Russian Attackers May Have Been Behind Hack of Sam Bankman-Fried’s FTX, Elliptic Says
Research firm Elliptic said some of the stolen funds appear to be linked to Russian cybercriminal groups, citing on-chain analysis.
Part of the estimated $400 million stolen last November from the now-shuttered FTX crypto exchange may have links to Russia-based cybercriminal groups, research from analysis firm Elliptic shared with CoinDesk shows.
The funds, mostly in ether (ETH), lay dormant for five days before a tranche of 65,000 ETH ($100 million) was transferred to the Bitcoin blockchain using the RenBridge service. The attackers then used a mixer, a blockchain-based tool that masks addresses.
“Of the 4,536 Bitcoins converted from ether at RenBridge, 2,849 BTC was sent through mixers, predominantly a service called ChipMixer,” Elliptic said. “Tracing these assets becomes more challenging, however at least $4 million was transferred to exchanges, where it may have been cashed out.”
ChipMixer was subsequently shut down and seized in an international law-enforcement operation, after which the attackers switched to Sinbad for the mixing service.
The identity of the attackers remains unknown, but wallet data and analysis of fund movements may help shed light on who could have been behind the attack.
Who hacked FTX?
Elliptic said suspects range from rogue employees at FTX to North Korean hacker group Lazarus, which is alleged to have exploited several crypto protocols. On-chain signs, however, point to Russian groups, it said.
“A Russia-linked actor seems a stronger possibility,” according to the firm. “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges.”
“This points to the involvement of a broker or other intermediary with a nexus in Russia,” it said.
Accounts tied to FTX and FTX US were drained on Nov. 11, 2022, mere hours after the company filed for bankruptcy and founder Sam Bankman-Fried resigned from the crypto empire he ran.
Weeks after stepping down from his role at FTX, Bankman-Fried was charged last year by federal prosecutors with two counts of wire fraud and five counts of conspiracy to commit various forms of fraud.
John J. Ray III, the CEO and Chief Restructuring Officer of the FTX Debtors, which handles the FTX bankruptcy proceedings, later said that $323 million in various tokens was stolen from its international exchange and $90 million from its U.S. platform.
Stolen assets that were previously untouched started moving a few days before the start of Bankman-Fried's trial, and have since been on the move. Earlier this month, over 15,000 ether, worth nearly $25 million, was swapped for other tokens using the privacy wallet Railgun and THORChain exchange.
Shaurya Malwa
Shaurya is the Co-Leader of the CoinDesk tokens and data team in Asia with a focus on crypto derivatives, DeFi, market microstructure, and protocol analysis. Shaurya holds over $1,000 in BTC, ETH, SOL, AVAX, SUSHI, CRV, NEAR, YFI, YFII, SHIB, DOGE, USDT, USDC, BNB, MANA, MLN, LINK, XMR, ALGO, VET, CAKE, AAVE, COMP, ROOK, TRX, SNX, RUNE, FTM, ZIL, KSM, ENJ, CKB, JOE, GHST, PERP, BTRFLY, OHM, BANANA, ROME, BURGER, SPIRIT, and ORCA. He provides over $1,000 to liquidity pools on Compound, Curve, SushiSwap, PancakeSwap, BurgerSwap, Orca, AnySwap, SpiritSwap, Rook Protocol, Yearn Finance, Synthetix, Harvest, Redacted Cartel, OlympusDAO, Rome, Trader Joe, and SUN.