Jul 11, 2023 - Economy & Business

Another cybercriminal's deal with DeFi victims falls through

US Attorney Damian Williams

(Photo: Barry Williams/Getty Images)

Another alleged cybercriminal on the Solana blockchain has gotten busted by federal authorities, despite cutting a deal with his victims not to press charges.

Why it matters: If thieves think that all it takes to avoid the cops is extorting a deal out of their victims, there will be a lot more theft.

Driving the news: On Tuesday, prosecutors in the Southern District of New York announced charges against Shakeeb Ahmed for allegedly executing a flash loan attack against a decentralized exchange on the Solana blockchain in July 2022.

What they're saying: “Financial crime strikes at the core of our national and economic banking security. With an attack of this magnitude, it’s crucial we ensure continued consumer confidence in our financial system,” Homeland Security agent Chad Plantz said in a statement.

Catch up fast: The indictment does not name the exchange, but it gives several clues that make it obvious the exchange in question is Crema Finance, which had lost $9 million in an exploit last year.

  • In fact, the indictment cites this story (while redacting the exchange's name) about how the attacker returned about a fifth of the stolen funds in exchange for a deal.
  • In other words, the attacker extorted a large payment out of the project by holding a much larger sum for ransom until its operators agreed.

How it works: The attacker was able to trick the exchange into believing that he had deposited very large amounts of money on the exchange.

  • Then the thief executed some large trades, which earned him outsized liquidity provider fees, because of weaknesses in Crema's smart contracts.
  • These large trades were funded using the flash loan feature on Solend, the leading money market on Solana.
  • All of this worked because Crema is an exchange that runs on autonomous code, without people in the loop. As long as provisions of the code aren't violated, everything works.

A vulnerability was found in that code.

Be smart: Flash loans are uncollateralized loans that only last for an instant (in blockchain time). They are used to exploit temporary opportunities for profit on-chain, with very little risk to the borrower or lender.

  • Flash loans are, however, a favorite tool of cybercriminals in leveraging exploits in decentralized finance.

Zoom out: Another exchange on Solana, Mango Markets, got hit with an exploit last year, and in that case the attacker also negotiated a deal not to press charges.

  • That attacker, Avraham Eisenberg (who admitted to it publicly before being arrested), is currently in custody.

The intrigue: After stealing the funds from Crema, the thief allegedly went to great effort to trade away any trace of his assets associated with the crime.

  • The indictment provides a chilling array of details about his online activities following the exploit.

Quick take: Cutting a deal with a cybercrime victim makes very little sense. It wouldn't work if someone mugged someone else in broad daylight, then asked them not to press charges if they returned their ID and phone, but kept all the cash.

  • Blockchains are no different, and they keep a permanent record.