FTX’s stolen crypto funds linked to Russian cybercrime networks
Blockchain analytics firm Elliptic has released new findings that suggest a Russian-linked entity may be behind the high-profile hack of cryptocurrency exchange FTX.
The revelation comes as part of an ongoing investigation into the theft of a staggering $477 million in various cryptocurrencies from the exchange.
Funds moved during SBF’s court appearance
Elliptic’s report highlights a key moment that casts doubt on initial suspicions that FTX founder Sam Bankman-Fried could be involved in the theft.
According to the firm, $15 million of the stolen assets were moved on Oct. 4, 2023, at 3:41 p.m. EST. At that time, Bankman-Fried was reportedly in a Manhattan courtroom without internet access, making it unlikely that he was responsible for the transaction.
Since the hack, a significant portion of the stolen funds has been converted to Bitcoin (BTC) and funneled through ChipMixer, a now-defunct privacy mixer. Elliptic’s analysis shows that these assets were often mixed with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets.
“This points to the involvement of a broker or other intermediary with a nexus in Russia,” the firm stated.
FTX lost 9,500 Ethereum (ETH) to an unidentified hacker on the same day it filed for bankruptcy in November 2022. The hacker also made off with other cryptocurrencies, including Pax Gold (PAXG), Tether (USDT), and Wrapped Bitcoin (WBTC).
While some of these assets, centrally issued tokens such as USDT and PAXG, were frozen by their issuers, most were successfully converted into other cryptocurrencies and moved to different blockchains.
Breaking the blockchain trail
Elliptic notes that the hacker used various methods to obscure the trail of stolen funds.
On Nov. 20, 65,000 ETH were converted to Bitcoin via RenBridge, a service that, ironically, was owned by Alameda Research, the trading firm affiliated with FTX.
After a pause of nine months, a further 72,500 ETH, valued at $120 million, were converted to Bitcoin through THORSwap, a service that has since suspended its interface over money laundering concerns.
With ChipMixer no longer operational, many of the funds were mixed through Sinbad, a service believed to be a rebranded version of Blender. The U.S. Treasury Department previously sanctioned the latter for aiding the North Korean Lazarus Group.
However, Elliptic does not believe that the Lazarus Group is behind the FTX hack, citing the hacker’s relatively unsophisticated money laundering techniques.
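To make the trail-following described above concrete, here is a small added example of proportional ("haircut") taint tracing over a toy UTXO-style ledger. It is not Elliptic's method or code and nothing in it comes from the original article: the addresses, amounts, transaction IDs and actor labels are all constructed. It shows why pooling hack proceeds with other tagged funds in a mixer turns a single-source trail into a blended exposure profile, which is exactly the kind of co-mingling that lets an analyst say the hack funds were "mixed with" ransomware and darknet-market money.

```python
"""Proportional ("haircut") taint tracing over a constructed ledger.

Added example, not Elliptic's tooling. Every address, label, txid and
amount below is constructed for illustration only.

Assumptions: fee-less transactions (inputs sum equals outputs sum) and
each pass-through address is spent in full exactly once.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list    # [(address, amount), ...]
    outputs: list   # [(address, amount), ...]


# Known-actor attribution for source addresses (constructed labels).
LABELS = {
    "hack1": "FTX hack",
    "rw1": "ransomware affiliate",
    "dnm1": "darknet market",
}

# Constructed ledger, in chain order: the exploit proceeds hop through
# pass-through addresses, get pooled in a mixer transaction (t3) with
# funds from two other tagged sources, and the mixer pays out to fresh
# addresses, one of which later lands at an exchange deposit address.
LEDGER = [
    Tx("t1", [("hack1", 100.0)], [("hop1", 60.0), ("hop2", 40.0)]),
    Tx("t2", [("hop1", 60.0)], [("hop3", 60.0)]),
    Tx("t3", [("hop3", 60.0), ("hop2", 40.0), ("rw1", 50.0), ("dnm1", 50.0)],
       [("out1", 50.0), ("out2", 50.0), ("out3", 50.0), ("out4", 50.0)]),
    Tx("t4", [("out1", 50.0)], [("exch_deposit", 50.0)]),
]


def trace_taint(ledger):
    """Propagate taint through the ledger in order.

    Returns {address: {label: tainted_amount}} for every address whose
    funds have not yet been spent. A labelled input contributes its full
    amount under its own label; an unlabelled input contributes whatever
    taint was previously attributed to it (consumed on spend). Each
    output receives taint in proportion to its share of the tx inputs.
    """
    taint = defaultdict(lambda: defaultdict(float))
    for tx in ledger:
        total_in = sum(amt for _, amt in tx.inputs)
        pooled = defaultdict(float)
        for addr, amt in tx.inputs:
            if addr in LABELS:
                pooled[LABELS[addr]] += amt
            else:
                # Spend (and remove) the taint attributed to this address.
                for label, t in taint.pop(addr, {}).items():
                    pooled[label] += t
        for addr, amt in tx.outputs:
            share = amt / total_in
            for label, t in pooled.items():
                taint[addr][label] += t * share
    return {a: dict(v) for a, v in taint.items()}


def exposure(taint, addr):
    """Fraction of an address's tainted funds attributable to each label."""
    parts = taint.get(addr, {})
    total = sum(parts.values())
    return {label: amt / total for label, amt in parts.items()} if total else {}


if __name__ == "__main__":
    result = trace_taint(LEDGER)
    for addr in ("out2", "exch_deposit"):
        print(addr, result[addr], exposure(result, addr))
```

Before the mixer transaction, every hop address is 100% "FTX hack"; after it, each output (and the exchange deposit fed by one of them) is 50% hack proceeds, 25% ransomware and 25% darknet market, so the trail survives but the attribution becomes a blend. Real analytics pipelines add address clustering, cross-chain bridge matching and per-hop exchange attribution on top of this basic propagation, and they must choose a rule for dividing taint (proportional, FIFO, or poison) since the choice changes which outputs get flagged.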
While the identity of the FTX hacker remains unknown, Elliptic’s latest findings add a new layer of complexity to an already intricate case.
The firm’s analysis points to a Russian-linked entity as a likely suspect, although further investigation is needed to confirm these suspicions.