FTX Was Hacked. Or Not?
Earlier it was reported that the entire collapse of FTX could have been the result of hacking. But, is it true? Let's figure it out.
What is happening with FTX now is one of the largest collapses in the history of the crypto industry. We recently wrote about the FTX bankruptcy process, how Binance and Alameda are connected with FTX, the role of Tron in the collapse of FTX and how the collapse of FTX affected stablecoins. Today we will discuss an equally important event in this whole pile of news: the FTX hack.
A popular figure in the crypto industry, Twitter user foobar, suggested that FTX had been hacked after noticing strange transfers from FTX wallets. Foobar tweeted about this on November 12, and that tweet started a long thread dedicated to the FTX hack.
Hundreds of millions of dollars are now flowing out of FTX wallets, some speculate liquidators but it's late on a friday night, not typical times for such rapid heavy movements. Some withdrawals are being swapped from Tether to DAI. Hack or insider actions? $26 million here pic.twitter.com/8wWlaE7na9
— foobar (@0xfoobar) November 12, 2022
After the funds left FTX wallets, strange swaps began to occur. As foobar noted, “this is super sketchy, no liquidator would be taking actions like this.”
After swapping USDT for DAI (more censorship-resistant?), they just swapped $44 million of stETH for ETH, eating huge slippage. This is super sketchy, no liquidator would be taking actions like this pic.twitter.com/QRjKEN4g9T
— foobar (@0xfoobar) November 12, 2022
Then someone left a message in the blockchain, which can be interpreted as the phrase “Rug Pull All”.
somebody sent an onchain message to the recipient account with 4byte selector `0x3d24a1ff`, which is the hash of function name "Rug Pull All"
— foobar (@0xfoobar) November 12, 2022
great stuff pic.twitter.com/3w3rOaRTAJ
This was followed by several more strange transfers between different wallets, including on Ethereum and Solana.
Thousands of Wormhole ETH is getting bridged from Solana into the Ethereum wallet now pic.twitter.com/01KpKVAUGr
— foobar (@0xfoobar) November 12, 2022
After these strange transactions, more strange things started happening with the FTX applications: they received updates. Foobar suggested that these were malware updates intended to obtain the private keys of FTX users' wallets. A little later, a message appeared in the main FTX chat on Telegram saying that FTX had been hacked and that all funds were gone. The message also said that all FTX applications are malware.
FTX just pinned this message in their main telegram chat pic.twitter.com/8uCl4wJtvT
— foobar (@0xfoobar) November 12, 2022
At the same time, Ryne Miller, General Counsel at FTX US, tweeted that what was happening was not a hack but an attempt to save FTX funds.
Following the Chapter 11 bankruptcy filings - FTX US and FTX [dot] com initiated precautionary steps to move all digital assets to cold storage. Process was expedited this evening - to mitigate damage upon observing unauthorized transactions.
— Ryne Miller (@_Ryne_Miller) November 12, 2022
However, a couple of hours earlier, Ryne Miller had said that he did not know what was going on.
Investigating abnormalities with wallet movements related to consolidation of ftx balances across exchanges - unclear facts as other movements not clear. Will share more info as soon as we have it. @FTX_Official
— Ryne Miller (@_Ryne_Miller) November 12, 2022
Ryne Miller’s weird behaviour was also noticed by foobar, who suggested that Ryne Miller had noticed the thefts and tried to save some of the funds.
My best interpretation is that FTX counsel noticed the blackhat thefts getting dumped to ETH and DAI onchain, then took whitehat actions to save the remainder of funds. Estimates from @zachxbt have the blackhat theft at ~450m and whitehat rescue (multisig) at ~200m so far
— foobar (@0xfoobar) November 12, 2022
Later, Ryne Miller did confirm “unauthorized access to certain assets”.
2/ Among other things, we are in the process of removing trading and withdrawal functionality and moving as many digital assets as can be identified to a new cold wallet custodian. As widely reported, unauthorized access to certain assets has occurred.
— Ryne Miller (@_Ryne_Miller) November 12, 2022
In addition to the strange transactions and malware apps, Reuters reported that Sam Bankman-Fried had manipulated accounting data.
“In a subsequent examination, FTX legal and finance teams also learned that Bankman-Fried implemented what the two people described as a "backdoor" in FTX's book-keeping system, which was built using bespoke software. They said the "backdoor" allowed Bankman-Fried to execute commands that could alter the company's financial records without alerting other people, including external auditors. This set-up meant that the movement of the $10 billion in funds to Alameda did not trigger internal compliance or accounting red flags at FTX, they said.”
On the evening of November 12, the Founder & CEO of IBCgroup, Mario Nawfal, referring to the Co-Founder & CEO of Hacken, Dyma Budorin, reported that the hacker was most likely an insider, and Kraken was also used during the hack. The Chief Security Officer at Kraken, Nick Percoco, responded to this tweet. He said that they know who this user is.
We know the identity of the user.
— Nick Percoco (@c7five) November 12, 2022
What do we have as a result? The strange transactions that foobar noticed looked like a hacker attack. However, what are the chances that external hackers attacked the wallets at the same time as FTX staff were working on consolidating the balances, as Ryne Miller wrote? Our take is that the chances are low, yet we will continue to observe this developing story.