FTX Hacker: Who? On-chain clues provide context

FTX Hacker: Who? On-chain clues provide context

Who was the Hacker of FTX?
There is a heated discussion going on over who hacked FTX.

The troubled cryptocurrency exchange was breached on November 12, only a few hours after it voluntarily filed for Chapter 11 bankruptcy protection. An unidentified party reportedly moved at least $372 million in FTX cryptocurrency to an external wallet on November 17, according to a court declaration that was submitted by FTX CEO John J. Ray III. "There has been an attack on FTX. It appears that none of the money are available," an administrator who goes by the name Rey posted on the official Telegram channel for FTX.

As a direct response to the attack, a second wallet that had ties to a know-your-customer verified account on the cryptocurrency exchange Kraken began moving cash out of FTX. According to a subsequent filing made by the Securities Commission of The Bahamas, former FTX CEO Sam Bankman-Fried was managing this wallet and moving cash at the instruction of the regulator in order to "protect the interests of clients and creditors." Because of this, the first hacker was unable to steal an estimated two hundred million dollars' worth of cash.


However, while this was going on, the first wallet, which was thought to be a hacker operating under the guise of a so-called "black hat," began converting stolen assets into Ethereum, MakerDAO's DAI stablecoin, and BNB Chain's native token. It also began sending funds through a variety of cross-chain token bridges. This led to the assumption that the hacker was acting maliciously. It is quite likely that the attacker did this in order to avoid their illegal earnings from being frozen. Stablecoins like USDC and USDT have capabilities incorporated into their contracts that allow their respective issuers to manually block transactions and seize funds. This is a fact that is not well recognized, but stablecoins like USDC and USDT contain these functions.

Because speed was of the importance, the hacker lost a significant amount of money as a result of the slippage that occurred when exchanging large quantities of tokens in rapid succession. This resulted in a loss of several thousand dollars. On the basis of this information alone, we may deduce that the Bahamian government or its authorities do not control this wallet. If they did, they would wish to keep funds safe for the sake of FTX's creditors. Slippage on trades is something that would only be purposely caused by a malevolent person in order to avoid assets from being confiscated.

Before transferring the cash to the Huobi exchange, the hacker made an additional transfer of 3,168 BNB to an address that was related to a Laslobit, a very minor cryptocurrency exchange located in Russia. On November 20, after being inactive for a few days, the hacker began exchanging ETH for wrapped renBTC and transferring it to the Bitcoin network over the Ren bridge. This was done in order to access the remaining portion of the stolen wealth. It is quite likely that the hacker will employ a Bitcoin mixing service as the following step in their plan to break the chain of traceability to the monies. The hacker also started selling ETH on the market, which caused the price of the second most valuable cryptocurrency to go down. On November 21, they started transferring additional Ethereum in batches of 15,000 tokens, which sparked suspicions that they could be getting ready to sell another chunk of their hoard of cryptocurrency.

According to a court document on November 17, Crypto Briefing previously alleged that Bankman-Fried was the first FTX hacker and that he was acting under the instructions of the government of the Bahamas. However, in light of increasingly extensive on-chain evidence and hints that were disclosed in court documents from both John J. Ray III and Bahamian officials, this notion has been called into question.


It now looks that the second address that transferred cash out of FTX was really doing so to safeguard the exchange's remaining assets. The reason for this is unclear at this time. It is important to point out that the operation of these two wallets is very distinct from one another. While the first wallet has engaged in asset swapping and bridging, as well as the beginning stages of asset laundering, the second wallet has only moved tokens to a wallet that supports multiple signatures.

There is still a lack of clarity on the specifics of how the FTX system was compromised. Based on the fact that the breach occurred soon after the company filed for bankruptcy, some people have hypothesized that the perpetrator of the crime was a disgruntled former employee of FTX who had access to the company's accounts. However, it is also possible that someone who is not affiliated with FTX took advantage of the disturbance in the firm in order to launch an attack, maybe acquiring access by luring staff into accepting emails containing malware when the company was in the midst of the bankruptcy crisis. Earlier high-profile breaches that have been connected to the North Korean state-sponsored hacking group Lazarus Group have utilized this method. It is quite possible that as the bankruptcy action against FTX continues to move forward, further evidence will become public revealing how the exchange was hacked and who is to blame for the attack.


Ojike Stella

1727 Blog posts

Comments
Alphonsus Odumu 2 d

FTX hacker