The $477 million FTX hack: a new blockchain trail (2024)

  • In November 2022, $477 million was stolen from FTX by an unidentified hacker, just as the exchange collapsed into bankruptcy.
  • The thief lost $94 million in the days following the hack as they rushed to launder the funds through decentralized exchanges (DEXs), cross-chain bridges and mixers.
  • $74 million was sent through RenBridge, a service owned by FTX sister company Alameda Research.
  • Many of the stolen assets remained dormant until a few days before the start of the Bankman-Fried trial, and have continued to be moved since then.
  • Some of the stolen assets have been combined with Bitcoins being laundered by Russia-linked criminal groups.

On November 11th 2022, the Bahamas-based cryptocurrency exchange FTX filed for bankruptcy, and its CEO Sam Bankman-Fried was subsequently arrested and charged with embezzling billions of dollars of customer funds.

Later that same day, amidst the chaos of the business’s collapse, cryptoassets controlled by the exchange – worth hundreds of millions of dollars – were stolen. The identity of the thief remains a mystery, even as the stolen assets continue to be moved and laundered for all to see on the blockchain.

The thief first struck at 9:22pm on the evening of November 11th, moving 9,500 ETH (then worth $15.5 million) from a wallet belonging to FTX, to a new wallet. Over the next few hours, hundreds of other cryptoassets were taken from the exchange’s wallets, in transactions eventually totalling $477 million.[1]

The thief could have stolen even more, were it not for the quick response of the FTX staff and bankruptcy advisors, who managed to secure over $300 million in assets before the thief could access them.

Following the blockchain money trail

The thief immediately set to work laundering the funds, and ensuring that they could not be seized by the authorities. Of the stolen cryptoassets, $434 million were stablecoins and other tokens, many of which can be frozen by their issuers in circumstances where they are believed to have been stolen. In fact, exactly this happened; for example, stablecoin issuer Tether was able to freeze $31.5 million of stolen USDT in the hours after the hack.

To prevent further seizures, the thief began to swap the stolen tokens for “native assets” such as the Ether cryptocurrency. Every blockchain has a native asset that is not issued by any central party, and which therefore cannot be frozen by an issuer.

If a thief tries to swap stolen cryptoassets at a centralized exchange such as Coinbase, they are also likely to have their funds seized – so instead, they typically turn to decentralized exchanges (DEXs). A thief is free to swap stolen tokens for native assets on DEXs, without having their funds flagged and frozen by a compliance department.

In the case of the FTX theft, the hacker used DEXs including Uniswap and PancakeSwap to exchange hundreds of millions of dollars worth of tokens immediately following the theft.

Cross-chain laundering

Now that these stolen assets were safe from seizure, the thief proceeded to move them to different blockchains. This helps to break the blockchain trail, making it more difficult to trace funds, as well as providing access to services on blockchains that facilitate further laundering.

Again, this could be done using a centralized exchange, but a thief risks having the assets seized. Instead, decentralized services known as cross-chain bridges are typically used to move funds from one blockchain to another – and this is what the thief proceeded to do.

First, stolen assets on the Binance Smart Chain and Solana blockchains were transferred to the thief’s Ethereum account and combined with the other stolen assets, using the cross-chain bridges Multichain and Wormhole.

By now, three days had passed since the hack began, and the thief had accumulated 245,000 ETH in a single Ethereum account, now worth some $306 million. The thief’s haul had been significantly reduced by this point, due to the costs of exchanging assets and the seizure of some of the stolen tokens by their issuers.

The ETH lay dormant for five days, and then on November 20th, 65,000 ETH was transferred to the Bitcoin blockchain using the RenBridge cross-chain bridge. Elliptic research has previously revealed that RenBridge has been used to launder over half a billion dollars in illicit assets. Incredibly, the company behind RenBridge was owned by Alameda Research – so funds stolen from FTX were being laundered through a service effectively owned by its sister company.

Mixing

Why go to the trouble and expense of converting the Ether to Bitcoin? Proceeds of hacks are often transferred to Bitcoin because of the availability of mixers, services that help to mask the blockchain trail by mixing your cryptocurrency with that owned by other people.

And this is exactly what the thief proceeded to do – of the 4,536 Bitcoins converted from Ether at RenBridge, 2,849 BTC was sent through mixers, predominantly a service called ChipMixer. Tracing these assets becomes more challenging; however, at least $4 million was transferred to exchanges, where it may have been cashed out.

It was now December 12th 2022 – one month since the theft began.

A screenshot from Elliptic Investigator, showing the stolen assets being converted to ETH through decentralized exchanges, then being bridged to Bitcoin and sent through ChipMixer.

A nine-month pause

The 180,000 ETH that was not converted to Bitcoin through RenBridge remained dormant until the early hours of September 30th 2023 – by which time it was worth $300 million.

The same laundering technique – converting the Ether to Bitcoin and then passing it through a mixer – continued to be employed, but a lot had changed in the crypto ecosystem over the intervening nine months.

RenBridge had shut down in the wake of FTX’s collapse, and so the thief turned instead to another cross-chain bridge: THORSwap. Some 72,500 ETH (now worth $120 million) in stolen assets were converted to Bitcoin in this way. THORSwap suspended its interface on October 6th, citing “the potential movement of illicit funds through THORChain and, specifically, THORSwap”. However, the thief continued to use the underlying THORChain bridge through other means.

Much of this Bitcoin was then sent through a mixer. In April 2023, ChipMixer – the thief’s previous mixer of choice – was seized in an international law enforcement operation, with the platform being accused of laundering $3 billion from ransomware and other illicit sources. Instead, the thief began to use Sinbad, another mixer that was launched in late 2022.

Elliptic research suggests that Sinbad is a rebrand of Blender, a mixer that was sanctioned by the US Treasury Department due to its use by North Korea’s Lazarus Group. Sinbad has also been heavily used to launder the proceeds of the hacks that Lazarus has perpetrated; despite this, sanctions have not been applied to Sinbad.

Who was behind the FTX theft?

Nearly a year after the $477 million theft of cryptoassets from FTX, the identity of the thief remains unknown.

One possibility is an inside job. Some FTX employees would have had access to the business’s cryptoassets in order to move them for operational reasons. In the chaos surrounding the company’s bankruptcy and collapse, it may have been possible for an internal actor to take these assets.

One suspect may be Sam Bankman-Fried himself, although his limited access to the internet would hamper any laundering efforts. At 3:41pm EST on October 4th 2023, $15 million of the stolen crypto was moved – at which time Bankman-Fried was reportedly in court, without internet access.

The lax security measures employed by FTX may have also made it relatively simple for an external actor to steal the assets. The new CEO of FTX revealed that private keys allowing access to the firm’s cryptoassets were stored in unencrypted form, and a former employee disclosed that over $150 million was stolen from Alameda Research, due to poor security.

The use of the Sinbad mixer might indicate the involvement of North Korea’s Lazarus Group, perpetrator of some of the largest crypto thefts. However, the specific methods used to launder the stolen assets are distinct and unsophisticated compared to those typically used by Lazarus.

A Russia-linked actor seems a stronger possibility. Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges.[2] This points to the involvement of a broker or other intermediary with a nexus in Russia.

Whoever was behind the hack, the stolen assets continue to be moved and laundered through the blockchain. Various cross-asset and cross-chain laundering techniques have been used to avoid seizure of these assets, and to attempt to conceal the money trail. Despite this, the thief lost approximately $94 million during the first few days following the hack – due to seizures by token issuers, and the costs of quickly swapping between different assets and blockchains.

Daily number of transactions involving the stolen assets (before being deposited into mixers). The initial laundering took place between the day of the hack (12 Nov 2022) and mid-December 2022. The assets then lay dormant until the end of September 2023. The red line indicates the start date of the Bankman-Fried trial.

It is notable that many of the stolen funds remained dormant for several months, until just before the start of Bankman-Fried’s trial in New York. Crypto launderers have been known to wait for years to move and cash out assets once public attention has dissipated – but in this case they have begun to move just as the world’s attention is once again directed towards FTX and the events of November 2022.
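
The two patterns this article describes, a long dormancy followed by renewed movement and a bridge hop followed by a mixer deposit on the destination chain, can be written as monitoring rules. The following is an added example, not Elliptic's code or tooling; the `Hop` record, the thresholds and the sample trail are assumptions, and the trail is a constructed, simplified version of the article's timeline.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Service categories, limited to services the article names. In practice this
# attribution would come from a blockchain-analytics dataset (assumption).
KIND = {"Uniswap": "dex", "PancakeSwap": "dex", "Multichain": "bridge",
        "Wormhole": "bridge", "RenBridge": "bridge", "THORChain": "bridge",
        "ChipMixer": "mixer", "Sinbad": "mixer"}

@dataclass(frozen=True)
class Hop:
    day: date
    chain: str      # chain the funds sit on after the hop
    service: str    # attributed counterparty service

# Constructed sample data: dates approximate the article's timeline and
# every row is illustrative, not an actual traced transaction.
TRAIL = [
    Hop(date(2022, 11, 12), "ethereum", "Uniswap"),
    Hop(date(2022, 11, 12), "bsc", "PancakeSwap"),
    Hop(date(2022, 11, 13), "ethereum", "Multichain"),
    Hop(date(2022, 11, 13), "ethereum", "Wormhole"),
    Hop(date(2022, 11, 20), "bitcoin", "RenBridge"),
    Hop(date(2022, 12, 12), "bitcoin", "ChipMixer"),
    Hop(date(2023, 9, 30), "bitcoin", "THORChain"),
    Hop(date(2023, 10, 4), "bitcoin", "Sinbad"),
]

def reactivations(trail, min_gap=timedelta(days=90)):
    """Return (last_active, resumed) pairs where activity restarts after a long pause."""
    days = sorted({h.day for h in trail})
    return [(a, b) for a, b in zip(days, days[1:]) if b - a >= min_gap]

def bridge_then_mixer(trail, window=timedelta(days=30)):
    """Flag a bridge hop followed by a mixer deposit on the same destination chain."""
    ordered = sorted(trail, key=lambda h: h.day)
    hits = []
    for i, b in enumerate(ordered):
        if KIND.get(b.service) != "bridge":
            continue
        for m in ordered[i + 1:]:
            if m.day - b.day > window:
                break  # later hops are outside the correlation window
            if KIND.get(m.service) == "mixer" and m.chain == b.chain:
                hits.append((b.service, m.service, (m.day - b.day).days))
                break
    return hits

def typology(trail):
    """Collapse the trail into its ordered sequence of service categories."""
    seq = []
    for h in sorted(trail, key=lambda h: h.day):
        kind = KIND.get(h.service, "unattributed")
        if not seq or seq[-1] != kind:
            seq.append(kind)
    return seq
```

On the sample trail, `reactivations` returns the single pause between the December 2022 mixer deposits and the late-September 2023 activity, and `bridge_then_mixer` pairs each Bitcoin-bound bridge hop with the mixer that followed it.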


[1] The FTX administrators have reported overall losses due to “unauthorized third-party transfers” of $413 million - the discrepancy is likely due to subsequent seizure and return of some of the stolen assets. The hacker even appears to have sent $53 million in one cryptoasset back to FTX - presumably to redeem the token for its underlying asset.

[2] Credit to Blake Cohen from the OKX investigations team for identifying this link.



Article information

Author: Arline Emard IV
