- In November 2022, an unidentified hacker stole $477 million from FTX, just as the exchange collapsed into bankruptcy.
- The thief lost $94 million in the days after the hack as they rushed to launder the funds through decentralized exchanges (DEXs), cross-chain bridges and mixers.
- $74 million was sent through RenBridge, a service owned by FTX sister company Alameda Research.
- Much of the stolen funds remained dormant until a few days before the Bankman-Fried trial began, and have continued to be moved ever since.
- Some of the stolen funds have been combined with bitcoins that are being laundered by criminal groups linked to Russia.
On November 11, 2022, Bahamas-based cryptocurrency exchange FTX filed for bankruptcy, and its CEO Sam Bankman-Fried was later arrested and charged with embezzling billions of dollars in client funds.
Later that day, amid the chaos of the business’s collapse, cryptoassets controlled by the exchange—worth hundreds of millions of dollars—were stolen. The identity of the thief remains a mystery, even as stolen property continues to be moved and laundered for all to see on the blockchain.
The thief first struck at 21:22 on the evening of November 11, moving 9,500 ETH (then worth $15.5 million) from a wallet belonging to FTX to a new wallet. Over the next few hours, hundreds of other cryptoassets were taken from the exchange’s wallets, in transactions totalling $477 million.1
The thief could have stolen more if not for the quick response of FTX staff and bankruptcy counsel, who were able to secure over $300 million in assets before the thief could gain access.
Following blockchain money
The thief immediately got to work laundering the funds and making sure the authorities couldn’t confiscate them. Of the stolen cryptoassets, $434 million were stablecoins and other tokens, many of which can be frozen by their issuers when they are believed to have been stolen. That is exactly what happened: for example, the stablecoin issuer Tether was able to freeze $31.5 million of stolen USDT within hours of the hack.
To prevent further seizures, the thief began exchanging the stolen tokens for “native assets” such as the cryptocurrency Ether. Each blockchain has a native asset that is not issued by any central party and therefore cannot be frozen by the issuer.
If a thief tries to exchange stolen cryptoassets on a centralized exchange like Coinbase, their funds are likely to be seized as well – so they usually turn to decentralized exchanges (DEXs) instead. On a DEX there is no compliance department to flag and freeze the funds, so a thief is free to exchange the stolen tokens for native assets.
In the case of the FTX theft, the hacker used DEXs including Uniswap and PancakeSwap to exchange hundreds of millions of dollars worth of tokens immediately after the theft.
Cross-chain laundering
Now that these stolen assets were protected from seizure, the thief proceeded to move them to different blockchains. This helps break the blockchain trail, making it harder to trace funds, as well as providing access to services on blockchains that facilitate further laundering.
Again, this could also be done using a centralized exchange, but the thief would risk having the funds confiscated. Instead, decentralized services known as cross-chain bridges are typically used to move funds from one blockchain to another – and that’s what the thief proceeded to do.
First, stolen assets on the Binance Smart Chain and Solana blockchains were transferred to the thief’s Ethereum account and combined with the other stolen assets, using the Multichain and Wormhole cross-chain bridges.
By this point, three days had passed since the hack began, and the thief had accumulated 245,000 ETH in one Ethereum account, worth around $306 million at the time. The haul had already been significantly reduced by the costs of exchanging funds and the seizure of some of the stolen tokens by their issuers.
The ETH lay dormant for five days; then, on November 20, 65,000 ETH were transferred to the Bitcoin blockchain using the RenBridge cross-chain bridge. Elliptic research previously revealed that RenBridge had been used to launder over half a billion dollars in illicit assets. Remarkably, the company behind RenBridge was owned by Alameda Research – so funds stolen from FTX were laundered through a service actually owned by its sister company.
Mixing
Why go to the trouble and expense of converting Ether to Bitcoin? Hack proceeds are often transferred to Bitcoin due to the availability of mixers, services that help cover the blockchain trail by mixing your cryptocurrency with that owned by other people.
And that’s exactly what the thief went on to do – of the 4,536 bitcoins converted from ether via RenBridge, 2,849 BTC were sent through mixers, mostly a service called ChipMixer. Tracing these assets becomes increasingly challenging from this point, but at least $4 million has been traced to exchanges, where it may have been cashed out.
It was now December 12, 2022 – a month since the theft had begun.
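To make the laundering flow described above concrete from the investigator's side, here is an added example that is not Elliptic's code or tooling and uses no real FTX data. It traces stolen value through the same chain of steps: an issuer freeze, a DEX swap into a native asset, a cross-chain bridge, and finally a mixer deposit and an exchange deposit. It applies the proportional ("haircut") taint method, in which each hop carries taint in proportion to the tainted share of the sending address's balance, so a clean inflow dilutes the taint rather than erasing it. The ledger, the address labels (`victim`, `frozen`, `mixer`, `exchange`), the service names and every amount are constructed for illustration; in real tooling the two legs of a swap or bridge hop have to be attributed first, which the `Hop` records here assume has already been done.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One movement of value, in USD terms at the time of the hop. For a swap or a
    bridge transfer, src and dst are the thief-side addresses and the DEX or
    bridge that sat in between is recorded as metadata in `service`."""
    tx: str
    src: str
    dst: str
    kind: str            # "transfer", "swap" or "bridge"
    amount_in: float     # value leaving src
    amount_out: float    # value arriving at dst, after fees and slippage
    service: str = ""    # DEX or bridge used, if any (constructed names)


# Constructed address labels, of the kind an analytics team maintains (not real data)
LABELS = {
    "victim_hot": "victim",         # the exchange's hot wallet being drained
    "issuer_blacklist": "frozen",   # balance frozen by the stablecoin issuer
    "mixer_dep": "mixer",           # mixer deposit address: the on-chain trail ends here
    "cex_dep": "exchange",          # centralised exchange deposit: possible cash-out point
}
TERMINAL = {"frozen", "mixer", "exchange"}

# Constructed ledger in confirmation order, mirroring the pattern in the article:
# theft -> issuer freeze -> DEX swap to native asset -> bridge -> mixer / exchange
HOPS = [
    Hop("t1", "victim_hot", "thief_a", "transfer", 100.0, 100.0),           # stolen stablecoins
    Hop("t2", "victim_hot", "thief_a", "transfer", 200.0, 200.0),           # stolen native asset
    Hop("t3", "thief_a", "issuer_blacklist", "transfer", 30.0, 30.0),       # seized by issuer
    Hop("t4", "thief_a", "thief_a", "swap", 70.0, 67.0, "DEX-1"),           # stablecoin -> native
    Hop("t5", "thief_a", "thief_btc", "bridge", 267.0, 260.0, "Bridge-1"),  # move to another chain
    Hop("t6", "unrelated_user", "thief_btc", "transfer", 65.0, 65.0),       # clean inflow dilutes taint
    Hop("t7", "thief_btc", "mixer_dep", "transfer", 250.0, 250.0),
    Hop("t8", "thief_btc", "cex_dep", "transfer", 25.0, 25.0),
]


def trace(hops, labels):
    """Proportional ("haircut") taint tracing over hops in ledger order.

    Every outflow from a 'victim' address is fully tainted. Any other address
    passes taint on in proportion to the tainted share of its balance. Taint
    stops at the terminal labels. Returns rounded USD totals per outcome, the
    tainted value still held per address, and the tainted value that crossed
    each service."""
    balance = defaultdict(float)
    tainted = defaultdict(float)
    buckets = defaultdict(float)       # frozen / mixer / exchange / fees
    via_service = defaultdict(float)

    for h in hops:
        if labels.get(h.src) == "victim":
            share = 1.0                # everything leaving the victim is stolen
        elif balance[h.src] > 0:
            share = tainted[h.src] / balance[h.src]
            balance[h.src] -= h.amount_in
            tainted[h.src] -= h.amount_in * share
        else:
            share = 0.0                # funds from an address never seen funded: treat as clean
        moved = h.amount_in * share
        # Value lost to swap/bridge fees and slippage is never recovered by anyone
        buckets["fees"] += (h.amount_in - h.amount_out) * share
        if h.service:
            via_service[h.service] += moved
        dst_label = labels.get(h.dst)
        if dst_label in TERMINAL:
            buckets[dst_label] += h.amount_out * share
        else:
            balance[h.dst] += h.amount_out
            tainted[h.dst] += h.amount_out * share

    return {
        "frozen": round(buckets["frozen"], 2),
        "fees": round(buckets["fees"], 2),
        "mixer": round(buckets["mixer"], 2),
        "exchange": round(buckets["exchange"], 2),
        "held": {a: round(t, 2) for a, t in tainted.items() if t > 1e-9},
        "via_service": {s: round(v, 2) for s, v in via_service.items() if v > 1e-9},
    }


if __name__ == "__main__":
    report = trace(HOPS, LABELS)
    for key, value in report.items():
        print(f"{key:12} {value}")
    print("lost to seizure and fees:", report["frozen"] + report["fees"])
```

On the constructed ledger the tracer reports $30 frozen by the issuer, $10 lost to swap and bridge costs, $200 of tainted value entering the mixer (where attribution stops, which is why the amounts after ChipMixer are so much harder to follow), $20 reaching an exchange deposit, and $40 still held. The "lost to seizure and fees" figure is the same kind of number as the $94 million the article attributes to issuer freezes and rapid swapping.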
A nine-month break
The 180,000 ETH not converted to bitcoin via RenBridge remained dormant until the early hours of September 30, 2023 – by which time it was worth $300 million.
The same laundering technique – converting ether into bitcoin and then running it through a mixer – continued to be used, but much has changed in the crypto ecosystem in the past nine months.
RenBridge shut down after the collapse of FTX, so the thief turned instead to another cross-chain bridge: THORSwap. Some 72,500 ETH (now worth $120 million) of the stolen funds was converted to bitcoin in this way. THORSwap suspended its interface on October 6, citing “the potential movement of illegal funds through THORChain and, in particular, THORSwap”. However, the thief continued to use the THORChain bridge in other ways.
Most of this bitcoin was then sent through a mixer. In April 2023, ChipMixer – previously the thief’s mixer of choice – was seized in an international law enforcement operation, with the platform accused of laundering $3 billion from ransomware and other illicit sources. Instead, the thief started using Sinbad, another mixer that launched in late 2022.
Elliptic research suggests that Sinbad is a rebrand of Blender, a mixer sanctioned by the US Treasury Department for its use by North Korea’s Lazarus Group. Sinbad was also heavily used to launder the proceeds of hacks committed by Lazarus, although despite this, no sanctions have been applied to Sinbad.
Who is behind the FTX theft?
Almost a year after the theft of $477 million in cryptoassets from FTX, the identity of the thief remains unknown.
One possibility is an inside job. Some FTX employees would have access to the company’s cryptoassets in order to move them for operational reasons. In the chaos surrounding the company’s bankruptcy and collapse, it may have been possible for an internal actor to take over these assets.
One of the suspects could be Sam Bankman-Fried himself, although his limited internet access would hamper any money laundering attempt. At 15:41 EST on October 4, 2023, $15 million of the stolen cryptocurrency was moved – at which time Bankman-Fried was reportedly in court, without internet access.
The lax security measures used by FTX may also have made it relatively easy for an outside actor to steal assets. The new CEO of FTX discovered that the private keys granting access to the company’s cryptoassets were stored in unencrypted form, and a former employee revealed that over $150 million had been stolen from Alameda Research due to poor security.
The use of the Sinbad mixer could indicate the involvement of North Korea’s Lazarus Group, the perpetrators of some of the biggest cryptocurrency thefts. However, the specific methods used to launder the stolen funds are different from, and less sophisticated than, those typically used by Lazarus.
A Russia-linked actor seems more likely. Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with the assets of Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges.2 This suggests the involvement of a broker or other intermediary with a nexus in Russia.
Whoever is behind the hack, the stolen assets are still being moved and laundered through the blockchain. Various cross-asset and cross-chain laundering techniques have been used to avoid seizure and to obscure the money trail. Despite this, the thief lost about $94 million in the first few days after the hack – through seizure by token issuers and the cost of rapid swaps between different assets and blockchains.
Notably, much of the stolen funds remained dormant for several months, until just before the Bankman-Fried trial began in New York. Cryptocurrency launderers have been known to wait years to move and cash out after the public’s attention has dissipated – but in this case, they started moving just as the world’s attention turned back to FTX and the events of November 2022.
Learn more about cross-chain crime
Crypto laundering is constantly evolving. Our brand new State of Cross-chain Crime report – itself an update of our inaugural 2022 publication – features case studies of the latest cross-chain typologies and trends that law enforcement and compliance teams need to be aware of.
It also contains a comprehensive guide to using Elliptic’s holistic blockchain analytics tools to discover and investigate cross-chain cases.
1 FTX administrators reported total losses due to “unauthorized third-party transfers” of $413 million – the difference is likely due to the subsequent seizure and return of some of the stolen assets. The hacker even appears to have sent $53 million in one crypto asset back to FTX – presumably to redeem the token for its underlying assets.
2 Kudos to Blake Cohen of the OKX investigative team for identifying this connection.