On Friday night, as the weary cryptocurrency world was ready to pack its bags after the busiest week on record in the industry, around 9:45 pm Eastern time news began to filter out that hundreds of millions of dollars were pouring out of FTX wallets.
“Hack or preferred stock?” tweeted foobar, a popular figure on Crypto Twitter, along with a screenshot showing the movements on the blockchain explorer Etherscan. “They seem to be moving everything.”
It quickly became clear that no one was going to have a quiet Friday night. Amateur investigators were quick to work out what was going on, pointing out that many of the transactions had been tagged with provocative messages such as “Rug Pull All” (a “rug pull” is a common crypto term for when insiders steal money).
About an hour later, leading chain investigator ZachXBT tweeted that former FTX employees confirmed they hadn’t acknowledged the transfers, totaling approximately $383 million.
Evidence pointed to outside work, a theory reinforced only 20 minutes later, when FTX US general counsel Ryne Miller tweeted that he was “investigating anomalies with portfolio movements related to the consolidation of FTX balances between exchanges.”
Things only got worse when the figure increased to over $600 million. Just before midnight, an administrator of the official FTX channel on Telegram sent a disturbing message.
“FTX has been hacked … Do not go to the FTX site as it may download trojans,” the message read, referring to a type of malware.
Users, already worried about the status of their money, which they were unable to withdraw, and now unable to access the app without risking downloading malware, panicked, with many blaming the hack on an inside job by FTX itself.
“This is the biggest attraction of the decade,” wrote a user named Mo Bamba.
One user told Fortune that since Monday they could no longer access or open the app, with the Safari browser showing them only a loading screen and then a Cloudflare error.
Later that evening, Miller of FTX US tweeted that following the companies’ Chapter 11 filing for bankruptcy, they had initiated precautionary measures to move all digital assets into cold storage, a process that had been accelerated as a result of unauthorized transactions.
The next day, he tweeted that FTX US and FTX were making every effort to protect assets and confirmed that unauthorized access to certain assets had occurred, attributing the statement to John Ray, who took over as CEO of FTX after Sam Bankman-Fried resigned.
Who is the hacker?
On Saturday, on Crypto Twitter, sentiment seemed to shift toward the view that the hacker was actually an FTX insider. Replying to a Twitter thread by a cybersecurity auditor laying out the evidence, the security chief of the Kraken exchange wrote, “This has been investigated,” before adding, “we know the identity of this account.”
Miller, FTX US’s general counsel, contacted Percoco to see if they could work together.
“We have actively monitored recent developments with the FTX estate, are in contact with law enforcement and have blocked access to the Kraken account to certain funds that we suspect are associated with fraud, negligence or misconduct … related to FTX,” a spokesperson for Kraken told Fortune.
As of Monday, many of the details remain uncertain, including the actual hack figure. Blockchain analytics firm Elliptic estimated the outflow at $663 million, though it said $477 million was suspected of having been stolen.
TRM Labs, another blockchain analytics company, calculated the figure at $338 million.
When contacted, a TRM Labs spokesperson declined to comment further, and an Elliptic spokesperson pointed to the blog post published on Saturday.
Most of the money is currently in a handful of wallets, with everyone from blockchain analytics firms to Kraken to FTX itself searching for the origin of the hack. With all eyes on the addresses and the infamous Tornado Cash mixing service incapacitated by US government sanctions, it seems only a matter of time before the culprit is found.