing $9 million from a Solana-based decentralized exchange (DEX) using a common flash loan method.

Details of the Case

On July 11, the DOJ ordered the arrest of Shakeeb Ahmed, a security engineer, for fraud and money laundering. Ahmed allegedly exploited a vulnerability in the DEX's smart contract to manipulate price data and withdraw funds.

The DOJ's press release stated that Ahmed utilized flash loans worth tens of millions of dollars, deposited them into the DEX's liquidity pool, and then withdrew funds while claiming fees (normally reserved for liquidity providers). Ahmed allegedly took out at least 21 flash loans, according to the indictment.

Afterwards, Ahmed attempted to obscure the trail of the stolen funds by swapping them into various cryptocurrencies across multiple blockchains, eventually converting them into Monero (XMR) and sending them to various exchanges to mix the funds.

The indictment also highlights Ahmed's attempts to evade law enforcement, as evidenced by his search history.

Partial Return of Stolen Funds

The DOJ noted that Ahmed returned most of the stolen funds in an effort to seek leniency from the law.

Although the DEX involved was not named, the case shares similarities with the attack on Crema Finance. Last August, this Solana-based DEX was drained of nearly $9 million, after which the hacker returned $8 million and kept $1.7 million as a bug bounty reward.

Significance of the Case

This marks the first time the US has prosecuted a smart contract attack. Previously, at the end of 2022, US authorities arrested the suspect behind the manipulation of Mango Markets, which resulted in a loss of $114 million. Since early 2023, US financial authorities have consistently taken legal action against organizations and individuals within the crypto industry.
