Hours after FTX declared bankruptcy, about $600 million in various crypto tokens was moved without authorisation from the exchange’s accounts, the majority of which was confirmed to have been stolen by an unknown actor. While the exploit remains a mystery, reports and on-chain information tend to suggest that the perpetrator could be someone close to the exchange – possibly, Sam Bankman-Fried (SBF).
Who is behind the FTX accounts drainer wallet?
In an emergency motion filed on November 17th, FTX attorneys accused Sam Bankman-Fried and FTX co-founder Gary Wang of moving funds from the bankrupt exchange without authorization, under the directive of the Bahamian regulator. The attorneys claimed to have evidence that the Bahamian regulators directed the “unauthorized access to the Debtors’ systems for the purpose of obtaining digital assets of the Debtors.”
The Securities Commission of The Bahamas did confirm that it ordered the movement of some digital assets controlled by the local subsidiary of the FTX exchange, FTX Digital Markets (FDM), to a separate address that the commission controls. This happened on November 12th, a day after FTX’s bankruptcy declaration, but the commission explained that it had taken that emergency action for the safekeeping of the assets and to protect the interests of all FDM clients and creditors.
While it’s uncertain whether the funds moved by SBF and the Bahamian regulator are part of the larger $600 million stolen from FTX, on-chain information suggests they probably are not, given the sophisticated means by which the stolen cryptocurrencies are being moved across blockchains. But what remains apparent is that the FTX exploit could be an “insider job.”
Lookonchain detected coordination in the trading pattern between FTX’s hacker address, currently flagged as “FTX Accounts Drainer” on Etherscan, and one other Ethereum address “0xd275,” which was involved in misappropriating user funds, as confirmed by a former Senior Engineer at FTX, Vydamo.
Two days before FTX suspended withdrawals, 0xd275 started conducting large-scale ETH transfers on-chain, which, according to Lookonchain, had never occurred since the creation of the address. “The time coincides with the time when the FTX exchange suspended user withdrawals,” the on-chain research platform said.
What is most striking is the correlation between the addresses. 0xd275 would transfer funds to exchanges – probably to short ETH – some minutes before FTX Accounts Drainer dumped ETH.
The transaction time of 0xd275 is very consistent with FTX Accounts Drainer; it seems that the same person is operating. When 0xd275 stops trading, FTX Accounts Drainer starts trading; and when FTX Accounts Drainer stops trading, 0xd275 resumes trading.
Lookonchain
This coincidence suggests that the hacker, or someone knowledgeable about the activities of the FTX Accounts Drainer, could also be in control of 0xd275, which has already been vouched for as belonging to someone close to FTX. As such, it’s plausible that someone from FTX – it could be SBF – might have drained funds from the exchange.
FTX hacker is trying to launder funds
FTX was drained on both the Ethereum and Binance networks. In multiple transactions, all the stolen cryptocurrencies were swapped through decentralized protocols into Ether (ETH) held in the main Ethereum wallet. After several conversions and asset bridges, the address accumulated about 288k ETH, making the hacker the 35th largest Ethereum holder at the time.
But in recent days, the hacker has begun bridging the stolen Ether again, this time to the Bitcoin blockchain, in what is believed to be a laundering attempt. Specifically, on November 20th, the FTX Accounts Drainer moved 50k ETH to a new address, 0x866E, where it was later swapped for renBTC and bridged to Bitcoin.
One of the BTC addresses – “Bc1qv…gpedg” – that received bridged Bitcoin from the FTX hacker started a peel chain shortly after receiving the funds. According to CertiK, a peel chain “is a money laundering technique whereby BTC is sent through a series of transactions in which smaller amounts of BTC are transferred to a new address.”
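The peel-chain pattern CertiK describes is something an analyst can check for mechanically: starting from a seed address, follow transactions that peel off a small amount while passing the bulk to a fresh address. The script below is an added illustration, not code from the article, CertiK or Lookonchain; the transactions, addresses and txids in it are constructed placeholders, and the 10% peel threshold is an assumed tuning value.

```python
# Peel-chain detection heuristic over constructed transaction data (added example).
from dataclasses import dataclass

@dataclass
class Tx:
    txid: str
    inputs: list    # addresses spent by this transaction
    outputs: list   # list of (address, amount_btc)

# Constructed sample: three peel hops from "seed", then an ordinary multi-output tx.
SAMPLE_TXS = [
    Tx("tx1", ["seed"], [("peel1", 0.5), ("hop1", 99.0)]),
    Tx("tx2", ["hop1"], [("peel2", 0.8), ("hop2", 98.0)]),
    Tx("tx3", ["hop2"], [("hop3", 97.0), ("peel3", 0.9)]),
    Tx("tx4", ["hop3"], [("a", 30.0), ("b", 30.0), ("c", 37.0)]),  # breaks the chain
]

def follow_peel_chain(txs, seed, peel_ratio=0.1):
    """Return the hops (txid, peel_addr, peel_amount, next_addr) of a peel chain
    starting at `seed`.  A hop is the single tx spending from the current address
    that has exactly two outputs, whose smaller output is at most `peel_ratio` of
    the total, and whose larger output lands on an address not yet seen."""
    by_input = {}
    for tx in txs:
        for addr in tx.inputs:
            by_input.setdefault(addr, []).append(tx)
    seen = {seed}
    current = seed
    hops = []
    while True:
        candidates = by_input.get(current, [])
        if len(candidates) != 1:          # no spend, or funds fan out
            break
        tx = candidates[0]
        if len(tx.outputs) != 2:          # peel hops are two-output transactions
            break
        (small_addr, small), (big_addr, big) = sorted(tx.outputs, key=lambda o: o[1])
        if small > peel_ratio * (small + big) or big_addr in seen:
            break
        hops.append((tx.txid, small_addr, small, big_addr))
        seen.add(big_addr)
        current = big_addr                # continue from the change address
    return hops

if __name__ == "__main__":
    for hop in follow_peel_chain(SAMPLE_TXS, "seed"):
        print(hop)
```

On real chain data the same walk runs over transactions fetched from a node or indexer, and the hop list gives the addresses worth flagging or reporting to an exchange's compliance desk.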
Most recently, on Monday, the hacker transferred 180k ETH to 12 new Ethereum addresses, each of which currently holds 15k ETH. The FTX Accounts Drainer wallet has only 5,735 ETH (or $6.2 million) left. Speculation is that the hacker could be attempting to bridge the coins to the Bitcoin blockchain for another peel chain.
Source: https://www.cryptopolitan.com/is-sbf-the-ftx-funds-drainer/