Key learning points
- FTX was hacked on November 12 following the exchange’s bankruptcy filing.
- The Securities Commission of the Bahamas has claimed responsibility for the attack and said it ordered the money to be transferred to an outside wallet.
- On-chain data suggests that most of the haul was taken by a malicious actor rather than a government agency.
The address that transferred about $372 million from FTX is likely from a black hat hacker.
Who Hacked FTX?
A debate is raging over who hacked FTX.
The embattled crypto exchange was hacked on Nov. 12, hours after it voluntarily filed for Chapter 11 bankruptcy. According to a court filing from FTX CEO John J. Ray III, an unknown entity transferred at least $372 million from FTX to an outside wallet. “FTX has been hacked. All funds seem to have run out,” wrote an admin who went by Rey on FTX’s official Telegram channel.
In response to the hack, a second wallet with connections to a know-your-customer verified account on the crypto exchange Kraken began transferring funds from FTX. A subsequent filing from the Securities Commission of the Bahamas indicates that former FTX CEO Sam Bankman-Fried operated this wallet and transferred funds under the direction of the regulator to “protect the interests of customers and creditors.” This prevented the first hacker from collecting an estimated $200 million in cash.
However, while this was taking place, the first wallet, believed to belong to a so-called “black hat” hacker operating with malicious intent, began converting the stolen assets into Ethereum, MakerDAO’s DAI stablecoin and BNB Chain’s native token, while also routing funds through a variety of cross-chain token bridges. The attacker probably did this to prevent the ill-gotten gains from being frozen. It is a lesser-known fact that stablecoins like USDC and USDT have freeze and blacklist features built into their contracts, allowing their respective issuers to halt transactions from a listed address and manually seize its funds.
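To make the freeze and blacklist mechanism concrete, the following added example (not code from the article, nor from any real stablecoin contract) models a minimal ledger in the style of issuer-controlled stablecoins next to a permissionless asset with no such hook. The addresses, balances and the issuer’s reaction are constructed for illustration; the point it shows is that an issuer can stop and recover a blacklisted balance in the first asset but has no lever over the second.

```python
# Added example: toy ledger with an issuer-only blacklist (USDC/USDT-style)
# beside a permissionless ledger (DAI/ETH-like). All addresses and amounts are
# constructed; this is not the code of any real token contract.


class PermissionlessToken:
    """Minimal ERC-20-like ledger with no freeze capability."""

    def __init__(self):
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class FreezableToken(PermissionlessToken):
    """Same ledger plus an issuer-only blacklist: any transfer touching a listed
    address reverts, and the issuer can pull a listed balance."""

    def __init__(self, issuer):
        super().__init__()
        self.issuer = issuer
        self.blacklist = set()

    def freeze(self, caller, addr):
        if caller != self.issuer:
            raise PermissionError("only the issuer may blacklist an address")
        self.blacklist.add(addr)

    def transfer(self, sender, to, amount):
        # The blacklist check runs before the balance logic, mirroring the
        # modifier-style guard issuer-controlled stablecoins place on transfer().
        if sender in self.blacklist or to in self.blacklist:
            raise RuntimeError("transfer reverted: blacklisted address")
        super().transfer(sender, to, amount)

    def seize(self, caller, addr):
        if caller != self.issuer or addr not in self.blacklist:
            raise PermissionError("seizure requires the issuer and a frozen address")
        amount = self.balances.pop(addr, 0)
        self.balances[self.issuer] = self.balances.get(self.issuer, 0) + amount
        return amount


def run_scenario():
    """Park the same stolen balance in each asset; report what the issuer can do."""
    issuer, thief, cashout = "0xISSUER", "0xTHIEF", "0xCASHOUT"  # constructed labels
    usd_stable = FreezableToken(issuer)
    usd_stable.mint(thief, 1_000_000)
    free_asset = PermissionlessToken()
    free_asset.mint(thief, 1_000_000)

    usd_stable.freeze(issuer, thief)  # issuer acts on the theft report
    try:
        usd_stable.transfer(thief, cashout, 1_000_000)
        stable_moved = True
    except RuntimeError:
        stable_moved = False
    recovered = usd_stable.seize(issuer, thief)

    free_asset.transfer(thief, cashout, 1_000_000)  # no hook exists to stop this
    return {
        "stablecoin_transfer_succeeded": stable_moved,
        "stablecoin_recovered_by_issuer": recovered,
        "permissionless_balance_at_cashout": free_asset.balances[cashout],
    }


if __name__ == "__main__":
    print(run_scenario())
```

From an investigator’s side, this is why a freeze request to the issuer is only useful while the funds still sit in the issuer’s asset: once converted to ETH, DAI or a bridged token, there is no contract-level hook left to invoke.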
With time of the essence, the hacker incurred a significant amount of slippage by exchanging massive amounts of tokens in rapid succession, losing thousands of dollars. This fact alone indicates that this wallet is likely not controlled by the Bahamian government or regulators, as they would want to preserve assets for the sake of FTX’s creditors. Only a malicious actor would deliberately accept that much slippage on trades to avoid having the assets seized.
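The slippage argument rests on how on-chain liquidity pools price a large sale. The added example below (not from the article; the pool depth, trade sizes and fee are constructed, and the formula is the constant-product rule used by Uniswap v2-style pools) quantifies the shortfall a wallet takes when it sells a large position against a pool in one go or in quick succession, which is the on-chain signal the article treats as inconsistent with an asset-preserving custodian.

```python
# Added example: constant-product AMM (x*y=k, Uniswap v2 getAmountOut formula)
# used to measure how much a hurried seller gives up versus the spot price.
# Reserves, swap sizes and the fee below are constructed for illustration.
from fractions import Fraction

FEE_BPS = 30  # 0.30% pool fee, the Uniswap v2 default

# Constructed pool: 10,000 ETH against 12,000,000 DAI, i.e. a spot price of 1200.
RESERVE_ETH = 10_000
RESERVE_DAI = 12_000_000


def get_amount_out(amount_in, reserve_in, reserve_out, fee_bps=FEE_BPS):
    """Integer output of a constant-product swap after the pool fee."""
    amount_in_with_fee = amount_in * (10_000 - fee_bps)
    numerator = amount_in_with_fee * reserve_out
    denominator = reserve_in * 10_000 + amount_in_with_fee
    return numerator // denominator


def price_impact_bps(amount_in, reserve_in, reserve_out):
    """Basis points by which the realised price falls short of the spot price
    (fee included, since the seller pays it either way)."""
    spot = Fraction(reserve_out, reserve_in)
    realised = Fraction(get_amount_out(amount_in, reserve_in, reserve_out), amount_in)
    return int((spot - realised) / spot * 10_000)


def shortfall_vs_spot(amount_in, reserve_in, reserve_out):
    """Output units forgone relative to selling the whole amount at spot."""
    spot_value = amount_in * reserve_out // reserve_in
    return spot_value - get_amount_out(amount_in, reserve_in, reserve_out)


def dump_shortfall(swaps, reserve_in, reserve_out):
    """Total output forgone versus the pre-dump spot price when a sequence of
    swaps hits the same pool in rapid succession (reserves move after each)."""
    spot_num, spot_den = reserve_out, reserve_in
    received = sold = 0
    for amount in swaps:
        out = get_amount_out(amount, reserve_in, reserve_out)
        received += out
        sold += amount
        reserve_in += amount
        reserve_out -= out
    return sold * spot_num // spot_den - received


def looks_like_asset_preservation(swaps, reserve_in, reserve_out, max_bps=100):
    """Heuristic from the article's reasoning: a custodian protecting creditors
    would not knowingly eat more than a modest price impact on its own sales.
    Plain transfers (no swaps) trivially pass."""
    if not swaps:
        return True
    forgone = dump_shortfall(swaps, reserve_in, reserve_out)
    spot_value = sum(swaps) * reserve_out // reserve_in
    return Fraction(forgone, spot_value) * 10_000 <= max_bps


if __name__ == "__main__":
    for size in (10, 1000):
        print(f"sell {size} ETH: impact {price_impact_bps(size, RESERVE_ETH, RESERVE_DAI)} bps, "
              f"shortfall {shortfall_vs_spot(size, RESERVE_ETH, RESERVE_DAI)} DAI")
    print("two 500 ETH sales back to back:", dump_shortfall([500, 500], RESERVE_ETH, RESERVE_DAI))
    print("custodial wallet (transfers only):", looks_like_asset_preservation([], RESERVE_ETH, RESERVE_DAI))
    print("dumping wallet:", looks_like_asset_preservation([1000], RESERVE_ETH, RESERVE_DAI))
```

Against this pool a 10 ETH sale costs about 40 bps (mostly the fee), while a 1000 ETH sale costs over 900 bps, and splitting it into two back-to-back halves does not recover the difference because the second half sells into a pool the first already moved. The second FTX wallet, which only transferred tokens to a multi-signature wallet, incurs nothing of the sort, which is the contrast the article draws.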
In addition, the hacker also transferred 3,168 BNB to an address connected to a small Russian crypto exchange called Laslobit before sending the funds on to the Huobi exchange. As for the rest of the loot, after being inactive for a few days, the hacker started exchanging ETH for wrapped renBTC and sending it to the Bitcoin network via the Ren bridge on November 20. The hacker will likely use a Bitcoin mixing service to break the chain of traceability to the funds. The hacker also started selling ETH on the market, pushing down the price of the number two crypto. They started moving more ETH in batches of 15,000 tokens on November 21, sparking fears they could be preparing to sell another portion of their stash.
Crypto Briefing previously reported that the first FTX hacker was Bankman-Fried operating under the direction of the Bahamian government, according to a Nov. 17 lawsuit. However, this theory has been questioned in light of more substantial on-chain evidence and clues in court documents from both John J. Ray III and Bahamian regulators.
It now appears that Bankman-Fried was in fact behind the second address, which transferred funds from FTX to protect the exchange’s remaining assets. It is worth noting that the behavior of these two wallets is strikingly different. While the first wallet swapped, bridged and started laundering assets, the second simply transferred tokens to a multi-signature wallet.
Details of how FTX was hacked are still unclear. Judging by the timing of the hack immediately after the company’s bankruptcy, some have speculated that the hacker could have been a disgruntled former employee who accessed FTX’s accounts. However, it is just as likely that someone disconnected from FTX could have exploited the disruption in the company to attack, possibly gaining access by tricking employees into opening malware-ridden emails during the bankruptcy confusion. Previous high-profile hacks attributed to North Korean state-sponsored hacker Lazarus Group have used this technique. It is likely that as FTX’s bankruptcy case progresses, more information will come to light about how the exchange was hacked and who is responsible.
Disclosure: At the time of writing this piece, the author owned ETH, BTC, and several other crypto assets.