
Nirvana Finance Restart: How Was the Hacker Behind the First-Ever Smart Contract Attack Conviction Caught?
TechFlow Selected TechFlow Selected

Nirvana Finance Restart: How Was the Hacker Behind the First-Ever Smart Contract Attack Conviction Caught?
For DApp developers, fund security is a critical dimension that must be carefully considered.
Author: @Web3Mario
Summary: Last week saw several major developments—the Federal Reserve cut rates by a relatively aggressive 50 basis points, while the Bank of Japan held steady. This essentially signals that there likely won't be significant bearish news in the coming weeks. Many analyses on this have already been published, so I won't repeat them here. During this period, focusing on just two key factors will help manage risk effectively: first, whether the labor market recovers as expected; second, the risk of renewed inflation. Beyond that, one piece of breaking news caught my attention: Nirvana Finance, an algorithmic stablecoin project on Solana, announced the relaunch of its V2. The project had halted operations after being hacked for over $3.5 million in July 2022. I recall learning previously that the hacker responsible was convicted, and the recent restart suggests judicial authorities have now completed the transfer of recovered funds. This marks what appears to be the first-ever criminal conviction in the U.S. for exploiting a smart contract vulnerability—an event of landmark significance for common law jurisdictions. It should significantly improve procedures for handling similar cases going forward. Over the weekend, I took some time to thoroughly research the case details and share them with you.
Background of the Nirvana Finance Flash Loan Attack
Not sure how many readers are familiar with this project—let me briefly outline the background. Nirvana Finance was an algorithmic stablecoin project on Solana—I won’t dive deep into its mechanics. Launched in early 2022, it was attacked on July 28, 2022, resulting in the theft of all collateral backing its stablecoin NIRV, amounting to approximately $3.5 million. The attack method itself is quite interesting. Although the project's contracts were not open-sourced, the attacker still managed to profit using Solend’s flash loan functionality. At the time, the team faced accusations of an inside job.

Besides this, prior to the hack, the project claimed to have completed “automated audits,” though these proved ineffective. Alex Hoffman, one of the co-founders, later told Cointelegraph that the actual audit process had only just begun the week of the attack. He admitted he hadn’t anticipated such high visibility for Nirvana Finance during development—until several Chinese media outlets covered it, causing TVL to spike rapidly. Understandably so, given that this was during the peak of Luna’s rise, when algorithmic stablecoins drew intense interest. After achieving initial traction, Solana CEO Anatoly Yakovenko personally urged Hoffman to conduct a smart contract audit and even helped expedite the scheduling with auditing firms.
After losing its collateral, the project went dormant—but its Discord community remained actively maintained by official team members. Throughout this time, the community continued monitoring the stolen funds. However, since the hacker eventually used tools like Tornado Cash and Monero to obfuscate the trail, recovery efforts initially yielded no results. A turning point came on December 14, 2023, when Shakeeb Ahmed, a senior software security engineer formerly at Amazon, pleaded guilty in the U.S. District Court for the Southern District of New York to a computer fraud charge related to hacking both Nirvana Finance and an unnamed decentralized cryptocurrency exchange. The U.S. Attorney’s Office stated this marked the first-ever criminal conviction globally for exploiting a smart contract vulnerability.

Of course, the founder didn’t stop there after the attack—he moved on to develop other projects: Superposition Finance and Concordia Systems. One benefit of maintaining some level of anonymity is avoiding excessive FUD spillover. Then, on April 15, 2024, the court sentenced Shakeeb Ahmed to three years in prison for hacking and defrauding two crypto exchanges. On June 6, the stolen funds were officially transferred back to the team-designated account—marking the formal recovery of the assets.

The Root Cause Was Actually Crema Finance—Nirvana Finance Was Revealed Only After the Hacker Was Caught
In fact, the 34-year-old software engineer was working as a senior security engineer at an international tech company at the time of the attacks, specializing in smart contract and blockchain audits. He was also proficient in reverse engineering—a skill that explains how Nirvana could be attacked despite not open-sourcing its code. Reverse engineering involves using decompilation tools to convert compiled executable bytecode back into human-readable high-level source code. While the original contract wasn't public, all compiled bytecode is stored on-chain, making it accessible to skilled developers through such techniques.
According to documents later released by the U.S. Department of Justice, the origin of the entire case traces back to a decentralized exchange attacked in July 2022, suffering losses of around $9 million—identified upon analysis as Crema Finance. On July 4, 2022, Shakeeb Ahmed exploited the platform via a flash loan attack and then offered a $2.5 million "white-hat bounty" to return users’ assets and avoid prosecution. Ultimately, Crema Finance agreed to pay about $1.68 million as a settlement.
The DOJ document further states that Nirvana Finance was only identified after the hacker was apprehended and voluntarily disclosed the attack. Evidence leading to Shakeeb Ahmed’s conviction included browser history retrieved from his personal computer linking him to the incidents. The report also details various methods he used post-attack to obscure the funds, including mixers, Tornado Cash, and Monero. This raises an interesting question: What exactly did Shakeeb Ahmed do that ultimately led to his arrest?
There are likely two answers. First, according to an analysis by SolanaFM at the time of the attack, the attacker interacted either directly with Huobi exchange addresses or with nested addresses linked to Huobi—since the initial capital for the attack originated from there. Second, a critical mistake involved his use of Tornado Cash. The effectiveness of Tornado Cash in obscuring fund trails depends on how long funds remain deposited and how much activity occurs on the pool during that time. Longer durations with more withdrawal transactions increase anonymity. However, shortly after depositing the stolen funds into Tornado Cash, a withdrawal transaction occurred quickly, and the withdrawn funds eventually flowed into the centralized exchange Gemini. This suggests law enforcement likely collaborated with these centralized platforms—Huobi and Gemini—to trace and ultimately apprehend Shakeeb Ahmed in New York.
In any case, recovering the stolen funds is good news. More importantly, this case highlights two key takeaways: first, for DApp developers, fund security must be a top priority. Second, this sets a legal precedent, providing a reference framework for future cases and serving as a deterrent against similar malicious acts.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














