On November 12, 2022, the FTX crypto exchange stated in its official Telegram channel that it had been hacked. According to the disclosed information, hackers were allegedly able to siphon more than $600 million from FTX's crypto wallets. In the same channel, FTX instructed users not to install any new upgrades and to delete all FTX apps.
Various teams of researchers and information security enthusiasts (SlowMist_Team, ZachXBT, PeckShield and Hacken) have been trying to trace the funds drained from FTX. The TokenScope Team also decided to look into the matter. As a reminder, the causes of FTX’s collapse were analyzed last week.
Our research is based on the fact that FTX and its U.S. division, FTX.US, have, in addition to their own token, official wallets in various cryptocurrencies (BTC, ETH, BSC, TRON and SOLANA) on several major crypto exchanges.
Analysis of active FTX wallets revealed the address to which some of the BTC funds could have been transferred. The hackers' wallet to which FTX funds were siphoned is 325gSHHe7UGvzEc9kGx43VqPboXUVwa26i. The wallet was created on November 12, 2022 and currently holds 3,871.694 BTC (or $65 million at the current exchange rate).
On November 12, 2022, four transactions were sent to this wallet (3,500 BTC, 300 BTC, 70 BTC and 0.094 BTC) from 55 bitcoin addresses belonging to FTX.US.
You can see the graph here.
ETH and BSC
Analysis of the exchange cluster (ftx Cluster) allowed us to establish its main addresses in the Ethereum network:
Having studied these addresses, we found that several swap and cross-chain transactions had been carried out from them in the past few days (from November 12 to 14). As a result, some funds had been withdrawn and some remained at the addresses belonging to the exchange.
According to Beosin Alert, analysis of the balances in major coins shows the current distribution of FTX wallets in ETH and BSC, as follows:
In fact, as of now, FTX’s official addresses hold about $338 million worth of cryptocurrency in different coins. The main address to which the funds were transferred is the cold wallet 0x97f991971a37D4Ca58064e6a98FC563F03A71E5c, with the wallet’s current balance in various coins amounting to around $186 million.
The official address of FTX on the TRON network is TYDzsYUEpvnYmQk4zGP9sWWcTEd2MiAtW6 (the current balance is equivalent to $46,000). The official address of FTX.US is TXwym1VaATMV1EEPKPmVcZ1oDK8GiB5psy (the current balance stands at $3.46).
On November 12, funds from both addresses were transferred to TYoZM8LALfUqm4EXzB7oKmwqusWtXTBhY6; the wallet's current balance in multiple coins amounts to $37 million (according to the Tronscan Asset Overview).
One important detail should be noted in this regard. When the hackers (or the owners themselves) were trying to transfer $46.7 million from the FTX address TYDzsYUEpvnYmQk4zGP9sWWcTEd2MiAtW6, they were short of funds to pay the transaction fee, so they resorted to transferring the money for the fee from their personal account on the Kraken exchange. Kraken's officials reported the situation to law enforcement authorities and froze the accounts of FTX Group, Alameda Research and their executives. This fact could be indirect evidence supporting the version that it was not hackers but insiders who were involved in the unauthorized withdrawals.
The FTX-owned Solana address JBpj7yp4Afvb71TmanVwJZXGeX4kqbGFvjCFCRo3EbTM transferred funds to the wallet 6sEk1enayZBGFyNvvJMTP7qs5S3uC7KLrQWaEk38hSHH, which now holds USDT 27 million (according to solscan.io).
A total of $315 million was withdrawn from FTX wallets (this amount is currently held in various token wallets), and $338 million is currently held in the addresses owned by the FTX exchange.
We also share the opinion of most crypto community experts that the unauthorized withdrawals from the crypto exchange's wallets were most likely carried out not by hackers but by insiders, in an attempt to save their own funds. Accordingly, we believe that this amount of $643 million belongs in its entirety to FTX users and is readily available to the owners of the collapsed exchange.
This statement looks even more justified, given the information from Ryne Miller, FTX General Counsel.
We’ll be watching further developments.
In order to protect other users from the risks involved in interactions with compromised addresses and their owners, you can report to us all cases related to specific cryptocurrency addresses and assessed risks. To report such a case, please go to TokenScope.com and press the “Report cryptocurrency address” button.