This weekend, the bankruptcy court-appointed FTX Debtors group released their first interim report on ‘Control Failures at the FTX Exchanges’ that contains more than a few jaw-dropping revelations. The John J. Ray III-led Debtors also revealed that they have “recovered and secured” over $1.4 billion in digital assets and “identified” an additional $1.7 billion worth of tokens they are “in the process of recovering.”
It has been anything but an easy process of identifying what assets FTX retained when it bit the dust last November and left its customers stranded. Much of the report details the incredibly haphazard methods by which FTX and its affiliated market-maker Alameda Research stored their digital assets. All too often, SBF and other senior managers themselves were in the dark as to what they owned.
As SBF himself detailed in an internal communication with other execs: “Alameda is unauditable. I don’t mean this in the sense of ‘a major accounting firm will have reservations about auditing it’; I mean this in the sense of ‘we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.’ We sometimes find $50m of assets lying around that we lost track of; such is life.”
The Debtors have to date interviewed 19 former FTX staffers, plus five more who communicated only through their legal advisers. The conclusion the Debtors drew from these talks is that SBF and his inner circle “stifled dissent, commingled and misused corporate and customer funds, lied to third parties about their business, joked internally about their tendency to lose track of millions of dollars in assets, and thereby caused the FTX Group to collapse as swiftly as it had grown.”
Apparently convinced of their own omniscience, SBF and his minions “deprioritized or rejected advice to improve the FTX Group’s control framework.” The Debtors claim that this toxic combination of “hubris, incompetence, and greed” effectively doomed FTX/Alameda from the start.
Silos of silliness
FTX’s dysfunctional nature was embedded in its DNA, to the point that the FTX Group lacked an accurate list of employees at the time of its bankruptcy. The Debtors ended up creating four ‘silos’ of FTX/Alameda operations just to attempt to make sense of the organizational chaos.
FTX’s reliance on QuickBooks software is already the stuff of legend, but the Debtors say the Group also employed “a hodgepodge of Google documents, Slack communications, shared drives, and Excel spreadsheets” to manage its financial affairs when these affairs were managed at all. Some 56 entities within the FTX Group “did not produce financial statements of any kind.”
Even when activities were recorded, detail was sorely lacking. All digital asset transactions were designated ‘investments in cryptocurrency’ but lacked any specifics as to what tokens were the subjects of these investments. Some 80,000 transactions—many of which were only entered months after the fact—were recorded in QuickBooks accounts with the cryptic label ‘Ask My Accountant.’
Even more alarming were the “thousands of deposit checks … some stale-dated for months” that piled up due to “the failure of personnel to deposit checks in the ordinary course; instead, deposit checks collected like junk mail.”
While many inter-company transactions within the Group weren’t properly documented, the Debtors’ job was further complicated by the fact that many of these transactions were discussed in apps like Signal and Telegram with ‘disappearing messages’ enabled, “rendering any historical review impossible.”
Even where documentation is available, it can be misleading. “Tens of millions of dollars” were transferred from an Alameda bank account to SBF’s personal account in 2021 and 2022. While documented as loans to SBF, they were recorded on the general ledger as “Investment in Subsidiaries: Investments-Cryptocurrency.”
There’s also the Group’s lack of any “comprehensive, centralized source of information” regarding its “over a thousand” accounts on other exchanges, “many of which held significant assets at various points in time.” Many of these accounts were opened using the names of shell companies, with pseudonymous email addresses, or in the names of individuals with no direct ties to the Group.
Running hot and cold … but mostly hot
Even worse, if you can imagine it, were the “extensive deficiencies” in FTX/Alameda’s handling of the security of its digital asset holdings. From the start, the Group had “no dedicated personnel in cybersecurity,” no independent Chief Information Security Officer, and no established process for responding to cyber incidents in real time.
Publicly, SBF claimed that the Group used the “standard hot wallet/cold wallet setup” to manage its digital assets. In reality, the Group “kept virtually all crypto assets in hot wallets,” but staff were told to shield this fact from regulators and to obfuscate only slightly less when queried by “non-regulators.”
The Group also failed to employ multi-signature capabilities or Multi-Party Computation (MPC) controls, exposing itself to the possibility that a single staffer could go rogue or an outside party could wreak havoc by obtaining a single staffer’s private keys.
Even in the rare instances in which the Group did employ multi-sig/MPC practices, it stored all three necessary private keys in a single location, negating the whole point of the exercise.
In fact, there was no system for managing private keys and seed phrases. Private keys to wallets holding over $100 million of assets were often stored in plain text, with no encryption, on a Group server. Keys to other wallets were accessible by other servers and users based in different locations.
“Single-signature-based private keys to billions of dollars in crypto assets were stored in [Amazon Web Services] Secrets Manager and/or a password vault,” opening up the possibility of these assets being pilfered by “any of the many FTX Group employees who had access to AWS Secrets Manager or the password vault.”
Many Group keys were stored without appropriate backup procedures, potentially resulting in permanent loss of assets if keys were lost. Equally slapdash efforts were employed to safeguard wallet nodes, including the reuse of keys across different nodes, so if one key was compromised, other nodes were vulnerable.
While only a tiny number of Group staff required access to central omnibus wallets to perform their respective duties, “over a dozen” people had access to these wallets containing “billions of dollars in crypto assets.”
Meanwhile, as SBF lectured his Twitter followers on how using two-factor authentication was part of “the basics” of “crypto security,” the Group failed to require the use of multi-factor authentication to access certain accounts, including its password-management program.
Oh, there’s more…
The Group was guilty of a number of other security-related faceplants, including failing to employ “offline, air-gapped, encrypted, and geographically distributed laptops to secure crypto assets.” The Group also failed to require staff to utilize corporate-issued laptops rather than their personal devices, which weren’t subject to any oversight.
The Group shared computer infrastructure and IT services across various entities in defiance of a traditional ‘segmentation’ approach, thereby ensuring that a breach of one AWS account would grant the interloper access to the whole enchilada.
The Group also had “poor or, in some cases, no ‘visibility’ controls to detect and respond to cybersecurity threats.” In other words, they had no way of knowing who was accessing the private keys of central exchange wallets or for what purpose. They also used server software that, in some cases, was “nearly four years out of date.”
This lack of situational awareness and the shambolic approach to private key management were on full display during the breach of FTX systems in the hours following its early-November bankruptcy filing. The Group appeared completely unaware of the suspicious transfer of over $400 million worth of digital assets out of Group wallets until observant social media users sounded the alarm.
The Debtors note that even as they “raced to secure the environment” following those unauthorized transfers, the assets remained a tempting target for the countless individuals who may have had access to the private keys. That includes SBF, who, shortly after that November breach, infamously transferred hundreds of millions’ worth of digital assets to Bahamian authorities as part of his harebrained scheme to avoid U.S. oversight.
SBF deploys the ostrich defense
SBF was in court a couple of weeks ago to plead not guilty to the latest charges—including bribery of Chinese officials—filed against him by the U.S. Department of Justice. However, since the superseding indictment was filed after SBF agreed to be extradited from the Bahamas to the U.S., his attorneys told the court that he was “not acknowledging he can be tried” on these latest charges.
In pleading not guilty, SBF stands alone among his former colleagues who have also been charged. Most of them, including former Alameda CEO Caroline Ellison and FTX co-founder Zixiao ‘Gary’ Wang, are reportedly cooperating with the feds’ prosecution of SBF to lessen their own criminal sentences.
The Debtors’ report delves briefly into some other FTX executive interactions, including the fact that Brett Harrison, former president of FTX.US, “resigned following a protracted disagreement with Bankman-Fried and [FTX engineering director Nishad] Singh over the lack of appropriate delegation of authority, formal management structure, and key hires at FTX.US; after raising these issues directly with them, [Harrison’s] bonus was drastically reduced, and senior internal counsel instructed him to apologize to Bankman-Fried for raising the concerns, which he refused to do.”
Harrison, who resigned about six weeks before FTX’s bankruptcy filing, has steadfastly denied knowledge of SBF’s fraudulent schemes, although not everyone is willing to swallow that claim (particularly given Harrison’s lies about FTX deposits being FDIC-insured). Harrison recently announced a new start-up, Architect, devoted to developing institutional-grade trading infrastructure for crypto markets.
The Debtors’ report offers another example of FTX executive rebellion, an unidentified “lawyer within the FTX Group [who] was summarily terminated after expressing concerns about Alameda’s lack of corporate controls, capable leadership, and risk management.” This termination reportedly occurred “less than three months after being hired and shortly after learning about Alameda’s use of a North Dimension bank account to send money to customers of the FTX exchanges.”
That is definitely not a reference to Daniel Friedberg, FTX’s former chief regulatory officer, who joined the Group around three years before it imploded. And by his own previous testimony, Friedberg wasn’t fired, having resigned the same week FTX et al. filed for Chapter 11 protection, based on his being shocked—shocked!—to discover SBF wasn’t actually an effective altruist.
Moreover, Friedberg helped set up North Dimension as a means for U.S. customers to surreptitiously send dollars to FTX/Alameda via Silvergate Bank’s 24/7 crypto settlement network SEN. Like Harrison, Friedberg was also personally named in the FDIC’s ‘cease & desist’ notice for falsely implying that FTX.US deposits were federally protected.
Friedberg is reportedly cooperating with the feds in their prosecution of SBF, almost certainly in exchange for them looking the other way when it comes to Friedberg’s non-compliant approach to compliance.
On Sunday, Debtors CEO John J. Ray observed that “FTX Group was tightly controlled by a small group of individuals who falsely claimed to manage FTX Group responsibly, but in fact showed little interest in instituting oversight or implementing an appropriate control framework.” How appropriate that a CEO who was incapable of managing a business saw value in a lawyer who didn’t understand the law.