
FTX hacker could be using SBF trial as a smokescreen: CertiK

The still-unidentified FTX hackers started ramping up their movement of stolen funds in recent weeks, potentially using media attention of the trial as a cover to hide the illicit activity.

The hacker responsible for stealing over $400 million from FTX and FTX US in November could be using the hype around Sam Bankman-Fried’s fraud trial to further obfuscate the funds, says CertiK’s director of security operations Hugh Brooks.

Only days before the start of Bankman-Fried’s criminal trial, the FTX hacker, known as “FTX Drainer,” began moving millions in Ether it had gained from the November attack.

The movements have continued throughout the trial. In the last three days, the hacker transferred approximately 15,000 ETH (worth roughly $24 million) to three new wallet addresses.

“With the onset of the FTX trial and the substantial public attention and media coverage it is receiving, the individual accountable for draining the funds might be feeling an increased urgency to conceal the assets,” said Brooks.

“It's also plausible that the FTX drainer harbored an assumption that the trial would monopolize so much attention from the Web3 industry that there would be insufficient bandwidth to trace all stolen funds while also covering the trial concurrently.”

FTX, which had once been valued at $32 billion, declared bankruptcy on Nov. 11. That same day, employees at FTX began noticing massive withdrawals of funds from the exchange’s wallets.

An Oct. 9 report from Wired has provided fresh insight into how events transpired during the night of the attack.

After FTX employees realized that the attacker had complete access to a series of wallets, the team declared that “the fox [was] in the hen house” and scrambled to keep the remaining funds out of the hacker’s hands.

The team reportedly made the decision to transfer a staggering amount of the remaining funds — between $400 and $500 million — to a privately owned Ledger cold wallet, while waiting to hear back from BitGo, the company tasked with taking custody of the exchange’s assets post-bankruptcy.

The move likely prevented the attacker from gaining a full $1 billion in the raid.


Meanwhile, Brooks explained that the hacker appears to have changed its method for obscuring funds.

On Nov. 21, the FTX hacker was observed attempting to launder funds using a “peel chain” method, in which funds pass through a series of new wallets, with a decreasing amount forwarded at each hop while smaller amounts are “peeled” off into other new wallets.

However, the hacker has recently been using a more sophisticated method to obscure the transfer of the illicit assets, said Brooks.

The new laundering method being employed by the FTX hacker as recorded on Oct. 2. Source: CertiK

Funds held in the original Bitcoin wallet are split across multiple wallets, each of which passes smaller portions on to a further series of wallets, a tactic that “considerably prolongs” the tracing process.

Brooks said no individuals or groups behind the FTX hack have yet been identified, and that investigations are continuing.


On the move: FTX hacker splits nearly $200M in ETH across 12 wallets

Meanwhile, Ethereum users are sending encoded messages to the FTX hacker pleading for a share of funds.

The hacker behind the theft of more than $447 million of crypto from the crypto exchange FTX has again been spotted moving their ill-gotten funds.

According to Etherscan data, between 4:11 and 4:17 pm UTC on November 21, the attacker moved a total of 180,000 Ether (ETH) across 12 newly created wallets — each receiving 15,000 ETH. The amount moved was worth $199.3 million at current prices.

Recent transactions from wallet labeled "FTX Accounts Drainer" — Source: Etherscan

At the time of publication, the ETH has not moved from any of the 12 wallets.

Some in the crypto community suggest the attacker may be planning to subdivide it into smaller and smaller amounts in order to confuse investigators, a process known as “peel chaining,” or they may be planning to use a mixing service at some point to obscure which coins are theirs.
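The two movement patterns described in this and the earlier report, a fan-out split into equal-sized fresh wallets and a peel chain, are the kind of thing on-chain tracers look for. The following is an added illustration, not code from CertiK, Etherscan or the original articles: two small heuristics run over a constructed transfer list (wallet names and amounts are made up and are not the real FTX Drainer addresses).

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, amount_eth); not real FTX Drainer data.
# "drainer" fans 15,000 ETH out to 12 fresh wallets and also starts a peel chain at "peel1".
SAMPLE_TXS = [("drainer", f"split{i:02d}", 15000.0) for i in range(12)] + [
    ("drainer", "peel1", 1000.0),
    ("peel1", "peel2", 900.0), ("peel1", "cash1", 100.0),
    ("peel2", "peel3", 800.0), ("peel2", "cash2", 100.0),
    ("peel3", "peel4", 700.0), ("peel3", "cash3", 100.0),
    ("other", "shop", 5.0),  # unrelated activity that must not be flagged
]

def outgoing(txs):
    """Map each sender to its list of (receiver, amount)."""
    out = defaultdict(list)
    for sender, receiver, amount in txs:
        out[sender].append((receiver, amount))
    return out

def find_fan_outs(txs, min_outputs=5):
    """Flag senders that split funds into many equal-sized transfers to distinct wallets,
    the pattern behind the 12 x 15,000 ETH move. Returns (sender, amount, wallet_count)."""
    hits = []
    for sender, sends in outgoing(txs).items():
        receivers_by_amount = defaultdict(set)
        for receiver, amount in sends:
            receivers_by_amount[round(amount, 2)].add(receiver)
        for amount, receivers in receivers_by_amount.items():
            if len(receivers) >= min_outputs:
                hits.append((sender, amount, len(receivers)))
    return hits

def follow_peel_chain(seed, txs, max_hops=50):
    """Follow a peel chain from `seed`: at each hop the wallet forwards its largest
    transfer onward (strictly smaller than the previous hop) and 'peels' the rest to
    other wallets. Returns a list of (sender, next_wallet, forwarded, peeled) per hop."""
    out = outgoing(txs)
    chain, current, last_forwarded = [], seed, float("inf")
    for _ in range(max_hops):
        sends = out.get(current, [])
        if len(sends) < 2:  # a peel hop needs a main transfer plus at least one peel
            break
        next_wallet, forwarded = max(sends, key=lambda s: s[1])
        if forwarded >= last_forwarded:
            break
        peeled = sum(a for r, a in sends if r != next_wallet)
        chain.append((current, next_wallet, forwarded, peeled))
        current, last_forwarded = next_wallet, forwarded
    return chain
```

Real tracing adds a tolerance on amounts and follows bridges and mixers across chains, but the two heuristics above are enough to show why both patterns lengthen the trail without hiding it.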

Meanwhile, some Ethereum users appear to have sent coded messages to the hacker asking for a share of the loot.

One user registered the Ethereum Name Service (ENS) domain name “ftx-rekt200k-pls-help.eth” to signal that they had lost money in the FTX collapse and to ask the hacker for reimbursement.

They sent 21 transactions of 0.000001 Ether to the hacker’s address in an attempt to get noticed.

Another user was even more creative. They registered the ENS domain “pleasecheckutf8data.eth” and sent 12 transactions of 0.0001 ETH or less to the hacker’s wallet address.

An encoded message asking the FTX Accounts Drainer for a share of funds. Source: Etherscan

Inside each transaction was a UTF-8-encoded message that said: “Please send me 100k~, I have medical bills to pay and visit the USA this coming December. I can't walk properly, and have aggressive muscle issues. Please help! I lost most of my money on FTX.”

The message also contained a link to an Imgur post which the user claimed was proof of their medical appointment.


The hack occurred on Nov. 11, the same day that FTX filed for Chapter 11 bankruptcy protection.

On November 20, the attacker transferred 50,000 ETH to a separate wallet and then converted it to Bitcoin using two separate renBTC bridges.

As of today, the hacker is the 40th largest holder of ETH.
