White Hat v. Black Hat: What Really Happened With the FTX Hack?

One theory posits that the FTX hacker was biding their time to steal billions — until they realized the exchange was insolvent


Source: Shutterstock, modified by Blockworks


Bankruptcy lawyers are battling Bahamian regulators over crypto tied to former billionaire Sam Bankman-Fried’s FTX empire — raising questions about a peculiar half-billion-dollar hack on the exchange last week.

Last weekend, blockchain analytics unit Elliptic reported that $663 million in various cryptocurrencies had been drained from FTX wallets just 24 hours after 134 affiliated entities had filed for Chapter 11 bankruptcy on Nov. 11.

Elliptic at the time attributed $186 million of those outflows to FTX personnel, who’d appeared to be securing compromised funds to avoid further losses. The remaining $447 million in digital assets were said to have been siphoned in “unauthorized transfers,” with $220 million cashed out for ether and stablecoin DAI. Blockchain data shows the attacker interacting with decentralized exchanges such as Uniswap alongside aggregators 1inch and CoW Protocol.

At the time of the attack, FTX representatives in the firm’s Telegram channel characterized the situation as a hack and urged FTX users not to interact with the exchange’s website and apps for fear of malware.

FTX US general counsel Ryne Miller later shared a statement from FTX’s appointed restructurer John J. Ray III, who confirmed that “unauthorized access to certain assets has occurred.”

Fast forward to Thursday, and the Securities Commission of the Bahamas announced via Twitter it had assumed control of assets belonging to FTX Digital Markets, leading onlookers to question whether the commission was the hacker — albeit a “white hat” — all along.

“On [Nov. 12], the Commission, in the exercise of its powers as regulator acting under the authority of an Order made by the Supreme Court of the Bahamas, took the action of directing the transfer of all digital assets of FTX Digital Markets to a digital wallet controlled by the Commission, for safekeeping,” the Commission said.

It went on: “Urgent interim regulatory action was necessary to protect the interests of clients and creditors of FTX Digital Markets.” 

The statement aligns with evidence provided by FTX representatives in their court filing, released shortly after the Commission’s tweet. They say government officials allegedly directed Bankman-Fried and co-founder Gary Wang — described as “effectively in the custody of Bahamas authorities” — to make the presumably unauthorized transfers.

According to FTX lawyers, the crypto is being kept with New York-based direct custody-service startup Fireblocks under control of the Bahamian government. Fireblocks declined to comment on the record.

FTX hacker could’ve been in waiting for a long time

The question remains: Was FTX actually hacked? On-chain data reviewed by Blockworks does indeed show addresses linked to an attacker draining almost half a billion dollars in various cryptocurrencies from FTX hot wallets — including FTX US — on Nov. 12.

Tokens were apparently siphoned across multiple blockchains including Ethereum, Solana and Binance Chain. Cryptocurrencies such as gold-pegged asset pax gold, tether, ether, chainlink, shiba inu and bitcoin all featured prominently in the haul, as well as aave and apecoin.

As earlier noted by Elliptic, much of the funds in question were quickly sold for MakerDAO’s decentralized stablecoin DAI and ether — assets considered uncensorable. Notably, no funds were sent to crypto mixers such as Tornado Cash.


Tether, on the other hand, quickly moved to freeze around $47 million in USDT, rendering the tokens moot and valueless.


But Tom Robinson, chief scientist at Elliptic, isn’t totally convinced the incident was a hack. In an email to Blockworks, Robinson explained that based on the information shared publicly it’s still not clear exactly what happened. But his interpretation would be that the Bahamian regulator gave instructions to convert the stablecoins and other tokens into ETH and DAI to avoid them being frozen by their issuers.

“That or whoever was directed to move the assets took it upon themselves to perform the conversion. But that’s just speculation on my part at the moment,” Robinson said.

Bankman-Fried addressed the apparent hack in recent conversations with Vox journalist Kelsey Piper, saying that the hacker was either a disgruntled employee or a bad actor who had smuggled malware onto an employee’s machine, leading to compromised hot wallet private keys.

Indeed, court filings recently showed just how lax FTX cybersecurity practices were. Lawyers maintain that former CEO Bankman-Fried and chief technology officer Wang used an “unsecured group email account to access confidential private keys and other critically sensitive information.”

Retrieving FTX’s stolen crypto could take years — if at all

To Nick Bax, head of research at crypto research and development startup Convex Labs, this leaves open the possibility that a company insider was phished — which could’ve directly led to the hack last week. Similar prominent thefts have been linked to the Lazarus hacking group affiliated with the North Korean government, which has cultivated vulnerabilities within crypto companies, although there has been no direct evidence or allegations made by law enforcement in this case.

Bax remained confident that the initial Ethereum wallet labeled as FTX Account Drainer on Etherscan was a black hat hacker. He described a scenario where a hacker had gotten to FTX’s unsecured email account and FTX private keys. 

“Like everybody else, you think FTX has $10 billion or $20 billion — what do you do? Stay in the network and wait for your opportunity to steal it all,” Bax said.

“We do know in other cases, sophisticated or state-sponsored hackers, they had an opportunity to steal a life-changing amount of money, but they stayed and maintained their foothold in the network for months and months, waiting for the opportunity to maximize their theft. In the case of FTX, they could’ve realized that FTX was actually insolvent at the same time as everybody else, and just pulled what they could.”


Kraken Chief Security Officer Nick Percoco tweeted at the time of the attack that the exchange knew the identity of the attacker, as Kraken accounts had funded certain transaction fees for some illicit transactions. Percoco later appeared to walk those comments back, tweeting that the accounts in question may have belonged to FTX, and the cited transactions may have been part of efforts to safeguard crypto from the attack. Blockworks has reached out for comment.

But whether it was a disgruntled employee, North Korean hackers or someone else, the matter of whether the funds could eventually be retrieved and returned to FTX creditors is unclear. 

Bax, who has worked extensively in cryptoasset recovery on behalf of hacking victims, explained that retrieving the funds begins with identifying the hacker. 

“There’s been several large recoveries from the Silk Road hack and those took years. There’s been a partial recovery from the North Korean hacks of the Ronin network, but they only got around 20% back,” Bax said.

“It really depends on who it is, if it’s an insider — it’s not that hard. If it’s the North Koreans who hacked the insider, then good luck.”

Macauley Peterson contributed reporting.

