Damian Williams, the United States Attorney for the Southern District of New York, announced the unsealing of an Indictment charging SHAKEEB AHMED with wire fraud and money laundering in connection with his attack on a decentralized cryptocurrency exchange (the “Crypto Exchange”), according to US Attorney. AHMED laundered the millions in fees that he stole from the Crypto Exchange to conceal their source and ownership.
- (i) conducting token-swap transactions
- (ii) “bridging” fraud proceeds from the Solana blockchain over to the Ethereum blockchain
- (iii) exchanging fraud proceeds into Monero, an anonymized and particularly difficult cryptocurrency to trace
- (iv) using overseas cryptocurrency exchanges
This is the second case are announcing this week to shed light on fraud in the cryptocurrency and digital asset ecosystem (see Decentralized Exchanges Risks Review).
AHMED was arrested this morning in New York, New York, and will be presented this afternoon before U.S. Magistrate Judge Robert W. Lehrburger.
As alleged in the indictment, Shakeeb Ahmed, who was a senior security engineer at an international technology company, used his expertise to defraud the exchange and its users and steal approximately $9 mn in cryptocurrency.
We allege that he then laundered the stolen funds through a series of complex transfers on the blockchain where he swapped cryptocurrencies, hopped across different crypto blockchains, and used overseas crypto exchanges.
Damian Williams
But none of those actions covered the defendant’s tracks or fooled law enforcement (see How Worldwide Cryptocurrency Adoption Changes Compensation & Rewards Programs?).
Centralized exchanges are custodial in nature, meaning that they hold the funds of users and have control over what occurs in the platform. As a way of safeguarding the crypto holdings of their users, they store a bulk of it in cold wallets.
A typical custodial exchange requests that potential users undergo the KYC process and without it, they are either not allowed to use the blockchain-based services or restricted on what services they can enjoy.
A DEX exchange is a trading platform that allows people to buy and sell their crypto assets and trade directly with other users. Traders use this type of trading platform when they want to exchange cryptocurrencies at market price without the intervention of a centralized authority.
Financial crime strikes at the core of our national and economic banking security. With an attack of this magnitude, it’s crucial we ensure continued consumer confidence in our financial system.
HSI Special Agent in Charge Chad Plantz
Ruthless and reckless attempts aimed to sabotage legitimate commerce for greed must be stopped. It’s cases like these that demonstrate HSI’s commitment and ability to work with a coalition of the willing to dismantle these complicated and technical fraud schemes and identify those responsible regardless of where they operate.
Decentralized finance (DeFi) has had a challenging year – losing 75% of its total value locked over the last 11 months. However, while the crypto crash might have hit investors, it did not deter criminals. Bug exploits, logic faults, private key compromises and social engineering attacks broke records in 2022, stealing a record $2.7 billion from DeFi protocols.
Mr. Ahmed used his skills as a computer security engineer to steal millions of dollars. He then allegedly tried to hide the stolen funds, but his skills were no match for IRS Criminal Investigation’s Cyber Crimes Unit.
The Crypto Exchange was incorporated overseas and operates on the Solana blockchain.
At all relevant times, the Crypto Exchange allowed users to exchange different kinds of cryptocurrencies and paid fees to users who deposited cryptocurrency to provide liquidity on the Crypto Exchange.
In July 2022, AHMED carried out an attack on the Crypto Exchange by exploiting a vulnerability in one of the Crypto Exchange’s smart contracts and inserting fake pricing data to fraudulently cause that smart contract to generate approximately $9 million dollars’ worth of inflated fees that AHMED did not legitimately earn, which fees AHMED was able to withdraw from the Crypto Exchange in the form of cryptocurrency.
This conduct defrauded the Crypto Exchange and its users, whose cryptocurrency AHMED had fraudulently obtained. Additional details regarding the attack, including AHMED’s use of cryptocurrency “flash loans” to further defraud the Crypto Exchange, are described in the Indictment publicly filed today.
After he stole the fees he never legitimately earned, AHMED had communications with the Crypto Exchange in which he decided to return all of the stolen funds except for $1.5 million if the Crypto Exchange agreed not to refer the attack to law enforcement.
At the time of the attack, AHMED reverse engineering smart contracts and blockchain audits, which are some of the specialized skills AHMED used to execute the attack.
After the attack, AHMED searched online for information about the attack, his own criminal liability, criminal defense attorneys with expertise in similar cases, law enforcement’s ability to successfully investigate the attack, and fleeing the United States to avoid criminal charges.
For example, approximately two days after the attack, AHMED conducted an internet search for the term “defi hack,” read several news articles about the hack of the Crypto Exchange, and visited several pages on the Crypto Exchange’s website.
AHMED conducted internet searches or visited websites related to the charges in the indictment, including by searching for the term “wire fraud” and for the term “evidence laundering.”
Finally, AHMED also conducted internet searches or visited websites related to his ability to flee the United States, avoid extradition, and keep his stolen cryptocurrency.
Edited by 
Oleg Parashchak
