FTX Hacker Panicked, Still Holds $339M in Ether, Cryptos: Arkham Intelligence

The mysterious looter siphoned about $400 million in digital assets from crypto exchange FTX late Friday night.

AccessTimeIconNov 14, 2022 at 11:30 p.m. UTC
Updated May 9, 2023 at 4:02 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

The mysterious looter of bankrupt crypto exchange FTX, who is likely an insider according to a blockchain expert, holds $339 million of digital assets that they drained from the exchange late Friday, according to crypto intelligence platform Arkham Intelligence.

Arkham found that the wallets associated with the exploiter hold $215 million in ETH, the native token of the Ethereum blockchain, $48 million in Maker’s stablecoin DAI, $44 million in BNB, the Binance ecosystem’s native token, $4 million in Tether’s USDT stablecoin on the Avalanche blockchain and $3.8 million of MATIC on Polygon’s Matic bridge.

Some $20 million in PAXG, a Paxos stablecoin linked to the price of gold, was frozen when Paxos was ordered to blacklist the accounts by U.S. authorities, preventing the holder from moving or cashing out the tokens.

Late Friday night, the insolvent crypto exchange FTX of Sam Bankman-Fried, suffered suspicious outflows exceeding $600 million, as CoinDesk reported. One entity at the center of the exploit siphoned off about $400 million from the exchange’s crypto wallets. The attack came after FTX, and the other 137 firms of Bankman-Fried’s crypto conglomerate, filed for bankruptcy protection the same day.

The hacker acted hastily based on their behavior on the blockchain, according to Arkham’s report. They used various decentralized exchanges to convert tokens, including UniSwap, 1inch and CowSwap, and struggled to dump coins such as MATIC, LINK and PAXG divided into smaller amounts to prevent losses from slippage.

After tracing the attacker’s blockchain transactions, Arkham found that they “appeared to be in panic” and “lost a large amount of their token holdings” when they moved assets across different chains to avoid getting caught. In a likely attempt to consolidate their holdings, they also converted tokens to ETH and DAI on the Ethereum network, movements that cannot be easily sanctioned by authorities.

“It is becoming clearer by the day that the FTX exploiter is not very sophisticated,” Miguel Morel, chief executive of Arkham Intelligence, told CoinDesk. “They've hastily tried to do whatever they can with the funds, seemingly without much of a plan.”

The attacker also seemingly committed at least one amateur misstep. They flippantly tapped their verified personal account on crypto exchange Kraken to send enough TRX tokens to cover transaction fees, according to Dyma Budorin, CEO of blockchain security audit firm Hacken.

The unsophisticated maneuvers imply that there may be some hope to reclaim the funds the hacker took.

“I think it's only a matter of time before they're discovered due to their use of various off-ramps, and at that point it will just be about recovering the funds,” Morel said.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.

Krisztian  Sandor

Krisztian Sandor is a reporter on the U.S. markets team focusing on stablecoins and institutional investment. He holds BTC and ETH.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.