The mysterious looter of bankrupt crypto exchange FTX, who is likely an insider according to a blockchain expert, holds $339 million of digital assets that they drained from the exchange late Friday, according to crypto intelligence platform Arkham Intelligence.
Arkham found that the wallets associated with the exploiter hold $215 million in ETH, the native token of the Ethereum blockchain, $48 million in Maker’s stablecoin DAI, $44 million in BNB, the Binance ecosystem’s native token, $4 million in Tether’s USDT stablecoin on the Avalanche blockchain and $3.8 million of MATIC on Polygon’s Matic bridge.
Late Friday night, the insolvent crypto exchange FTX of Sam Bankman-Fried, suffered suspicious outflows exceeding $600 million, as CoinDesk reported. One entity at the center of the exploit siphoned off about $400 million from the exchange’s crypto wallets. The attack came after FTX, and the other 137 firms of Bankman-Fried’s crypto conglomerate, filed for bankruptcy protection the same day.
The hacker acted hastily based on their behavior on the blockchain, according to Arkham’s report. They used various decentralized exchanges to convert tokens, including UniSwap, 1inch and CowSwap, and struggled to dump coins such as MATIC, LINK and PAXG divided into smaller amounts to prevent losses from slippage.
After tracing the attacker’s blockchain transactions, Arkham found that they “appeared to be in panic” and “lost a large amount of their token holdings” when they moved assets across different chains to avoid getting caught. In a likely attempt to consolidate their holdings, they also converted tokens to ETH and DAI on the Ethereum network, movements that cannot be easily sanctioned by authorities.
“It is becoming clearer by the day that the FTX exploiter is not very sophisticated,” Miguel Morel, chief executive of Arkham Intelligence, told CoinDesk. “They've hastily tried to do whatever they can with the funds, seemingly without much of a plan.”
The attacker also seemingly committed at least one amateur misstep. They flippantly tapped their verified personal account on crypto exchange Kraken to send enough TRX tokens to cover transaction fees, according to Dyma Budorin, CEO of blockchain security audit firm Hacken.
The unsophisticated maneuvers imply that there may be some hope to reclaim the funds the hacker took.
“I think it's only a matter of time before they're discovered due to their use of various off-ramps, and at that point it will just be about recovering the funds,” Morel said.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.