The troubled cryptocurrency exchange was hacked on November 12, just hours after declaring Chapter 11 voluntary bankruptcy. FTX CEO John J. Ray III stated in a court document dated November 17 that an unidentified party had transferred at least $372 million from FTX to an external wallet.
On FTX’s official Telegram channel, an admin going by the name Rey posted, “All funds seem to be gone.”
In reaction to the hack, funds started leaving FTX through a second wallet that was linked to a know-your-customer (KYC) verified account on the crypto exchange Kraken.
Sam Bankman-Fried, the former CEO of FTX, was operating this wallet and transferring funds at the regulator’s request to “protect the interests of clients and creditors,” according to a later filing from the Securities Commission of The Bahamas. This stopped the first hacker from stealing an estimated $200 million worth of funds.
FTX exploiter technique
The first wallet, believed to belong to a so-called “black hat” hacker acting maliciously, began converting the stolen assets into Ethereum, MakerDAO’s DAI stablecoin, and BNB Chain’s native token while simultaneously moving funds across a number of cross-chain token bridges. The attacker most likely did this to avoid having the illicit proceeds frozen.
Though not widely known, stablecoins such as USDC and USDT include built-in freeze and blacklist mechanisms that let their issuers halt transactions from flagged addresses and seize the funds.
Because speed was of the essence, the hacker lost thousands of dollars to slippage from rapidly swapping large quantities of tokens. This detail alone suggests that the wallet is probably not under the control of the Bahamian authorities, who would seek to preserve assets for FTX’s creditors. Only a bad actor would deliberately take losses on trades in order to avoid having assets seized.
The hacker also sent 3,168 BNB to an account linked to Laslobit, a small Russian crypto exchange, before sending the money on to the Huobi exchange. As for the remaining funds, on November 20, after a few idle days, the hacker began exchanging ETH for wrapped renBTC and moving it across the Ren bridge to the Bitcoin network.
The hacker will probably next use a Bitcoin mixing service to break the funds’ chain of custody. The hacker also began selling ETH, which contributed to a decline in the price of the second-largest cryptocurrency. On November 21, they began moving additional ETH in batches of 15,000 tokens, raising concerns that they might be preparing to sell another portion of the stash.
New twist on FTX hacker
It was originally reported, based on a November 17 court filing, that Bankman-Fried, acting on behalf of the Bahamian government, was the original FTX hacker. However, more extensive on-chain data and hints in court documents from John J. Ray III and Bahamian officials have called this theory into question.
It now appears that the second address was actually moving funds out of FTX to safeguard the exchange’s remaining assets. Notably, the two wallets behave in markedly different ways: the second wallet simply moved tokens to a multi-signature wallet, whereas the first wallet began to trade, bridge, and launder assets.
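As an added example (not from the article and not investigator or exchange tooling), the following Python heuristic scores constructed transfer records for the two behaviours contrasted above: swapping out of issuer-freezable stablecoins and hopping across bridges, versus moving everything to a known multi-signature wallet. All addresses, contract labels and transactions are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed labels; none of these are real FTX-related addresses.
FREEZABLE = {"USDC", "USDT"}              # issuer can blacklist/freeze holders
BRIDGE_CONTRACTS = {"ren_bridge", "bnb_bridge"}
KNOWN_MULTISIGS = {"0xMULTISIG"}

@dataclass(frozen=True)
class Tx:
    wallet: str
    kind: str        # "swap" or "transfer"
    asset_in: str    # asset leaving the wallet
    asset_out: str   # asset received (same as asset_in for a plain transfer)
    to: str          # destination address or contract label

def wallet_features(txs):
    """Aggregate per-wallet signals tied to the freeze-evasion pattern."""
    feats = defaultdict(lambda: {"swaps_out_of_freezable": 0, "bridge_hops": 0,
                                 "transfers": 0, "to_multisig": 0})
    for tx in txs:
        f = feats[tx.wallet]
        if tx.kind == "swap" and tx.asset_in in FREEZABLE and tx.asset_out not in FREEZABLE:
            f["swaps_out_of_freezable"] += 1      # leaving issuer-controlled assets
        elif tx.kind == "transfer":
            f["transfers"] += 1
            if tx.to in BRIDGE_CONTRACTS:
                f["bridge_hops"] += 1             # cross-chain hop
            elif tx.to in KNOWN_MULTISIGS:
                f["to_multisig"] += 1             # custodial-style destination
    return dict(feats)

def classify(txs):
    """Label each wallet: laundering pattern, custodial move, or inconclusive."""
    labels = {}
    for wallet, f in wallet_features(txs).items():
        if f["swaps_out_of_freezable"] and f["bridge_hops"]:
            labels[wallet] = "freeze-evasion / laundering pattern"
        elif f["transfers"] and f["to_multisig"] == f["transfers"]:
            labels[wallet] = "custodial move to multisig"
        else:
            labels[wallet] = "inconclusive"
    return labels

SAMPLE = [  # constructed sample data
    Tx("0xA", "swap", "USDT", "ETH", "dex"),
    Tx("0xA", "swap", "USDC", "DAI", "dex"),
    Tx("0xA", "transfer", "ETH", "ETH", "ren_bridge"),
    Tx("0xB", "transfer", "USDC", "USDC", "0xMULTISIG"),
    Tx("0xB", "transfer", "ETH", "ETH", "0xMULTISIG"),
    Tx("0xC", "transfer", "ETH", "ETH", "0xSOME_EOA"),
]

if __name__ == "__main__":
    for wallet, label in classify(SAMPLE).items():
        print(wallet, label)
```

The heuristic only triages; a single bridge hop or stablecoin swap is not proof of anything, so flagged wallets need manual review against the exchange's own records.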
It is still unclear exactly how FTX was hacked. Based on the timing of the attack, immediately after the company’s bankruptcy, some have hypothesized that the hacker may have been a disgruntled former employee with access to FTX’s accounts.
However, it is also possible that someone unrelated to FTX exploited the turmoil at the firm to launch an attack, for example by luring staff, confused by the bankruptcy, into opening malware-laced emails. This method has been used in previous high-profile hacks attributed to the North Korean state-sponsored Lazarus Group.
More details on how the exchange was hacked and who is to blame will probably surface as the bankruptcy case for FTX develops.