FTX hacker could be using SBF trial as a smokescreen: CertiK

October 10, 2023 Coin Telegraph

The still-unidentified FTX hackers started ramping up their movement of stolen funds in recent weeks, potentially using media attention of the trial as a cover to hide the illicit activity.

The hacker responsible for stealing over $400 million from FTX and FTX US in November could be using the hype around Sam Bankman-Fried’s fraud trial to further obfuscate the funds, says CertiK’s director of security operations Hugh Brooks.

Only days before the start of Bankman-Fried's criminal trial, the FTX hacker, known as “FTX Drainer," began moving millions in Ether it had gained from the November attack.

The movements have continued throughout the trial. In the last three days, the hacker transferred approximately 15,000 ETH (worth roughly $24 million) to three new wallet addresses.

“With the onset of the FTX trial and the substantial public attention and media coverage it is receiving, the individual accountable for draining the funds might be feeling an increased urgency to conceal the assets,” said Brooks.

“It's also plausible that the FTX drainer harbored an assumption that the trial would monopolize so much attention from the Web3 industry that there would be insufficient bandwidth to trace all stolen funds while also covering the trial concurrently.”

FTX, which had once been valued at $32 billion, declared bankruptcy on Nov. 11. That same day, employees at FTX began noticing massive withdrawals of funds from the exchange’s wallets.

An Oct. 9 report from Wired has provided fresh insight into how events transpired during the night of the attack.

After FTX employees realized that the attacker had complete access to a series of wallets, the team declared that "the fox [was] in the hen house” and scrambled to keep the remaining funds out of the hacker’s hands.

The team reportedly made the decision to transfer a staggering amount of the remaining funds — between $400 and $500 million — to a privately owned Ledger cold wallet, while waiting to hear back from BitGo, the company tasked with taking custody of the exchange’s assets post-bankruptcy.

The move likely prevented the attacker from gaining a full $1 billion in the raid.

Meanwhile, Brooks explained that the hacker appears to have changed its method for obscuring funds.

On Nov. 21, the FTX hacker was observed attempting to launder funds by using a “peel chain” method, which involves sending decreasing amounts of funds to new wallets and “peeling” off smaller amounts to new wallets.

However, the hacker has recently been using a more sophisticated method to obscure the transfer of the illicit assets, said Brooks.

*The new laundering method being employed by the FTX hacker as recorded on Oct. 2. Source: CertiK*

The funds stored in the original Bitcoin wallet are distributed through multiple wallets, transferring smaller divisions of funds to a series of additional wallets, a tactic that “considerably prolongs” the tracing process.

Brooks said they have yet to identify any individuals or groups that could be behind the FTX hack, and that investigations are continuing.

Magazine: Blockchain detectives — Mt. Gox collapse saw birth of Chainalysis

Sam Bankman-Fried reveals the circumstances behind Bahamian withdrawals

November 30, 2022 Coin Telegraph

000

The former FTX CEO has explained why the exchange only reopened withdrawals for Bahamian citizens shortly before filing for bankruptcy.

FTX’s former CEO Sam Bankman-Fried has divulged what really went on in the days before it filed for bankruptcy when the exchange selectively reopened withdrawals — only for Bahamian users.

In a telephone interview with crypto blogger Tiffany Fong, dated Nov. 16, Bankman-Fried claims to have made the decision to reopen withdrawals to Bahamian citizens as he did not want himself, nor the exchange, to be in a country “with a lot of angry people in it.”

“The reason I did it was it was critical to the exchange being able to have a future because that’s where I am right now, and you do not want to be in a country with a lot of angry people in it and you do not want your company to be incorporated in a country with a lot of angry people in it,” he said.

Bankman-Fried claims he gave Bahamian securities regulators a “one-day heads up” that FTX was going to do it, but said the regulator neither responded with a “yes or no,” before he ultimately decided to go ahead with allowing withdrawals.

“So it was realistically speaking, it’s shitty, but [...] the pathway for FTX involved Bahamians not being pissed at it.”

The now-defunct crypto exchange initially halted all withdrawals on Nov. 8 as a result of liquidity issues.

On Nov. 10, only a day before it filed for bankruptcy, the exchange noted it had begun to facilitate withdrawals of Bahamian funds. At the time, it claimed that it was in compliance with the demands of the country’s regulators — leading to millions of dollars worth of funds extracted from the exchange.

However, the Securities Commission of The Bahamas (SCB) threw a wrench into FTX’s narrative, stating on Nov. 12 that it had neither instructed nor authorized FTX to prioritize withdrawals of Bahamian clients.

They also warned that any withdrawal of funds could be clawed back as part of the firm’s liquidation proceedings.

Cointelegraph contacted the SCB for confirmation on if it had received communication from FTX prior to the exchange’s withdrawals reopening, and what its response was at the time. The SCB did not immediately respond.

Audio from my first interview with Sam Bankman-Fried. SBF talks bankruptcy, the alleged “backdoor,” donations to the Democratic Party, Ukraine money laundering rumors, the hack, Alameda’s margin position on FTX, using FTT as collateral & more. https://t.co/qVfUv6dhww
— Tiffany Fong (@TiffanyFong_) November 29, 2022

In his most recent interview with Fong, Bankman-Fried denied the move was to facilitate withdrawals by people within FTX after Fong suggested that this is how it was being seen.

“Oh it wasn’t insider withdrawals, this was trying to create a regulatory pathway forward for the exchange.”

SBF was hot on FTX hacker’s trail

The former FTX CEO also noted during the Nov. 16 interview that he was close to finding out the identity of the FTX hacker, who is understood to have stolen over $450 million worth of assets soon after the exchange filed for bankruptcy on Nov. 11.

“I don’t know exactly who because they shut off all access to the systems when I was halfway through exploring it. I’ve narrowed it down to eight people. I don’t know which one it was but I have a pretty decent sense.”

Bankman-Fried said he believes it was “either an ex-employee or somewhere someone installed malware on an ex-employee’s computer.”

In a separate, more recent interview with Sam Bankman-Fried by Axios on Nov. 29, the former FTX CEO has revealed he only has around $100,000 left in his bank account as of today.

This is despite Bankman-Fried being worth an estimated $26 billion at his peak.

Bankman-Fried claims that he had “basically everything” tied up in the now-bankrupt company.

"I mean, I have no idea. I don't know. I had $100,000 in my bank account last I checked," he said.

On the move: FTX hacker splits nearly $200M in ETH across 12 wallets

November 22, 2022 Coin Telegraph

On the move: FTX hacker splits nearly 0M in ETH across 12 wallets

attacker

Meanwhile, Ethereum users are sending encoded messages to the FTX hacker pleading for a share of funds.

The hacker behind the theft of more than $447 million of crypto from the crypto exchange FTX has been again spotted moving their ill-gotten funds.

According to Etherscan data, between 4:11 to 4:17 pm UTC on November 21, the attacker moved a total of 180,000 Ether (ETH) across 12 newly created wallets — each receiving 15,000 ETH. The total amount moved totaled $199.3 million at current prices.

*Recent transactions from wallet labeled "FTX Accounts Drainer" — Source: Etherscan*

At the time of publication, the ETH has not moved from any of the 12 wallets.

Some in the crypto community suggest the attacker may be planning to subdivide it into smaller and smaller amounts in order to confuse investigators, a process known as “peel chaining,” or they may be planning to use a mixing service at some point to obscure which coins are theirs.

Meanwhile, some Ethereum users appear to have sent coded messages to the hacker asking for a share of the loot.

One user registered the Ethereum Name Service (ENS) domain name, “ftx-rekt200k-pls-help.eth” to express that they have lost money from the FTX collapse and to ask for a reimbursement from the hacker.

They sent 21 transactions of 0.000001 Ether to the hacker’s address in an attempt to get noticed.

Another user was even more creative. They registered the ENS domain, “pleasecheckutf8data.eth” and sent 12 transactions of 0.0001 ETH or less to the hacker’s wallet address.

*An encoded message asking the FTX Accounts Drainer for a share of funds. Source: Etherscan*

Inside each transaction was a UTF8 encoded message that said “Please send me 100k~, I have medical bills to pay and visit the USA this coming December. I can't walk properly, and have aggressive muscle issues. Please help! I lost most of my money on FTX.”

The message also contained a link to an Imgur post which the user claimed was proof of their medical appointment.

The hack occurred on Nov. 11, the same day that FTX filed for chapter 11 bankruptcy protection.

On November 20, the attacker transferred 50,000 ETH to a separate wallet and then converted it to Bitcoin using two separate renBTC bridges.

As of today, the hacker is the 40th largest holder of ETH.

FTX hacker