Elliptic ties Russian hackers to the FTX stolen funds


  • Today, Elliptic has released a detailed report that traces the FTX’s stolen funds, over $470 Million, through North Korean and Russian hackers.
  • The yet-to-be-identified hackers started moving money when the SBF trial began – pointing fingers at FTX employees (as an inside job) or SBF.
  • Hackers pivoted to trading their Ethereum for Bitcoin on a service called THORSwap after both RenBridge and ChipMixer were been shut down.

As if matters couldn’t get any worse, days after the collapse of the crypto exchange FTX, the exchange was hacked for $475 million. Elliptic, a blockchain analytics company, stated that it has now uncovered clues that may reveal who was behind the attack.

Shortly after the breach, $74 million was transferred through RenBridge, a platform owned by FTX’s sibling company, Alameda Research. Tom Robison, Elliptic’s cofounder and chief scientist, states that:

The funds basically didn’t move for nine months, and then a couple of days before the trial starts, they start to move again […] Why did they have to move the funds now? It doesn’t really make sense to start laundering funds at the time when there’s so much attention on the victim of the hack.

Tom Robison

Who hacked FTX?

Accounts associated with FTX and FTX US were drained on November 11, 2022, scant hours after the company filed for bankruptcy. Federal prosecutors charged Bankman-Fried with two counts of wire fraud and five counts of conspiracy to commit various types of fraud last year, weeks after he resigned from his position at FTX. 

Out of the 4,536 bitcoins ($74 million) that RenBridge converted from ether in November, 2,849 BTC were processed using mixers, predominantly the ChipMixer service. These funds then intermingled with assets connected to Russian criminal networks, comprising ransomware culprits and darknet marketplaces, Elliptic said.

Following the shutdown and seizure of ChipMixer by international law enforcement, the attackers migrated to Sinbad as their mixing service.

A Russia-linked actor seems a stronger possibility […] Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges […] This points to the involvement of a broker or other intermediary with a nexus in Russia.


The attackers’ identities remain unknown, but wallet data and analysis of fund movements may cast light on their identities.

Elliptic stated that suspects include rogue FTX employees and the North Korean cyber group Lazarus, which is suspected of exploiting multiple crypto protocols. However, the on-chain data point to Russian organizations, it says.

Hacker moves FTX stolen coins

John J. Ray III, CEO and Chief Restructuring Officer of the FTX Debtors, which manages the FTX bankruptcy proceedings, stated that $323 million in various tokens were stolen from the international exchange and $90 million from the U.S. platform.

Prior to the beginning of Bankman-Fried’s trial, previously unmoved stolen assets began to move, and they have continued to do so since. Over 15,000 Ether valued at nearly $25 million were exchanged for other tokens using the privacy wallet Railgun and THORChain exchange earlier this month.

Using the THORSwap cross-chain exchange, the hacker exchanged approximately 72,500 ETH ($120 million) for Bitcoin. Elliptic noted that even after THORSwap ceased operations on October 6, the hacker was able to transfer funds through THORChain via other venues.

Following the conversion, the bridged bitcoin was sent through Sinbad, an intermediary service with documented ties to the Lazarus Group of North Korea. While the use of Sinbad raises suspicions about the Lazarus Group, Elliptic argued that the laundering strategies used here are less complex and suggested that the laundering technique increases the likelihood of a Russian connection.

The hacker’s identity remains unknown, according to Elliptic. Multiple reports suggest that the theft may have been an internal operation, implicating FTX employees or even pointing the finger at Bankman-Fried.

Yet, concerning the money laundering, Bankman-Fried might have an alibi. Elliptic cited a particular instance on October 4, 2023, when $15 million of the stolen assets were transferred via ThorChain — a time when Bankman-Fried was reportedly in court without internet access.

Two additional crypto data tracing firms, TRM Labs and Chainalysis, have been hired by the new administration at FTX, led by CEO John Ray III. 

If these crypto data tracers are successful, the crypto community may one day solve the enigma of the FTX theft. In the meantime, however, FTX’s many aggrieved creditors will be required to monitor both the Bankman-Fried trial and the Bitcoin blockchain.

Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decision.

Share link:

Florence Muchai

Florence is a crypto enthusiast and writer who loves to travel. As a digital nomad, she explores the transformative power of blockchain technology. Her writing reflects the limitless possibilities for humanity to connect and grow.

Most read

Loading Most Read articles...

Stay on top of crypto news, get daily updates in your inbox

Related News

Subscribe to CryptoPolitan