Alameda Lost Nearly $200M to Phishing Attacks, Ex-Engineer Says

You’d expect big-name traders to ensure high levels of security and steps in place to protect against phishing attacks and hacks, both of which plague the crypto ecosystem.

But not Alameda Research. The beleaguered Sam Bankman-Fried run trading company lost at least $200 million to a variety of common attack vectors that run amok in the industry, as per new claims made by ex-employee Aditya Baradwaj.

“SBF believed that the single most important thing for a startup like Alameda or FTX was being able to move very, very fast,” Baradwaj posted on social app X earlier today. “This meant virtually no code testing and incomplete balance accounting.”

“Blockchain private keys and exchange API keys were stored in plaintext in a file that several employees could access,” Baradwaj added. CoinDesk has verified that Baradwaj was an employee of Alameda by reviewing payslips he provided.

Alameda lost $40 million by yield farming on a “new blockchain of questionable legitimacy,” wherein the network’s creator held the company’s funds hostage. Months of negotiations followed, but it is unclear if these funds were finally recovered.

Yield farming is a popular way to earn rewards by supplying tokens to a financial application on a blockchain. However, applications build by malicious actors may block withdrawals after attracting a sizable amount of capital – leading to losses.

Another security goof-up occurred when private keys, or a password to a secure crypto storage, was leaked “likely by a former employee.” The attack cost Alameda over $50 million in various tokens.

However, the biggest hit was a $100 million loss after Alameda got tricked into clicking on a fake phishing link on Google Ads. The fake link was likely mimicking a DeFi protocol and had been promoted to the top of Google searches.

Baradwaj stated that these incidents were just a few from a wide range of security lapses at Alameda.

In Michaels Lewis’s recently released biography of Bankman-Fried, it is claimed the founder lost at least $500,000 everyday during Alameda’s early days and once misplaced over $4 million worth of XRP tokens.

Together, these losses showcase the lax security practices at Alameda and the apparent carelessness of employees. Each of these attacks could have been avoided had private keys been stored more securely and if DeFi transactions were carefully vetted before moving millions of dollars in capital.

Such losses were not limited to Alameda. Bankman-Fried’s other company, crypto exchange FTX, lost over $400 million shortly after declaring bankruptcy in November 2022. The cause of the attack has been revealed to be poor private key management – which could have even cost the firm upward of $1 billion.