Who Is the FTX Hacker? On-Chain Clues Shed Light on the Situation
- FTX was hacked on November 12 following the exchange’s bankruptcy filing.
- The Securities Commission of The Bahamas claimed responsibility for the attack, saying it ordered the transfer of the funds to an external wallet.
- On-chain data suggests that the bulk of the haul was seized by a nefarious actor rather than a government authority.
Share this article
The address that transferred approximately $372 million from FTX likely belongs to a black hat hacker.
Who Hacked FTX?
Debate is raging over who hacked FTX.
The embattled crypto exchange was hacked on November 12, hours after it filed for Chapter 11 voluntary bankruptcy. According to a November 17 court filing from FTX CEO John J. Ray III, an unknown entity transferred at least $372 million from FTX to an external wallet. “FTX has been hacked. All funds seem to be gone,” an admin going by Rey wrote on FTX’s official Telegram channel.
In response to the hack, a second wallet with connections to a know-your-customer verified account on the crypto exchange Kraken started transferring funds out of FTX. A later filing from the Securities Commission of The Bahamas indicates that former FTX CEO Sam Bankman-Fried was operating this wallet and transferring funds at the regulator’s direction to “protect the interests of clients and creditors.” This prevented an estimated $200 million worth of funds from being taken by the first hacker.
However, while this was taking place, the first wallet, assumed to be a so-called “black hat” hacker operating with malicious intent, started converting stolen assets into Ethereum, MakerDAO’s DAI stablecoin, and BNB Chain’s native token while also sending funds through a variety of cross-chain token bridges. The attacker likely did so to prevent their ill-gotten gains from being frozen. It’s a lesser-known fact that stablecoins such as USDC and USDT have freeze and blacklist functions built into their contracts, allowing their respective issuers to halt transactions and confiscate funds manually.
As time was of the essence, the hacker incurred a sizable amount of slippage from swapping huge amounts of tokens in quick succession, losing thousands of dollars in the process. This fact alone indicates that this wallet is likely not controlled by the Bahamian government or regulators, as they would want to preserve assets for the sake of FTX’s creditors. Only a malicious actor would intentionally incur slippage on trades to prevent assets from being seized.
Additionally, the hacker also transferred 3,168 BNB to an address connected to a small Russian crypto exchange called Laslobit before sending the funds to the Huobi exchange. As for the rest of the loot, after staying dormant for a few days, the hacker started swapping ETH for wrapped renBTC and sending it through the Ren bridge to the Bitcoin network on November 20. The hacker will likely use a Bitcoin mixing service next to break the chain of traceability to the funds. The hacker also began selling ETH on the market, causing the number two crypto to drop in price. They started moving more ETH in batches of 15,000 tokens on November 21, sparking fears that they could be preparing to sell another portion of their stash.
Crypto Briefing previously reported that the initial FTX hacker was Bankman-Fried operating under the direction of the Bahamian government, per a November 17 court filing. However, this theory has been cast into doubt in light of more substantial on-chain evidence and clues included in court filings from both John J. Ray III and Bahamian regulators.
It now appears that it was actually the second address transferring funds out of FTX that was doing so to protect the exchange’s remaining assets. It’s worth noting that the behavior of these two wallets is strikingly different. While the first wallet has swapped, bridged, and started to launder assets, the second has simply transferred tokens to a multi-signature wallet.
Details surrounding how FTX was hacked are still unclear. Judging by the timing of the hack immediately following the firm’s bankruptcy, some have speculated the hacker could be a disgruntled former employee who had access to FTX’s accounts. However, it’s just as likely that someone unconnected to FTX could have taken advantage of the disruption in the company to attack, potentially gaining access through tricking employees into opening malware-ridden emails during the bankruptcy confusion. Previous high-profile hacks attributed to North Korean state-sponsored hacker Lazarus Group have used this technique. It’s likely that as FTX’s bankruptcy case progresses, more information will come to light regarding how the exchange was hacked and who is responsible.
Disclosure: At the time of writing this piece, the author owned ETH, BTC, and several other crypto assets.