Key Takeaways
- FTX was hacked on November 12 after the exchange filed for bankruptcy.
- The Bahamas Securities Commission claimed responsibility for the attack and said it had ordered the money transferred to a third-party wallet.
- Data from the chain suggests that most of the loot was seized by a nefarious actor and not a government agency.
The address that transferred approximately $372 million from FTX is likely owned by a black hat hacker.
Who Hacked FTX?
A debate rages over who hacked FTX.
The controversial cryptocurrency exchange was hacked on November 12, hours after it filed for voluntary bankruptcy. According to a November 17 court filing by FTX CEO John J. Ray III, an unknown entity transferred at least $372 million from FTX to a third-party wallet. “FTX has been hacked. All funds seem to be gone,” an administrator of FTX’s official Telegram channel, Rey, wrote at the time.
In response to the hack, a second wallet with connections to a know-your-customer verified account on the crypto exchange Kraken began transferring funds out of FTX. A later document from the Bahamas Securities Commission shows that former FTX CEO Sam Bankman-Fried controlled this wallet and transferred the funds at the regulator’s direction to “protect the interests of customers and creditors.” This prevented the first hacker from taking an estimated $200 million worth of assets.
However, while this was taking place, the first wallet, believed to belong to a so-called “black hat” hacker operating with malicious intent, began converting stolen assets into Ethereum, MakerDAO’s DAI stablecoin, and BNB Chain’s native token, while also sending funds across a variety of cross-chain token bridges. The attacker likely did this to avoid having their ill-gotten gains frozen. It’s a lesser-known fact that stablecoins like USDC and USDT have freeze and blacklist features built into their contracts, allowing their respective issuers to halt transactions and manually seize funds.
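To illustrate the freeze and blacklist controls mentioned above, here is an added, hypothetical Solidity sketch of a stablecoin whose issuer can freeze an address and burn its balance; it is not the article’s, USDC’s or USDT’s code, and the contract and function names are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal ERC-20-style token showing the issuer freeze/blacklist
// controls the article mentions. Not USDC or USDT code; names and logic are constructed.
contract FreezableStablecoin {
    address public immutable issuer;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public isBlacklisted;

    event Transfer(address indexed from, address indexed to, uint256 value);
    modifier onlyIssuer() {
        require(msg.sender == issuer, "not issuer");
        _;
    }

    // Checked for both parties of a transfer: a frozen address can neither
    // send nor receive, so its tokens stop moving the moment it is listed.
    modifier notBlacklisted(address account) {
        require(!isBlacklisted[account], "account frozen");
        _;
    }

    constructor(uint256 initialSupply) {
        issuer = msg.sender; // the deployer acts as issuer and holds the supply
        balanceOf[msg.sender] = initialSupply;
    }

    function transfer(address to, uint256 amount)
        external notBlacklisted(msg.sender) notBlacklisted(to) returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }

    // Freeze a suspect address, e.g. one receiving funds drained from an exchange.
    function blacklist(address account) external onlyIssuer {
        isBlacklisted[account] = true;
    }

    // Burn a frozen balance (logged as a burn to address(0)) so it can be reissued to a recovery address.
    function seizeFrozenFunds(address account) external onlyIssuer {
        require(isBlacklisted[account], "account not frozen");
        uint256 amount = balanceOf[account];
        balanceOf[account] = 0;
        emit Transfer(account, address(0), amount);
    }
}
```

Once `blacklist` has been called on an address, every `transfer` that touches it reverts, which is why assets lacking such issuer controls are much harder to recover after a theft.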
Since time was of the essence, the hacker accepted significant slippage by swapping large amounts of tokens in rapid succession, losing thousands of dollars in the process. This fact alone indicates that this wallet is likely not controlled by the Bahamian government or regulators, as they would want to preserve assets for the benefit of FTX’s creditors. Only a malicious actor would deliberately take losses on trades to avoid having the assets seized.
Moreover, the hacker also transferred 3,168 BNB to an address connected to a small Russian crypto exchange called Laslobit before sending the money on to the Huobi exchange. As for the rest of the loot, after a few days of inactivity the hacker started exchanging ETH for wrapped renBTC and sending it via the Ren Bridge to the Bitcoin network on November 20. The hacker will likely use a Bitcoin mixing service to break the chain of traceability to the funds. The hacker also started selling ETH on the market, causing the second-largest cryptocurrency to drop in price. They started moving more ETH in batches of 15,000 tokens on November 21, raising fears that they might be preparing to sell off more of their holdings.
Crypto Briefing previously reported that the original FTX hacker was Bankman-Fried operating under the direction of the Bahamian government, according to a Nov. 17 court filing. However, this theory has been called into question in light of more substantial on-chain evidence and evidence in court filings from both John J. Ray III and Bahamian regulators.
It now appears that Bankman-Fried actually controlled the second address to transfer funds out of FTX, and did so to protect the exchange’s remaining assets. It is worth noting that the behavior of these two wallets is strikingly different. While the first wallet swapped, bridged and started laundering assets, the second simply transferred tokens to a multi-signature wallet.
Details about how FTX was hacked are still unclear. Judging from the timing of the hack, immediately following the company’s bankruptcy filing, some have speculated that the hacker could be a disgruntled former employee who had access to FTX’s accounts. However, it’s just as likely that someone unconnected to FTX took advantage of the disruption at the company to attack, possibly gaining access by tricking employees into opening malware-laden emails during the bankruptcy confusion. Previous high-profile hacks attributed to the North Korean state-sponsored Lazarus Group used this technique. It is likely that as FTX’s bankruptcy case progresses, more information will come to light about how the exchange was hacked and who is responsible.
Disclosure: At the time this piece was written, the author owned ETH, BTC, and several other crypto assets.