Alameda Lost Nearly $200M to Phishing Attacks, Ex-Engineer Says

Lax security practices seemed to be a feature of the former crypto trading titan.

AccessTimeIconOct 12, 2023 at 6:39 a.m. UTC
Updated Oct 12, 2023 at 12:21 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

You’d expect big-name traders to ensure high levels of security and steps in place to protect against phishing attacks and hacks, both of which plague the crypto ecosystem.

But not Alameda Research. The beleaguered Sam Bankman-Fried run trading company lost at least $200 million to a variety of common attack vectors that run amok in the industry, as per new claims made by ex-employee Aditya Baradwaj.

“SBF believed that the single most important thing for a startup like Alameda or FTX was being able to move very, very fast,” Baradwaj posted on social app X earlier today. “This meant virtually no code testing and incomplete balance accounting.”

“Blockchain private keys and exchange API keys were stored in plaintext in a file that several employees could access,” Baradwaj added. CoinDesk has verified that Baradwaj was an employee of Alameda by reviewing payslips he provided.

Alameda lost $40 million by yield farming on a “new blockchain of questionable legitimacy,” wherein the network’s creator held the company’s funds hostage. Months of negotiations followed, but it is unclear if these funds were finally recovered.

Yield farming is a popular way to earn rewards by supplying tokens to a financial application on a blockchain. However, applications build by malicious actors may block withdrawals after attracting a sizable amount of capital – leading to losses.

Another security goof-up occurred when private keys, or a password to a secure crypto storage, was leaked “likely by a former employee.” The attack cost Alameda over $50 million in various tokens.

However, the biggest hit was a $100 million loss after Alameda got tricked into clicking on a fake phishing link on Google Ads. The fake link was likely mimicking a DeFi protocol and had been promoted to the top of Google searches.

Baradwaj stated that these incidents were just a few from a wide range of security lapses at Alameda.

In Michaels Lewis’s recently released biography of Bankman-Fried, it is claimed the founder lost at least $500,000 everyday during Alameda’s early days and once misplaced over $4 million worth of XRP tokens.

Together, these losses showcase the lax security practices at Alameda and the apparent carelessness of employees. Each of these attacks could have been avoided had private keys been stored more securely and if DeFi transactions were carefully vetted before moving millions of dollars in capital.

Such losses were not limited to Alameda. Bankman-Fried’s other company, crypto exchange FTX, lost over $400 million shortly after declaring bankruptcy in November 2022. The cause of the attack has been revealed to be poor private key management – which could have even cost the firm upward of $1 billion.

Edited by Parikshit Mishra.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by Block.one; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.