White Hat v. Black Hat: What Really Happened With the FTX Hack?

Cointime Official

Bankruptcy lawyers are battling Bahamian regulators over crypto tied to former billionaire Sam Bankman-Fried’s FTX empire — raising questions about a peculiar half-billion-dollar hack on the exchange last week.

Last weekend, blockchain analytics unit Elliptic reported that $663 million in various cryptocurrencies had been drained from FTX wallets just 24 hours after 134 affiliated entities had filed for Chapter 11 bankruptcy on Nov. 11.

Elliptic at the time attributed $186 million of those outflows to FTX personnel, who’d appeared to be securing compromised funds to avoid further losses. The remaining $447 million in digital assets were said to have been siphoned in “unauthorized transfers,” with $220 million cashed out for ether and stablecoin DAI. Blockchain data shows the attacker interacting with decentralized exchanges such as Uniswap alongside aggregators 1inch and CoW Protocol.

At the time of the attack, FTX representatives in the firm’s Telegram channel characterized the situation as a hack and urged FTX users not to interact with the exchange’s website and apps for fear of malware.

FTX US general counsel Ryne Miller later shared a statement from FTX’s appointed restructurer John J. Ray III, who confirmed that “unauthorized access to certain assets has occurred.”

Fast forward to Thursday, and the Securities Commission of the Bahamas announced via Twitter it had assumed control of assets belonging to FTX Digital Markets, leading onlookers to question whether the commission was the hacker — albeit a “white hat” — all along.

“On [Nov. 12], the Commission, in the exercise of its powers as regulator acting under the authority of an Order made by the Supreme Court of the Bahamas, took the action of directing the transfer of all digital assets of FTX Digital Markets to a digital wallet controlled by the Commission, for safekeeping,” the Commission said.

It went on: “Urgent interim regulatory action was necessary to protect the interests of clients and creditors of FTX Digital Markets.”

The statement aligns with evidence provided by FTX representatives in their court filing, released shortly after the Commission’s tweet. They say government officials allegedly directed Bankman-Fried and co-founder Gary Wang — described as “effectively in the custody of Bahamas authorities” — to make the presumably unauthorized transfers.

According to FTX lawyers, the crypto is being kept with New York-based direct custody-service startup Fireblocks under control of the Bahamian government. Fireblocks declined to comment on the record.

FTX hacker could’ve been in waiting for a long time

The question remains: Was FTX actually hacked? On-chain data reviewed by Blockworks does indeed show addresses linked to an attacker draining almost half a billion dollars in various cryptocurrencies from FTX hot wallets — including FTX US — on Nov. 12.

Tokens were apparently siphoned across multiple blockchains including Ethereum, Solana and Binance Chain. Cryptocurrencies such as gold-pegged asset pax gold, tether, ether, chainlink, shiba inu and bitcoin all featured prominently in the haul, as well as aave and apecoin.

As earlier noted by Elliptic, much of the funds in question were quickly sold for MakerDAO’s decentralized stablecoin DAI and ether — assets considered uncensorable. Notably, no funds were sent to crypto mixers such as Tornado Cash.

Tether, on the other hand, quickly moved to freeze around $47 million in USDT, rendering the tokens moot and valueless.

But Tom Robinson, chief scientist at Elliptic, isn’t totally convinced the incident was a hack. In an email to Blockworks, Robinson explained that based on the information shared publicly it’s still not clear exactly what happened. But his interpretation would be that the Bahamian regulator gave instructions to convert the stablecoins and other tokens into ETH and DAI to avoid them being frozen by their issuers.

“That or whoever was directed to move the assets took it upon themselves to perform the conversion. But that’s just speculation on my part at the moment,” Robinson said.

Bankman-Fried addressed the apparent hack in recent conversations with Vox journalist Kelsey Piper, saying that the hacker was either a disgruntled employee or a bad actor who had smuggled malware onto an employees machine, leading to compromised hot wallet private keys.

Indeed, court filings recently showed just how lax FTX cybersecurity practices were. Lawyers maintain that former CEO Bankman-Fried and chief technology officer Wang used an “unsecured group email account to access confidential private keys and other critically sensitive information.”

Retrieving FTX’s stolen crypto could take years — if at all

To Nick Bax, head of research at crypto research and development startup Convex Labs, this leaves open the possibility that a company insider was phished — which could’ve directly led to the hack last week. Similar prominent thefts have been linked to the Lazarus hacking group affiliated with the North Korean government, which has cultivated vulnerabilities within crypto companies, although there has been no direct evidence or allegations made by law enforcement in this case.

Bax remained confident that the initial Ethereum wallet labeled as FTX Account Drainer on Etherscan was a black hat hacker. He described a scenario where a hacker had gotten to FTX’s unsecured email account and FTX private keys.

“Like everybody else, you think FTX has $10 billion or $20 billion — what do you do? Stay in the network and wait for your opportunity to steal it all,” Bax said.

“We do know in other cases, sophisticated or state-sponsored hackers, they had an opportunity to steal a life-changing amount of money, but they stayed and maintained their foothold in the network for months and months, waiting for the opportunity to maximize their theft. In the case of FTX, they could’ve realized that FTX was actually insolvent at the same time as everybody else, and just pulled what they could.”

Kraken Chief Security Officer Nick Percoco tweeted at the time of the attack that the exchange knew the identity of the attacker, as Kraken accounts had funded certain transaction fees for some illicit transactions. Percoco later appeared to walk those comments back, tweeting that the accounts in question may have belonged to FTX, and the cited transactions may have been part of efforts to safeguard crypto from the attack. Blockworks has reached out for comment.

But whether it was a disgruntled employee, North Korean hackers or someone else, the matter of whether the funds could eventually be retrieved and returned to FTX creditors is unclear.

Bax, who has worked extensively in cryptoasset recovery on behalf of hacking victims, explained that retrieving the funds begins with identifying the hacker.

“There’s been several large recoveries from the Silk Road hack and those took years. There’s been a partial recovery from the North Korean hacks of the Ronin network, but they only got around 20% back,” Bax said.

“It really depends on who it is, if it’s an insider — it’s not that hard. If it’s the North Koreans who hacked the insider, then good luck.”



All Comments

Recommended for you

  • Hong Kong and Macao police jointly arrested 4 people this week in connection with the JPEX case and seized or frozen 24 million Hong Kong dollars in assets.

    With regards to the JPEX virtual asset trading platform case, the Hong Kong police have received 2,417 reports, involving a total amount of over HKD 1.5 billion. Assistant Commissioner of Police, Chung Yung-min, stated that the Hong Kong police carried out a joint operation with the Macau Judiciary Police from Tuesday to Thursday this week, arresting four people and seizing or freezing HKD 24 million in assets, including casino accounts and a large amount of cash. She also said that the police are actively tracing the whereabouts of virtual assets, have identified other targets, but some have left Hong Kong. The police will work with international cooperation to arrest those involved. She pointed out that the JPEX fraud network is very large and complex, and the investigation is still in its early stages. Those involved still insist that it is a legitimate investment platform. She hopes that the public will be more cautious when making any decisions regarding JPEX. Chief Superintendent of the Cyber Security and Technology Crime Bureau, Cheng Lai-ki, said that the criminal group has destroyed many documents, making it difficult for the police to track the fraudulent funds and investigate. However, she emphasized that the police will continue to communicate with overseas trading platforms to trace the whereabouts of virtual assets. A total of HKD 5 million worth of encrypted currency assets have been frozen temporarily. 

  • Valkyrie Ethereum Futures ETF Receives U.S. SEC Approval

    The US SEC has approved Valkyrie to convert its existing Bitcoin futures ETF to a Bitcoin and Ethereum futures ETF. The new fund will be renamed "Valkyrie Bitcoin and Ethereum Strategy ETF" and will take effect on October 3, with the code still being BTF.

  • AlphaSense Raises $150M in Series E Funding Round Led by BOND and Alphabet's CapitalG

    AlphaSense, a B2B AI platform focused on business intelligence and search, has completed a successful Series E funding round, raising $150 million. The round was led by BOND and included investments from Alphabet's CapitalG, Goldman Sachs, and Viking Global. AlphaSense's valuation has grown from $1.7 billion to $2.5 billion since its Series D funding round in June 2023. The platform uses machine learning to provide deep insights into business and finance analytics, offering "insights-as-a-service." The latest investment will allow AlphaSense to continue leading the generative AI revolution in the B2B sector.

  • web3 startup IYK raises $16.8 million in seed funding, led by A16z Crypto

    Web3 startup IYK has raised $16.8 million in seed funding, with A16z Crypto leading the way and other investors including 1kx, Collabcurrency, Lattice Capital, and gmoney. According to its website, IYK is a participant in the a16z Crypto Startup School, which is an accelerator program from the venture capital giant that typically invests $500,000 in participating startups in exchange for 7% equity. IYK says that it has recruited over 100 creators from industries such as fashion, music, and art since its founding in 2021. To attract more brands and creators, it is launching a self-service platform to help create digital physical experiences.

  • Oracle project Supra completed over US$24 million in financing, with participation from Animoca Brands and Coinbase Ventures.

    On September 28th, Supra, a provider of oracle and VRF services, announced that it had completed a funding round of over $24 million. Investors in this round include Animoca Brands, BCW, Coinbase Ventures, FiveT Fintech (formerly Avaloq Ventures), Galaxy Interactive, Hashed, HashKey, Huobi Ventures, No Limit Holdings, Prosus Ventures,, Republic Crypto, Shima Capital, Signum Capital, SMO Capital, Sound Ventures, Sublime Ventures, UOB Venture Management (Dahua Bank), and Valor Equity Partners.

  • Hong Kong police arrested three people again in connection with the JPEX case, bringing the total number of arrests to 15

    Hong Kong police arrested three more people related to the JPEX case, including one director and one employee of the overseas exchange Lupin, and one popular analyst from a foreign currency exchange shop. The total number of arrests is now 15. The police have received a total of 2,392 reports, involving a total amount of nearly 1.5 billion yuan, and have frozen 77 million yuan in assets. 

  • The EU will collect data proving that cryptocurrency PoW mechanisms "seriously" harm the environment and plans to develop sustainability standards

    On September 28th, the European Commission released a tender contract worth 800,000 euros (approximately $842,000) aimed at mitigating the "significant harm" that cryptocurrency poses to the environment. The research, which will end on November 10th, will establish standards that will be incorporated into potential future EU policies to curb the impact of cryptocurrency on climate change and develop new energy efficiency labels for blockchain. The European Commission stated in the tender document that "there is evidence that crypto-assets can cause significant damage to the climate and the environment," which could undermine the EU's greenhouse gas reduction targets, indicating that new sustainable development standards may be adopted in the future. EU legislators are concerned about the energy-intensive PoW consensus mechanism that supports blockchain such as Bitcoin. The EU's research will be completed within a year and will study green issues related to the use of water, waste, natural resources, and energy by cryptocurrencies. (CoinDesk)

  • Brazil’s cryptocurrency trading volume in July was US$3.7 billion, with USDT trading accounting for 81.6%

    According to data from the Federal Tax Authority, cryptocurrency transactions in Brazil reached 18.8 billion Brazilian real (approximately 3.7 billion US dollars) in July, a decrease of 11.4% compared to the previous month. The three highest transaction volumes were stablecoins, with USDT accounting for 15.3 billion Brazilian real, or 81.6% of the total transaction volume, followed by USDC (838 million Brazilian real) and Brazilian real stablecoin BRZ (641 million Brazilian real). 

  • The National Blockchain Industry Industry-Education Integration Community was established in Xiongan New Area

    National Blockchain Industry Production-Education Integration Community Establishment Conference was held in Xiong'an New Area on September 27. The National Blockchain Industry Production-Education Integration Community is jointly formed by Xiong'an Guochuang Center Technology Co., Ltd., Southwest University of Finance and Economics, Hebei Software Vocational and Technical College, and other units under the guidance of the Vocational and Adult Education Department of the Ministry of Education, the Education and Examination Center of the Ministry of Industry and Information Technology, and the China Association of Small and Medium Enterprises, together with relevant industry associations, enterprises, undergraduate colleges, vocational colleges, scientific research institutes and other units. The establishment of the National Blockchain Industry Production-Education Integration Community aims to gather high-quality production-education resources and establish a new type of production-education integration organization to support the development of the blockchain industry, promote industrial development and talent cultivation, effectively promote the deep integration of industry and education, improve the quality of talent cultivation, better meet the development needs of the blockchain industry, and effectively promote economic and social development.

  • Slope, a Fintech Startup Backed by the Founder of Worldcoin, Completed $30 Million in Financing

    Slope, a financial technology startup supported by Worldcoin founder Sam Altman, announced the completion of a $30 million financing round, with participation from Y Combinator, monashees, and a group of angel investors in the financial technology field. It is reported that Sam Altman and Union Square Ventures jointly led Slope's previous $24 million Series A financing round. So far, the company's total financing amount has reached $187 million.