
Cyber Incident Victim: FTX

Date:

Nov 2022

Location:

United States of America

Summary

A major cryptocurrency exchange suffered a security breach that produced more than $600 million in suspicious outflows; three days later the attacker still held about $339 million in digital assets, including Ether, DAI, and BNB. The perpetrator, suspected to be an insider, used decentralized exchanges and cross-chain transfers to obscure fund movements while converting the stolen tokens mostly into ETH and stablecoins. Blockchain analysts characterized the exploiter's actions as panicked and unsophisticated, citing hasty transactions and the use of a personal Kraken account to pay transaction fees, a likely avenue for identification. Despite moving funds across several blockchain networks, intelligence platforms assessed that the attacker's off-ramp activity would probably lead to exposure.


Description

On November 11, 2022, the cryptocurrency exchange FTX experienced a significant security breach involving suspicious outflows exceeding $600 million in digital assets. The incident occurred late on Friday night, concurrently with FTX's bankruptcy filing, and the attacker drained funds directly from the exchange's wallets. Blockchain analysis by Arkham Intelligence showed the perpetrator, suspected by experts to be an insider, transferring assets across multiple blockchain networks to obscure the transaction trail. The attacker used decentralized exchanges including Uniswap and 1inch to convert stolen tokens, moving funds between Ethereum, Binance Smart Chain, Avalanche, and Polygon. By November 14 the attacker still controlled $339 million in cryptocurrency, the bulk of it $215 million in Ether (ETH), $48 million in DAI stablecoins, $44 million in Binance Coin (BNB), $4 million in Tether (USDT) on Avalanche, and $3.8 million in Polygon's MATIC tokens. The conversion pattern showed a deliberate shift toward holding ETH and stablecoins, suggesting an effort to preserve value amid the market volatility that followed FTX's collapse.


The attacker's operational security flaws became apparent through blockchain forensic analysis. Security experts noted technical indicators of panic and lack of sophistication in the fund movement patterns, including the use of a personal Kraken exchange account to pay transaction fees, a critical mistake that created a direct identification vector: centralized exchanges collect identity documents from their customers, so a withdrawal from a personal account to a wallet that then paid gas for the theft transactions ties that wallet to a named individual. Miguel Morel, CEO of Arkham Intelligence, characterized the hacker's behavior as demonstrating haste and poor planning, saying they appeared to act without a coherent strategy for laundering or securing the stolen assets. Despite cross-chain transfers designed to complicate tracking, the majority of the funds remained concentrated in identifiable wallets three days after the attack. The theft deepened FTX's financial crisis, occurring alongside the exchange's bankruptcy filing and liquidity collapse. Arkham's analysis concluded that the attacker's reliance on cryptocurrency off-ramps such as centralized exchanges would likely lead to identification and possible fund recovery through coordinated blockchain surveillance and regulatory intervention.
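The tracing described above, forward-following funds from a drainer wallet across a DEX swap and a bridge and flagging every touchpoint with a centralized exchange, can be sketched in a few dozen lines. The script below is an added example, not code from the original page or from Arkham Intelligence; the ledger, the address strings, the labels and the bridge pairing are all constructed for illustration, and the exact-amount bridge matching is a deliberate simplification of the time-and-amount heuristics real tracing tools use.

```python
"""Toy fund-flow tracer (added example; all addresses, labels and amounts are constructed).

Follows funds forward from a seed address, clusters wallets attributed to the
same controller, and records every touchpoint with a KYC-bearing centralized
exchange: inbound funding (e.g. gas paid from a personal account) and outbound
off-ramps. Those touchpoints are the leads an investigator would pursue.
"""
from collections import defaultdict, deque

# Constructed ledger of transfers: (chain, sender, recipient, asset, amount).
LEDGER = [
    ("ethereum", "0xvictim_hot",  "0xdrain1",        "USDT", 100.0),  # drain from victim hot wallet
    ("ethereum", "0xkraken_hot",  "0xdrain1",        "ETH",  0.05),   # gas topped up from a CEX withdrawal
    ("ethereum", "0xdrain1",      "0xdex_router",    "USDT", 100.0),  # swap USDT -> ETH on a DEX
    ("ethereum", "0xdex_router",  "0xdrain1",        "ETH",  0.08),   # swap proceeds return to sender
    ("ethereum", "0xdrain1",      "0xbridge_eth",    "ETH",  0.08),   # bridge deposit on Ethereum
    ("bsc",      "0xbridge_bsc",  "0xdrain2",        "ETH",  0.08),   # bridge payout on the BSC side
    ("bsc",      "0xdrain2",      "0xcex_x_deposit", "ETH",  0.08),   # off-ramp to a CEX deposit address
    ("ethereum", "0xunrelated",   "0xsomeone",       "ETH",  1.0),    # noise unrelated to the seed
]

# Constructed attribution labels: address -> (name, kind).
LABELS = {
    "0xkraken_hot":    ("Kraken", "cex"),
    "0xcex_x_deposit": ("CEX-X", "cex"),
    "0xdex_router":    ("DEX router", "dex"),
    "0xbridge_eth":    ("Bridge (Ethereum side)", "bridge"),
    "0xbridge_bsc":    ("Bridge (BSC side)", "bridge"),
}

# A deposit into the first contract pays out from the second one on the other chain.
BRIDGE_PEER = {"0xbridge_eth": "0xbridge_bsc"}


def kind_of(addr, labels=LABELS):
    """Return the label kind for an address, or 'unknown' if it is not labelled."""
    return labels.get(addr, (None, "unknown"))[1]


def trace_forward(seed, ledger=LEDGER, labels=LABELS, bridge_peer=BRIDGE_PEER):
    """Return (cluster, findings) for funds flowing forward from `seed`."""
    outgoing = defaultdict(list)
    for tx in ledger:
        outgoing[tx[1]].append(tx)

    cluster = {seed}
    findings = []
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        for chain, sender, recipient, asset, amount in outgoing[addr]:
            kind = kind_of(recipient, labels)
            if kind == "cex":
                # Outbound to an exchange: the exchange can name the account holder.
                findings.append({"kind": "off_ramp", "exchange": labels[recipient][0],
                                 "address": sender, "chain": chain, "asset": asset, "amount": amount})
            elif kind == "bridge":
                # Match the deposit to a payout of the same asset and amount on the peer side.
                peer = bridge_peer.get(recipient)
                for _, _, p_recipient, p_asset, p_amount in outgoing.get(peer, []):
                    if p_asset == asset and p_amount == amount and p_recipient not in cluster:
                        cluster.add(p_recipient)
                        queue.append(p_recipient)
            elif kind == "dex":
                pass  # swap proceeds come back to `sender`, which is already in the cluster
            elif recipient not in cluster:
                cluster.add(recipient)  # plain transfer: attribute recipient to the same controller
                queue.append(recipient)

    # Inbound funding from an exchange hot wallet (e.g. for gas) links the cluster to a KYC'd account.
    for chain, sender, recipient, asset, amount in ledger:
        if recipient in cluster and kind_of(sender, labels) == "cex":
            findings.append({"kind": "funded_by_cex", "exchange": labels[sender][0],
                             "address": recipient, "chain": chain, "asset": asset, "amount": amount})
    return cluster, findings


if __name__ == "__main__":
    cluster, findings = trace_forward("0xdrain1")
    print("cluster:", sorted(cluster))
    for finding in findings:
        print(finding)
```

Run against the constructed ledger, the tracer attributes `0xdrain2` on BSC to the same controller as `0xdrain1` via the bridge, and reports two exchange touchpoints: the gas top-up from the Kraken hot wallet into `0xdrain1` and the off-ramp from `0xdrain2` into the CEX-X deposit address. Either touchpoint is enough for an investigator to request the account holder's identity from the exchange, which is exactly why paying fees from a personal exchange account undermines every other evasion step.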
