The U.S. government accused a cybersecurity professional of hacking a cryptocurrency exchange and stealing around $9 million in cryptocurrency, in what looks like a case of an ethical hacker turning rogue, then trying to appear ethical again.
In a press release on Tuesday, the U.S. Attorney’s Office of the Southern District of New York announced the indictment of Shakeeb Ahmed, 34, calling him “a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the attack.”
While the prosecutors did not specify who the victim was, cryptocurrency news website CoinDesk reported that the description and date of the hack match the attack on Crema Finance, a Solana-based exchange, which happened in early July 2022, around the same date — July 2 and 3 — that Ahmed is alleged to have hacked an unnamed exchange.
In that case, the hacker ended up returning around $8 million in crypto and keeping the rest, as was reported at the time. In their press release, DOJ prosecutors said that Ahmed “had communications with the Crypto Exchange in which he decided to return all of the stolen funds except for $1.5 million if the Crypto Exchange agreed not to refer the attack to law enforcement.”
This is a very common practice in the world of crypto and web3. In the past, hackers who stole crypto and offered to return parts of it by negotiating with the victims directly have sometimes called themselves “white hats,” cybersecurity lingo for hackers who have good intentions. Clearly, these hackers have taken what is a word with a pretty clear and established meaning and co-opted it for a practice that resides — to say the least — in a gray area.
And, as this case shows, returning some of your crypto loot does not mean you will not be prosecuted.
The feds highlighted the fact that Ahmed, who is accused of wire fraud and money laundering, used the chops he learned in his day jobs to carry out the theft.
“Ahmed used his skills as a computer security engineer to steal millions of dollars. He then allegedly tried to hide the stolen funds, but his skills were no match for IRS Criminal Investigation’s Cyber Crimes Unit,” Special Agent in Charge Tyler Hatcher, who works for IRS-CI, the criminal investigation branch of the IRS, is quoted as saying in a press release.
Ahmed allegedly exploited a vulnerability in the exchange and inserted “fake pricing data to fraudulently generate millions of dollars’ worth of inflated fees, which he did not actually earn but was still able to withdraw,” according to the indictment against Ahmed.
Then, according to the feds, Ahmed allegedly laundered the stolen crypto “through a series of transactions,” such as swapping tokens and “bridging” the proceeds from the Solana blockchain to the Ethereum blockchain, among others.
Later, Ahmed also allegedly searched online for information on the hack, “his own criminal liability,” attorneys who had expertise in similar cases, whether law enforcement could investigate such an attack, and “fleeing the United States to avoid criminal charges.”