Exchanges warned to be on alert for frantic attempts to dump stolen FTX ETH

The hunt continues for significant numbers of ETH tokens that suddenly went missing from wallets belonging to bankrupt exchange FTX earlier this month. Blockchain forensics firm Chainalysis confirmed that, while some transfers were legitimate, others were stolen and “on the move.” It alerted exchanges to be ready to freeze accounts if they received any of the funds.

We noted on November 12 that potentially “hundreds of millions of dollars” began leaving FTX wallets just before the weekend. Observers were initially unclear whether those funds were being stolen (or by whom) or being seized by regulators in the Bahamas, where FTX is headquartered.

The answer appears to be a combination of both official and unapproved withdrawals. The Securities Commission of the Bahamas confirmed in a statement on November 18 that it had directed “the transfer of all digital assets of FTX Digital Markets Ltd. (FDM) to a digital wallet controlled by the Commission, for safekeeping.”

“Urgent interim regulatory action was necessary to protect the interests of clients and creditors of FDM.”

It also added that “It is not the understanding of the Commission that FDM is a party to the U.S. Chapter 11 Bankruptcy proceedings.” An earlier statement said it did not aim to prioritize Bahamian users over those in other countries.

In a short tweet thread posted on Monday, Chainalysis described missing FTX funds as “stolen.” While it noted that some funds had gone to the Bahamian regulator’s wallets, these transfers only accounted for a portion of the missing funds.

The company said that ETH tokens drained from FTX’s wallets were “bridged” to BTC using the Ren Protocol. Ren is a DeFi protocol that lets users send funds on one blockchain to a locked contract, which then issues a surrogate token denominated in another blockchain’s native unit (in this case, renBTC); that token can later be redeemed for the actual funds on the other chain. Chainalysis said the resulting BTC would likely be sent to mixers, where it would be harder to track.

Some responders expressed skepticism at Chainalysis’ statements, noting the company had an existing business relationship with FTX and wondering why it had not noticed any shenanigans at FTX while they were happening.

As with other similar exchange “hacks” in the past, there have been several claims that FTX employees or insiders could be responsible for the hastily-removed funds. One such claim was that CEO Sam Bankman-Fried may have had a “back door” to the system that allowed him to move funds between the operation’s various entities without triggering regulatory flags. At the time of writing, however, it remains unclear who initiated the large ETH transfers.

The Ren protocol and blockchain bridging

Ren itself was acquired by Alameda in February 2021 in a deal it described as funding for its development team. It distanced itself from that company’s bad press a few days ago with a post titled “Moving on from Alameda,” where it said its upcoming Ren 2.0 protocol would launch in late 2022 or early 2023 and would be “an open-source and community-run version of the Ren network.” In online discussions, Ren developers described their role more as “outsourcers” to Alameda, with a deal that allowed them to now open-source the Ren 1.0 protocol version and break completely with Alameda for the 2.0 release.

While the Ren network would be able to bridge some of the stolen ETH, its liquidity pools were unlikely to be deep enough to swap the entire stolen amount—potentially over $280 worth. Ren developers also said they would disable new renBTC mints soon, meaning whoever had the ETH would likely be trying to offload it as quickly as possible. Under Ethereum’s new proof-of-stake protocol, a majority of validators have signaled willingness to blacklist addresses identified as holding sanctioned or stolen funds.

While market prices for most digital assets have dipped sharply over the past week, ETH has dropped further than most. Some have speculated this could be due to the “attacker” attempting to liquidate the missing ETH as quickly as possible.

Kraken had stated a week ago that it had “a handful of accounts owned by the bankrupt FTX Group, Alameda Resources, and their executives,” which the exchange had frozen and spoken about to law enforcement.

Chainalysis wrote a blog post in August warning that cross-chain bridging protocols presented new security vulnerabilities that made them attractive targets for hackers. Many feature central storage points for funds that back their “bridged” assets on receiving blockchains, it said, adding that “effective bridge design is still an unresolved technical challenge.”
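To make the lock-and-mint mechanism described above, and the “central storage point” risk Chainalysis refers to, concrete, here is a toy bridge model added for this article (it is not Ren’s code and not from CoinGeek). The `LockMintBridge` class, its methods and all amounts are hypothetical; it shows the one invariant any such bridge must keep (surrogate supply never exceeds locked reserves), a freeze list of the kind exchanges and validators are being asked to honour, and how a loss from custody breaks the backing.

```python
from dataclasses import dataclass, field


class BridgeError(Exception):
    """Raised when a bridge operation violates a rule."""


@dataclass
class LockMintBridge:
    """Hypothetical lock-and-mint bridge model (not Ren's implementation).

    `reserves` is the origin-chain custody contract: the single pool of
    real funds that backs every surrogate token in circulation.
    `supply` maps destination-chain holders to their surrogate balances.
    Amounts are integers in the smallest unit (e.g. satoshi) to avoid float drift.
    """
    reserves: int = 0
    supply: dict = field(default_factory=dict)
    frozen: set = field(default_factory=set)

    def _check_not_frozen(self, addr: str) -> None:
        if addr in self.frozen:
            raise BridgeError(f"{addr} is frozen")

    def lock_and_mint(self, addr: str, amount: int) -> None:
        """Deposit `amount` into custody and mint the same amount of surrogate."""
        self._check_not_frozen(addr)
        if amount <= 0:
            raise BridgeError("amount must be positive")
        self.reserves += amount
        self.supply[addr] = self.supply.get(addr, 0) + amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        """Move surrogate tokens between holders on the destination chain."""
        self._check_not_frozen(src)
        if self.supply.get(src, 0) < amount:
            raise BridgeError("insufficient surrogate balance")
        self.supply[src] -= amount
        self.supply[dst] = self.supply.get(dst, 0) + amount

    def burn_and_unlock(self, addr: str, amount: int) -> None:
        """Burn surrogate and release matching custody; refused for frozen holders."""
        self._check_not_frozen(addr)
        if self.supply.get(addr, 0) < amount:
            raise BridgeError("insufficient surrogate balance")
        if self.reserves < amount:
            raise BridgeError("custody cannot cover this redemption")
        self.supply[addr] -= amount
        self.reserves -= amount

    def freeze(self, addr: str) -> None:
        """Flag a holder (e.g. an address reported as holding stolen funds)."""
        self.frozen.add(addr)

    def total_supply(self) -> int:
        return sum(self.supply.values())

    def is_fully_backed(self) -> bool:
        """Core invariant: circulating surrogate never exceeds locked reserves."""
        return self.total_supply() <= self.reserves
```

A reconciliation job that evaluates `is_fully_backed()` against on-chain state on every block is the cheapest early warning that the custody pool has been drained or that unbacked surrogate has been minted.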
