A hacker who uncovered and breached security weaknesses at crypto exchanges has been sent to prison in the first case involving what’s known as smart contract hacking.

After pleading guilty to computer fraud charges, computer engineer Shakeeb Ahmed was sentenced to three years in jail, followed by three years of supervised release. He was also ordered to forfeit approximately $12.3 million and to pay over $5 million in restitution to the exchanges that he hacked. (All figures in U.S. dollars.)

According to court filings, in July 2022, Ahmed hacked into a crypto exchange and used fake pricing data to generate $9 million in excess fees. He initially withdrew the funds from the platform before agreeing to return about $7.5 million of the stolen funds in exchange for an agreement to not report the crime to law enforcement.

Later that same month, he exploited a vulnerability he discovered in smart contracts on another exchange to buy crypto at below-market values, which he then immediately sold at market rates.

The exchange offered Ahmed $600,000 of the $3.6 million he took in that hack, but he sought US$1.4 million — a deal the exchange refused.

U.S. authorities said the exchange shut down soon after the hack, as the stolen funds represented almost all of its assets.

After the attacks, Ahmed laundered the proceeds of his hacks using techniques including token-swap transactions, offshore crypto exchanges and mixers, and an anonymized cryptocurrency to conceal his fraud, authorities said.

“No matter how novel or sophisticated the hack, this office and our law enforcement partners are committed to following the money and bringing hackers to justice,” said Damian Williams, U.S. attorney for the Southern District of New York, in a release. “And as today’s sentence shows, time in prison — and forfeiture of all the stolen crypto — is the inevitable consequence of such destructive hacks.”