Security
Headlines
HeadlinesLatestCVEs

Headline

How the FTX Thieves Have Tried to Launder Their $400 Million Haul

Whoever looted FTX on the day of its bankruptcy has now moved the stolen money through a long string of intermediaries—including a service owned by FTX itself.

Wired
#acer

As the criminal trial of FTX founder Sam Bankman-Fried unfolds in a Manhattan courtroom, some observers in the cryptocurrency world have been watching a different FTX-related crime in progress: The still-unidentified thieves who stole more than $400 million out of FTX on the same day that the exchange declared bankruptcy have, after nine months of silence, been busy moving those funds across blockchains in an apparent attempt to cash out their loot while covering their tracks. Blockchain watchers still hope that money trail might help to identify the perpetrators of the heist—and answer the looming question of whether someone with insider knowledge of FTX was involved.

Today, cryptocurrency tracing firm Elliptic released a new report on the complex path those stolen funds have taken over the 11 months since they were pulled out of FTX on November 11 of last year. Elliptic’s tracing shows how that nine-figure sum, which FTX puts at between $415 million and $432 million, has since moved through a long list of crypto services as the thieves attempt to prepare it for laundering and liquidation, and even through one service owned by FTX itself. But those hundreds of millions also sat idle for all of 2023—only to begin to move again this month, in some cases as Bankman-Fried himself sat in court, raising new and unanswered questions about the thieves’ identities and plans.

“The funds basically didn’t move for nine months, and then a couple of days before the trial starts, they start to move again,” says Tom Robison, Elliptic’s cofounder and chief scientist. “Why did they have to move the funds now? It doesn’t really make sense to start laundering funds at the time when there’s so much attention on the victim of the hack.”

Aside from that strange timing, Elliptic says the FTX thieves have largely taken steps typical for the perpetrators of large-scale crypto heists as the culprits sought to secure the funds, swap them for more easily laundered coins, and then funnel them through cryptocurrency “mixing” services to achieve that laundering. The majority of the stolen funds, Elliptic says, were stablecoins that, unlike other forms of cryptocurrency, can be frozen by their issuer in the case of theft. In fact, the stablecoin issuer Tether moved quickly to freeze $31 million of the stolen money in response to the FTX heist. So the thieves immediately began exchanging the rest of those stablecoins for other crypto tokens on decentralized exchanges like Uniswap and PancakeSwap—which don’t have the know-your-customer requirements that centralized exchanges do, in part because they don’t allow exchanges for fiat currency.

In the days that followed, Elliptic says, the thieves began a multi-step process to convert the tokens they’d traded for the stablecoins into cryptocurrencies that would be easier to launder. They used “cross-chain bridge” services that allow cryptocurrencies to be exchanged from one blockchain to another, trading their tokens on the bridges Multichain and Wormhole to convert them to Ethereum. By the third day after the theft, the thieves held a single Ethereum account worth $306 million, down about $100 million from their initial total due to the Tether seizure and the cost of their trades.

From there, the thieves appear to have focused on exchanging their Ethereum for Bitcoin, which is often easier to feed into “mixing” services that offer to blend a user’s bitcoins with those of other users to prevent blockchain-based tracing. On November 20, nine days after the theft, they traded about a quarter of their Ethereum holdings for Bitcoin on a bridge service called RenBridge—a service that was, ironically, itself owned by FTX. “Yes, it is quite amazing, really, that the proceeds of a hack were basically being laundered through a service owned by the victim of the hack,” says Elliptic’s Robison.

On December 12, a month after the theft, most of the bitcoins from that RenBridge trade were then fed into a mixing service called ChipMixer. At that point, the thieves went strangely quiet. The rest of their Ethereum would remain dormant for the next nine months.

Only on September 30, just days ahead of Bankman-Fried’s trial, did the remainder of the funds begin to move again, Elliptic says. By that time, both RenBridge and ChipMixer had been shut down—RenBridge due to its parent company FTX’s collapse and ChipMixer due a law enforcement seizure. So the thieves pivoted to trading their Ethereum for Bitcoin on a service called THORSwap and then routing those bitcoins into a mixing service called Sinbad.

Sinbad has over the past year become a popular destination for criminal cryptocurrency, particularly crypto stolen by North Korean hackers. But Elliptic’s Robison notes that despite this, the movement of funds appears less sophisticated than what he’s seen in the typical North Korean heist. “It doesn’t use some of the services that Lazarus typically use,” Robison says, referring to the broad group of North Korean state-sponsored hackers known as Lazarus. “So it doesn’t look like them.”

Does the timing of those new movements of funds ahead of—and even during—Bankman-Fried’s trial suggest someone with insider knowledge is responsible? Elliptic’s Robison notes that, while the timing is conspicuous, he can only speculate at this point. It’s possible that the timing has been purely coincidental, Robison says. Or someone might be moving the money now to make it look like an FTX insider—potentially one who fears they might be about to lose their internet access. Neither Bankman-Fried nor his fellow executives have been charged with the theft, and some of the money movements have taken place while Bankman-Fried has been in court, with only a laptop disconnected from the internet.

Eventually, no doubt, the thieves will attempt to cash out their stolen and laundered cryptocurrency for some sort of fiat currency. Robison is still hopeful that, despite their use of mixers, they can still be identified at that point—though he declined to definitively answer whether Elliptic can defeat those mixing services’ anonymity measures. “I think they probably will be successful in cashing out at least some of these funds. I think whether they’re going to get away with it is a separate question,” says Robison. “There’s already a blockchain trail to be followed, and I think that trail will only become clearer with time.”

Two other cryptocurrency tracing firms, TRM Labs and Chainalysis, have both been hired by FTX’s new regime under CEO John Ray III to aid in the investigation. TRM Labs declined to comment on the case. Chainalysis didn’t respond to WIRED’s request for comment, nor did FTX itself.

If those cryptocurrency tracers succeed, we may someday have an answer to the mystery of the FTX heist. In the meantime, however, FTX’s many aggrieved creditors will be left to keep one eye on Bankman-Fried’s trial and the other on the Bitcoin blockchain.

Wired: Latest News

Drug Dealers Have Moved Onto Social Media