The U.S. government has indicted cybersecurity professional Shakeeb Ahmed, accusing him of hacking a cryptocurrency exchange and stealing approximately $9 million in cryptocurrency. Ahmed, described as a senior security engineer, possessed specialized skills in reverse engineering smart contracts and blockchain audits, which he allegedly utilized to carry out the attack. While it is unclear where Ahmed was employed exactly, his LinkedIn profile stated that he worked as a senior security engineer at Amazon. However, an Amazon spokesperson confirmed that Ahmed is no longer employed by the company.
Although the victim was not explicitly named by prosecutors, CoinDesk reported that the details of the hack align with the attack on Crema Finance—a Solana-based exchange—in early July 2022. During this timeframe, Ahmed purportedly hacked an undisclosed exchange. At the time of the incident, the hacker returned around $8 million in crypto but kept the remaining amount. The U.S. Attorney’s Office stated that Ahmed engaged in communications with the crypto exchange, offering to return all stolen funds except for $1.5 million if they refrained from involving law enforcement.
This practice of negotiating with victims and returning part of the stolen cryptocurrency is relatively common within the crypto world and web3 ecosystem. Hackers who adopt this approach sometimes label themselves as “white hats,” terminology used to describe hackers with good intentions. However, these actions blur ethical boundaries and the appropriate use of such a term.
Returning some of the stolen loot did not protect Ahmed from legal consequences. Prosecutors emphasized that Ahmed leveraged his computer security engineering skills to orchestrate the theft and subsequent concealment attempts. Special Agent in Charge Tyler Hatcher from IRS Criminal Investigation’s Cyber Crimes Unit noted that while Ahmad attempted to hide the stolen funds using his expertise, his efforts were ultimately unsuccessful.
According to allegations outlined in court documents, Ahmed exploited a vulnerability in the targeted exchange by injecting false pricing data to generate inflated fees amounting to millions of dollars—fees he had not genuinely earned but could still withdraw. The indictment also claimed that Ahmed laundered the stolen cryptocurrency through a series of transactions, including token swaps and transferring proceeds from the Solana blockchain to the Ethereum blockchain.
Furthermore, court records indicated that Ahmed conducted online searches related to the hack, his potential legal liability, attorneys specializing in similar cases, law enforcement’s capacity to investigate such attacks, and even evading criminal charges by fleeing the United States.