Shortly after the bankruptcy, the FTX exchange is “hacked”. The hacker looted more than half a billion dollars worth of tokens, exchanged them for ether – and dumped them on the market. But what does the government of the Bahamas have to do with it?
The collapse of FTX keeps the market in suspense and we will continue to report on it. Today we turn to something that has received little attention: the hack—or the alleged hack. Like everything about FTX, it’s going to be…extreme.
So: A few hours after FTX declared bankruptcy, on November 12, the exchange reported a hack: They are investigating unauthorized transactions that pay out coins.
The blockchain analyst Elliptic specified this a little later: The “hack” – Elliptic put the word in double quotes on purpose – sold assets worth 477 million dollars. Another analyst, Nansen, put the haul at $659 million. The specific value is likely to fluctuate extremely, since it was a rather colorful basket: a large number of coins – stablecoins, DeFi tokens, memecoins, wrapped ether … – on a wide variety of blockchains – Ethereum, Polygon, Solana, BNB, Avalanche, Tron etc.
Hundreds of millions of dollars are now flowing out of FTX wallets, some speculate liquidators but it’s late on a friday night, not typical times for such rapid heavy movements. Some withdrawals are being swapped from Tether to DAI. Hack or insider actions? $26 million here pic.twitter.com/8wWlaE7na9
— foobar (@0xfoobar) November 12, 2022
The hacker then immediately started moving the coins through the DeFi ecosystem: He first led them to the Ethereum blockchain via various bridges and exchanged them for ether there. This was probably done to protect them from being frozen. This didn’t quite work out as Tether and Paxos reacted swiftly, freezing around $100 million in stablecoins. The rest, however, ended up on an ether wallet.
The hack came at the right time. It seemed a little too much on schedule, and of course it wasn’t for a second before the rumor was raised that it was an inside job: that Sam Bankman-Fried or some other employee of the bankrupt exchange was getting what there was yet to get. Shortly thereafter, the suspicion was confirmed: A transaction led to a Tron wallet from the Kraken exchange, and its CSO Nick Percoco explained that the wallet was linked to the official FTX account. This account is now of course frozen.
So that could close the case. Or?
An author that no one would have expected
The explanation is unsatisfactorily too simple. An inside job – who then uses the official account at Kraken? Someone smart enough to withdraw the coins and pulling out all the stops to protect them from censorship – is that making such an obvious mistake?
Something doesn’t add up.
Shortly thereafter, a new suspect came into play, and one no one would have guessed: the government of the Bahamas, where FTX was registered. An application to the US bankruptcy court in Delaware read the following, unfortunately in somewhat convoluted legal jargon:
In connection with the Saturday, November 13 investigation into the hack, Mr. Bankman-Fried and [FTX Co-Founder and CTO Gary] Wang stated that the ‘Regulators of the Bahamas’ have directed certain asset transfers of the Debtors executed by Mr. Wang and Mr. Bankman-Fried (who, as the Debtors know, were effectively in the custody of the Bahamas authorities) […] The Debtors therefore have credible evidence that the Bahamas government is responsible for the unauthorized Having requested access to the debtor’s system with the intention of obtaining its digital assets…
In a press release that followed shortly thereafter , the Bahamas government confirmed this in clearer terms:
Nassau, The Bahamas, Thursday November 17, 2022 – On November 12, 2022, the Securities and Exchange Commission of the Bahamas (‘the Commission’) ordered […] that all digital assets of FTX Digital Markets Ltd. transferred to a digital wallet controlled by the Commission.
Now the story makes sense: Sam Bankman-Fried, or rather Gary Wang, emptied the wallets on orders from the Bahamas government. Hence the official account at Kraken. That the government of a small Caribbean state would use the methods of hackers to plunder a bankrupt exchange is exciting. Or, as someone put it on Twitter, “The SEC thought they were gangsta; then the Securities and Exchange Commission of the Bahamas came on the field.”
SEC thought they were gangsta; then the Bahamanian Securities Commission walked onto the yard pic.twitter.com/pRKVHhrqkp
— _gabrielShapir0 (@lex_node) November 18, 2022
As a result of the switch, the hacker had accumulated 228,523 Ether on his wallet, worth almost $300 million at the time. This made him the 35th largest Ethereum holder. Him – so the government of the Bahamas, which is exciting again.
Or? Are we still missing a piece of the puzzle?
black and white
If the Bahamas government ordered the “hack,” it makes some sense that the coins would go to an official FTX account. But it makes another facet of the story even more absurd: that the hacker acted like a hacker — and didn’t stop.
Update: FTX Hacker is now actively dumping ETH on-chain
He has dumped about $15 million ETH in the past 30 minutes and just prepped a fresh batch of $12 million
Still has $270m ETH in main wallet
He’s selling ETH to wBTC to renBTC through aggregators like 1inch https://t.co/mEd8UHFCO0
— kamikaz ΞTH ?? (@kamikaz_ETH) November 20, 2022
On November 20th, the hacker started selling the ethers through onchain exchanges. Not against dollar tokens, but against tokenized bitcoins, either wBTC or renBTC. Would the government of the Bahamas really react like that? Would it be legal to exchange confiscated assets? At this point at the latest, doubts about this variant began to spread.
1/ I have seen a ton of misinformation being spread on Twitter and in the news about the FTX event so let me debunk the three most common things I’ve seen
“Bahamian officials are behind the FTX hack”
“Exchanges know who the hacker is”
“FTX hacker is trading meme coins” pic.twitter.com/IAtHnpJI44
— ZachXBT (@zachxbt) November 20, 2022
Analyst ZachXBT offers a plausible explanation: It was both and. Both a hacker – and the government of the Bahamas. FTX was looted by two hands, a white hat, on behalf of the government, and a black hat, a criminal.
The two behave completely differently: The white hat paid out the coins to multisig addresses and sent them from there to exchanges such as Kraken. This is how someone behaves who has nothing to hide.
Another address – 0x59 – behaved quite differently. She sold tokens and used bridges to accumulate the coins on the Ethereum address. She sent coins to the Huobi exchange, known for lax money laundering controls, via detours, passing through an address associated with a semi-legal Russian exchange. She acted like a thief in the night.
But why is the hacker selling the ethers? What’s the point of having bitcoin tokens that may be frozen by providers like BitGo (WBTC)?
This question leads us to the last exciting detail of the hack.
Money laundering, with a difference
The sale of ethers against bitcoin continued over the following days. packet by packet. This had the effect of causing the price of ether to plummet against bitcoin, from around 0.073 to 0.069 BTC.
Then Web3 data analyst d0xScope presented an interesting find that explains a lot: an address that borrowed more than $10 million in USDC or Ether via DeFi platforms and deposited them on exchanges – again and again, and each time before the FTX Hacker sold ether.
We find a smart money (or dark money?) address that always borrows >$10M USDC/ETH and deposits it to exchange every time before FTX-drainer dumps ETH.
Chances are he knows the activity of FTX-drainer and benefits from it:
— 0xScope (@ScopeProtocol) November 22, 2022
This forms an interesting idea of how the hacker cashed out his loot: instead of getting the coins clean himself via mixers and other methods, he manipulates the markets to profit from them with another account unrelated to the hack, by betting on falling prices.
The logical consequence would be – or is already – that after dropping the ether he sells the bitcoins for ether again in order to make money from the reverse bet. And so on – until he flies up, probably sooner rather than later. His accounts are probably already known to the stock exchanges and blocked.