In a startling revelation, analysis firm Elliptic has unveiled potential links between the infamous FTX crypto exchange collapse and Russian cybercriminal groups. This connection adds a layer of complexity to the already convoluted narrative surrounding the $400 million stolen from FTX in November last year.
Elliptic's research suggests that a portion of the stolen funds, primarily composed of ether (ETH), has been dormant until recently, with approximately $100 million worth of ETH making a mysterious journey to the Bitcoin blockchain via RenBridge.
The individuals behind this heist have left a trail of uncertainty as they attempted to obscure their tracks. They used a mixer, a blockchain-based tool that masks addresses, which makes the stolen assets challenging to trace.
Elliptic reports that approximately 2,849 BTC out of the 4,536 Bitcoins converted from ether using RenBridge were funneled through mixers, predominantly through a service called ChipMixer. However, at least $4 million of these funds ultimately found their way to exchanges where they could potentially be cashed out.
The situation took an unexpected turn when ChipMixer was shut down and seized as part of an international law-enforcement operation. Following this setback, the attackers switched to Sinbad for their mixing service.
While the identities of these audacious hackers remain a mystery, the data collected from wallets and the analysis of fund movements may eventually shed light on the culprits.
FTX's Mysterious Collapse
The incident that shook FTX occurred on November 11, 2022, mere hours after the company declared bankruptcy and its founder, Sam Bankman-Fried, resigned from his role.
Subsequently, federal prosecutors charged Bankman-Fried with wire fraud and conspiracy to commit various forms of fraud. John J. Ray III, CEO and Chief Restructuring Officer of the FTX Debtors, stated that $323 million in various tokens was pilfered from the international exchange, with another $90 million taken from the U.S. platform.
Stolen Assets Back in Motion
Interestingly, the stolen assets that had been dormant started to move shortly before Bankman-Fried's trial began and have continued to do so. Just recently, over 15,000 ETH, equivalent to nearly $25 million, was exchanged for other tokens through the privacy wallet Railgun and the THORChain exchange.
Anonymous hackers connected to the now-defunct FTX have begun moving substantial amounts of stolen assets just as the trial of FTX founder Sam Bankman-Fried kicked off. Approximately 72,500 ETH, valued at $1,544, has come to life since the FTX hack in November 2022.
The thief has systematically converted ETH into Bitcoin through the multichain decentralized exchange (DEX) THORSwap. Since September 30, 2023, about $120 million worth of ETH has been converted into Bitcoin, totaling $26,674. This laundering technique echoes the one used in the original heist, where 65,000 ETH ($100 million) were converted to BTC using RenBridge.
The Value Grows Over Time
The report by Elliptic notes that the 180,000 ETH not converted to Bitcoin through RenBridge remained dormant until September 30, 2023, when its value had grown to $300 million.
In the days following the initial hack, the FTX hacker is believed to have lost $94 million as they rushed to launder the funds through decentralized exchanges, cross-chain bridges, and mixers.
Despite nearly a year passing since the hack, the identity of the FTX thief remains a mystery. Elliptic has suggested three potential culprits: an inside job by someone associated with FTX, North Korea's Lazarus Group, and Russia-linked criminal groups.
According to Elliptic's report, "Some FTX employees would have had access to the business's crypto assets in order to move them for operational reasons. In the chaos surrounding the company's bankruptcy and collapse, it may have been possible for an internal actor to take these assets."
As the investigation into the FTX collapse and the associated hacker's activities continues, the story remains complex for the crypto community and law enforcement agencies searching for answers. The role of Russian cybercriminal groups in this saga adds another layer of complexity to an already intricate narrative.