October 12, 2023 at 16:17 GMT (modified: October 12, 2023 at 16:17 GMT)

2022 FTX hackers move $120m worth of stolen funds behind SBF trial

An anonymous FTX hacker has moved as much as 72,500 $ETH from the assets that were stolen in 2022 from the exchange shortly after it declared bankruptcy.

As reported by analytics firm Elliptic today, 12 October, an anonymous FTX hacker has moved as much as 72,500 Ether ($ETH) from the assets that were stolen in 2022 from the exchange shortly after it declared bankruptcy.

The first movement was noted on 30 September, just a few days before the start of the highly anticipated trial of Sam Bankman-Fried. The thief converted $120 million worth of $ETH into Bitcoin through the multichain decentralised exchange (DEX) THORSwap, Elliptic reported. At that time, the converted amount was worth $87m, which is 18% of the total stolen funds of $477m.

Almost nine months after the hack, the thief deployed a similar laundering technique of converting the Ether to Bitcoin and then passing it through a mixer. Back in 2022, the hacker had transferred 65,000 $ETH ($100m) to $BTC using the cross-chain bridge RenBridge.

However, RenBridge was no longer an option this time as it had shut down in the wake of FTX’s collapse. The thief then turned to another cross-chain bridge: THORSwap.

On 6 October, THORSwap suspended its interface, citing “the potential movement of illicit funds through THORChain and, specifically, THORSwap”. However, this didn’t stop the hacker from using the underlying THORChain bridge through other means.

According to Elliptic, the thief’s previous choice of mixer was ChipMixer. However, in April 2023, it was seized in an international law enforcement operation. The platform was also accused of laundering $3bn from ransomware and other illicit sources. Following this, the FTX hacker shifted to Sinbad, another mixer launched in late 2022.

In an Elliptic research report that was published earlier this year, Sinbad was suggested to be a rebrand of Blender. The latter is a mixer that was sanctioned by the US Treasury Department following its use by North Korea’s Lazarus Group, which is known for multiple high-level crypto hacks.

While Sinbad has also been heavily used to launder the proceeds of the hacks pulled off by the Group, sanctions have not been applied to the mixer yet.

The latest report also revealed how the thief lost $94m in the days following the hack. This was because they rushed to launder the funds through decentralised exchanges, cross-chain bridges and mixers.

When it comes to the identity of the hacker, Elliptic suggested that it could be an FTX inside job. The lax security measures employed by FTX as disclosed by a former Alameda worker added weight to these claims, making it relatively simple for an external actor to steal the assets.

“Some FTX employees would have had access to the business’s crypto assets in order to move them for operational reasons. In the chaos surrounding the company’s bankruptcy and collapse, it may have been possible for an internal actor to take these assets.”

The report also ruled out Sam Bankman-Fried as the culprit because of his currently limited internet access. When $15 million of the stolen crypto was moved at 3:41 pm EST on 4 October 2023, the former FTX CEO was reportedly in court, without internet access.

The other two potential suspects suggested in the report were North Korea’s Lazarus Group (because of the use of the Sinbad mixer) and Russia-linked criminal groups, which were tagged as a stronger possibility: “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia.”