Russian Attackers May Have Been Behind Hack of Sam Bankman-Fried’s FTX, Elliptic Says

Research firm Elliptic said some of the stolen funds appear to be linked to Russian cybercriminal groups, citing on-chain analysis.

Oct 12, 2023 at 12:00 p.m. UTC

Part of the estimated $400 million stolen last November from the now-shuttered FTX crypto exchange may have links to Russia-based cybercriminal groups, research from analysis firm Elliptic shared with CoinDesk shows.

The funds, mostly in ether (ETH), lay dormant for five days before a tranche of 65,000 ETH (about $100 million) was moved to the Bitcoin blockchain through the RenBridge service. The attackers then ran the resulting bitcoin through a mixer, a service that pools coins from many users and pays them back out to fresh addresses, breaking the on-chain link between the source of funds and their destination.

“Of the 4,536 Bitcoins converted from ether at RenBridge, 2,849 BTC was sent through mixers, predominantly a service called ChipMixer,” Elliptic said. “Tracing these assets becomes more challenging; however, at least $4 million was transferred to exchanges, where it may have been cashed out.”

ChipMixer was subsequently seized and shut down in an international law-enforcement operation in March 2023, after which the attackers switched to the Sinbad mixing service.

The identity of the attackers remains unknown, but wallet data and analysis of fund movements may help shed light on who could have been behind the attack.

Who hacked FTX?

Elliptic said suspects range from rogue FTX employees to the North Korean hacker group Lazarus, which is alleged to have exploited several crypto protocols. The on-chain evidence, however, points toward Russian groups, it said.

“A Russia-linked actor seems a stronger possibility,” according to the firm. “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges.”

“This points to the involvement of a broker or other intermediary with a nexus in Russia,” it said.
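The attribution heuristic described above, following theft proceeds hop by hop and flagging the transactions where they are combined with funds from other labelled sources before reaching an exchange, can be illustrated with a small proportional-taint ("haircut") tracer. The code below is an added example, not CoinDesk's or Elliptic's own tooling: the ledger, addresses, labels and amounts are constructed, the taint rule is the generic haircut rule rather than any proprietary method, and bridge, mixer and exchange-cluster handling that a real tracer needs is omitted.

```python
"""Proportional ("haircut") taint tracing over a constructed UTXO-style ledger.

Added example, not code from CoinDesk or Elliptic. Every address, amount and
label below is constructed for illustration and is not a real FTX transaction.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed seed labels: addresses known to hold a particular kind of funds.
SEEDS = {
    "ftx_hack_1": "ftx_theft",
    "ransom_a": "ransomware",
    "dnm_b": "darknet",
}
RUSSIA_LINKED = {"ransomware", "darknet"}
EXCHANGE_DEPOSITS = {"exch_dep_1", "exch_dep_2"}

# Constructed ledger in chronological order. A transaction with no inputs just
# introduces labelled coins; every other input spends a prior output by
# (txid, index). Amounts are integers in arbitrary units.
TXS = [
    {"id": "t1", "inputs": [], "outputs": [("ftx_hack_1", 100)]},
    {"id": "t2", "inputs": [], "outputs": [("ransom_a", 40)]},
    {"id": "t3", "inputs": [], "outputs": [("dnm_b", 20)]},
    # attacker splits the loot: 60 towards a hop address, 40 as change
    {"id": "t4", "inputs": [("t1", 0)], "outputs": [("hop_1", 60), ("hop_change", 40)]},
    # an intermediary consolidates the hop output with ransomware and darknet proceeds
    {"id": "t5", "inputs": [("t4", 0), ("t2", 0), ("t3", 0)], "outputs": [("broker_1", 120)]},
    # part of the consolidated pot is deposited at an exchange
    {"id": "t6", "inputs": [("t5", 0)], "outputs": [("exch_dep_1", 30), ("broker_2", 90)]},
    # the untouched change goes straight to another exchange
    {"id": "t7", "inputs": [("t4", 1)], "outputs": [("exch_dep_2", 40)]},
]


def trace(txs, seeds):
    """Propagate taint through the ledger with the haircut rule.

    Each output of a transaction inherits, for every label, the fraction of the
    transaction's total input value that carried that label. Fractions are kept
    exact so that small shares do not drift through many hops.

    Returns (utxos, mixes): utxos maps each unspent (txid, index) to
    (address, amount, {label: Fraction}); mixes lists the txids in which
    ftx_theft funds were combined with funds from a Russia-linked label
    arriving in a different input, the co-mingling pattern described above.
    """
    utxos = {}
    mixes = []
    for tx in txs:
        if not tx["inputs"]:
            for i, (addr, amt) in enumerate(tx["outputs"]):
                taint = {seeds[addr]: Fraction(1)} if addr in seeds else {}
                utxos[(tx["id"], i)] = (addr, amt, taint)
            continue
        total_in = 0
        tainted = defaultdict(Fraction)  # label -> labelled value among the inputs
        ftx_in, ru_in = set(), set()      # which inputs carry which kind of taint
        for outpoint in tx["inputs"]:
            _, amt, taint = utxos.pop(outpoint)  # an output can be spent only once
            total_in += amt
            for label, frac in taint.items():
                tainted[label] += amt * frac
                if label == "ftx_theft":
                    ftx_in.add(outpoint)
                elif label in RUSSIA_LINKED:
                    ru_in.add(outpoint)
        # co-mingling: theft funds and Russia-linked funds enter via different inputs
        if ftx_in and ru_in and ftx_in != ru_in:
            mixes.append(tx["id"])
        share = {label: value / total_in for label, value in tainted.items()}
        for i, (addr, amt) in enumerate(tx["outputs"]):
            utxos[(tx["id"], i)] = (addr, amt, dict(share))
    return utxos, mixes


def exchange_exposure(utxos, exchange_addrs):
    """Labelled value currently sitting at exchange deposit addresses."""
    exposure = defaultdict(lambda: defaultdict(Fraction))
    for addr, amt, taint in utxos.values():
        if addr in exchange_addrs:
            for label, frac in taint.items():
                exposure[addr][label] += amt * frac
    return {addr: dict(comp) for addr, comp in exposure.items()}


if __name__ == "__main__":
    utxos, mixes = trace(TXS, SEEDS)
    print("co-mingling transactions:", mixes)
    for addr, comp in exchange_exposure(utxos, EXCHANGE_DEPOSITS).items():
        print(addr, {label: float(v) for label, v in comp.items()})
```

In the constructed ledger the consolidation t5 is the only co-mingling event: 30 units arriving at exch_dep_1 break down as 15 theft, 10 ransomware and 5 darknet, while the 40 units at exch_dep_2 are pure theft proceeds that never touched another labelled source. The haircut rule is only one of several attribution conventions (FIFO and poison rules give different numbers for the same ledger), so which one an analyst uses materially changes what "combined with Russia-linked funds" means.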

Accounts tied to FTX and FTX US were drained on Nov. 11, 2022, mere hours after the company filed for bankruptcy and founder Sam Bankman-Fried resigned from the crypto empire he ran.

Federal prosecutors charged Bankman-Fried last year, weeks after he stepped down from his role at FTX, with two counts of wire fraud and five counts of conspiracy to commit various forms of fraud.

John J. Ray III, the CEO and Chief Restructuring Officer of the FTX Debtors, which handles the FTX bankruptcy proceedings, later said that $323 million in various tokens was taken from its international exchange and $90 million from its U.S. platform.

Stolen assets that had been left untouched began moving a few days before the start of Bankman-Fried's trial and have continued to move since. Earlier this month, over 15,000 ether, worth nearly $25 million, was swapped for other tokens using the privacy wallet Railgun and the THORChain exchange.

Edited by Sheldon Reback.



Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.