As Sam Bankman-Fried, disgraced founder of crypto exchange FTX, sits in a jail cell in Brooklyn’s notorious Metropolitan Detention Center awaiting the start of his trial on Tuesday for seven counts of fraud and conspiracy, funds that were stolen from FTX in a hack hours after the firm filed for Chapter 11 bankruptcy last November have moved for the first time in more than 9 months.

Not only was the FTX collapse already one of the most stunning debacles in the long history of financial disasters, the siphoning of $600 million in funds from the company’s crypto wallets added insult to injury and led to speculation that company insiders were absconding with funds. Self-described “rug pull survivor” turned crypto sleuth ZachXBT tweeted Ethereum, Solana and Binance chain addresses involved, noting, “Multiple former FTX employees confirmed to me they do not recognize these transfers.”
While FTX’s then general counsel Ryne Miller acknowledged the hack and warned customers not to attempt to use FTX sites, only after the exploit did they start moving assets out of company wallets and into cold storage. “Following the Chapter 11 bankruptcy filings – FTX US and FTX [dot] com initiated precautionary steps to move all digital assets to cold storage,” Miller said. “Process was expedited this evening – to mitigate damage upon observing unauthorized transactions.”
Fast forward through 10 months of post-collapse FTX drama, including not only Bankman-Fried’s inability to refrain from speaking to the press but also his passing on to the New York Times private documents belonging to Alameda Research’s CEO (his former girlfriend), who pleaded guilty only weeks after the bankruptcy and is now a cooperating witness for the prosecution, along with FTX’s co-founder and head of engineering.
Now the hacker who stole the crypto from FTX wallets has started moving the funds for the first time since last December. On Saturday, blockchain analytics service Spot On Chain and others following the hacker addresses noted that one of those addresses had moved 2,500 ETH ($4.2 million at the time) to two new addresses.
The next day Spot On Chain reported that a total of 22,500 ETH had moved from exploiter addresses in 24 hours. They show 12,250 ETH moving from two addresses (0x3e9 and 0x7F3) to Thorchain, a decentralized protocol that allows users to add or swap liquidity across chains. Rather than “wrapping” assets (which involves sending a cryptoasset, such as Bitcoin, to a custodian who holds it and creates a version of it on another chain, as BitGo does by minting WBTC tokens on Ethereum), Thorchain uses an automated market maker mechanism in which liquidity providers deposit tokens and Thorchain’s RUNE token is paired with two tokens in succession to execute a user’s desired swap from one to the other.
Spot On Chain also shows 7,750 ETH transferred to Railgun, a smart contract system that enables zero-knowledge privacy for any on-chain applications. Railgun’s site explains that “All transferring, swapping, lending, borrowing, and interactions with dApps increases the variations of interactions in RAILGUN and decreases the chances that withdrawals can be linked to deposits.”
An additional 2,500 ETH has been swapped by the hacker for 153 tBTC (and subsequently redeemed for Bitcoin) using MetaMask’s in-wallet swap functionality, which compares prices on various decentralized exchanges and provides the best price (for a 0.875% fee). tBTC is similar to wrapped Bitcoin, but rather than sending one’s BTC to custody firm BitGo, nodes running a protocol created by Threshold Network mint the ERC-20 token via a decentralized process using threshold cryptography. But all these transfers involve just a fraction of the hacked funds, as the FTX exploiter entity still holds 163,246 ETH ($280 million) across 14 addresses, according to Spot On Chain.

Examining the addresses used and their complete history, one can see not only the activity of the hacker moving funds but also anyone else who interacted with those addresses. This being the wacky world of crypto, perhaps it’s not surprising to see that from the day ETH was first transferred into the 0x3e9 address on November 21, 2022 until the ETH started moving out on September 30, 2023, there were 18 additional transfers to the address, ranging from 1 wei to 0.0004 ETH ($0.64), from addresses with ENS names like umbrellauni.eth, couldyoupleasesendmesome.eth and hacker-dont-give-up.eth. And yes, the hacker kept those tips when transferring the ETH out, leaving only 0.00005 ETH of dust remaining.
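The kind of bookkeeping an analyst does over an address’s full history, as described in the paragraphs above (outflows grouped by where they went, and the inbound “tips” that sit below a dust threshold), as an added illustration that is not code from the article or from Spot On Chain. The addresses and transfer records are constructed placeholders, not the real exploiter or protocol addresses; amounts are kept as integer wei so that 1-wei tips are never lost to float rounding.

```python
from collections import defaultdict
from dataclasses import dataclass

WEI_PER_ETH = 10**18
DUST_CEILING_WEI = 10**15  # 0.001 ETH: inbound amounts below this are treated as tips/dust (assumed threshold)


@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    recipient: str
    wei: int  # amount in integer wei, never float ETH


# Constructed sample data: placeholder addresses, amounts mirroring the flows the article reports.
EXPLOITER = {"0xEXPLOIT_A", "0xEXPLOIT_B"}
DESTINATIONS = {
    "0xTHORCHAIN_ROUTER": "cross-chain swap (Thorchain)",
    "0xRAILGUN_RELAY": "privacy pool (Railgun)",
    "0xMETAMASK_SWAP": "DEX aggregator swap (MetaMask)",
}
SAMPLE = [
    Transfer(1, "0xTIPPER_1", "0xEXPLOIT_A", 1),                   # 1 wei "tip" from an onlooker
    Transfer(2, "0xTIPPER_2", "0xEXPLOIT_A", 4 * 10**14),          # 0.0004 ETH tip
    Transfer(3, "0xEXPLOIT_A", "0xTHORCHAIN_ROUTER", 12_250 * WEI_PER_ETH),
    Transfer(4, "0xEXPLOIT_B", "0xRAILGUN_RELAY", 7_750 * WEI_PER_ETH),
    Transfer(5, "0xEXPLOIT_A", "0xMETAMASK_SWAP", 2_500 * WEI_PER_ETH),
    Transfer(6, "0xEXPLOIT_A", "0xNEW_ADDR", 2_500 * WEI_PER_ETH),  # fresh, unlabelled address
]


def outflow_by_destination(transfers, watched, labels):
    """Total wei leaving the watched set, grouped by the label of the receiving address."""
    totals = defaultdict(int)
    for t in transfers:
        if t.sender in watched:
            totals[labels.get(t.recipient, "unlabelled address")] += t.wei
    return dict(totals)


def dust_tips(transfers, watched, ceiling=DUST_CEILING_WEI):
    """Inbound transfers to watched addresses from outsiders that fall below the dust ceiling."""
    return [t for t in transfers if t.recipient in watched and t.sender not in watched and t.wei < ceiling]


def eth(wei):
    """Render a wei amount as an exact decimal ETH string (no float arithmetic)."""
    whole, frac = divmod(wei, WEI_PER_ETH)
    return f"{whole}.{frac:018d}".rstrip("0").rstrip(".")


if __name__ == "__main__":
    for label, total in outflow_by_destination(SAMPLE, EXPLOITER, DESTINATIONS).items():
        print(f"{eth(total):>10} ETH -> {label}")
    for t in dust_tips(SAMPLE, EXPLOITER):
        print(f"tip of {eth(t.wei)} ETH from {t.sender} in block {t.block}")
```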
So has all this on-chain sleuthing gotten us any closer to identifying the hacker? Bloomberg cited anonymous sources in reporting last December that the Justice Department was investigating the hack, so presumably they are following the recent activity closely. One also wonders whether Bankman-Fried’s trial will elicit any relevant information, particularly considering that he told YouTuber Tiffany Fong in a November 29 interview that he had, “narrowed it down to like eight people. I don’t know which one it was. I have a pretty decent sense. Either it was an ex-employee or someone installed malware on an ex-employee’s computer. I don’t know for sure which one it is because access is totally shut down right now, because it would be dangerous to allow people to query data.”
Let’s hope that the ease of querying data on blockchains ultimately proves dangerous to criminals of various stripes.