Part of the estimated $400 million stolen last November from the now-shuttered FTX crypto exchange may have links to Russia-based cybercriminal groups, research from analysis firm Elliptic shared with CoinDesk shows.
The funds, mostly in ether (ETH), lay dormant for five days before a tranche of 65,000 ETH ($100 million) was transferred to the Bitcoin blockchain using the RenBridge service. The attackers then used a mixer, a blockchain-based service that obscures the link between the addresses that deposit funds and those that withdraw them.
“Of the 4,536 Bitcoins converted from ether at RenBridge, 2,849 BTC was sent through mixers, predominantly a service called ChipMixer,” Elliptic said. “Tracing these assets becomes more challenging; however, at least $4 million was transferred to exchanges, where it may have been cashed out.”
ChipMixer was subsequently shut down and seized in an international law-enforcement operation, after which the attackers switched to Sinbad for the mixing service.
The identity of the attackers remains unknown, but wallet data and analysis of fund movements may help shed light on who could have been behind the attack.
Who hacked FTX?
Elliptic said suspects range from rogue employees at FTX to North Korean hacker group Lazarus, which is alleged to have exploited several crypto protocols. On-chain signs, however, point to Russian groups, it said.
“A Russia-linked actor seems a stronger possibility,” according to the firm. “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges.”
“This points to the involvement of a broker or other intermediary with a nexus in Russia,” it said.
Accounts tied to FTX and FTX US were drained on Nov. 11, 2022, mere hours after the company filed for bankruptcy and founder Sam Bankman-Fried resigned from the crypto empire he ran.
Bankman-Fried was later charged by federal prosecutors, last year, with two counts of wire fraud and five counts of conspiracy to commit various forms of fraud, weeks after stepping down from his role at FTX.
John J. Ray III, the CEO and Chief Restructuring Officer of the FTX Debtors, which handles the FTX bankruptcy proceedings, later said that $323 million in various tokens were hacked from its international exchange and $90 million from its U.S. platform.