Security firms track FTX exploiter through Bitcoin mixer
Experts are tracking one of the largest exploits in crypto history as the attacker attempts to launder their funds
REDPIXEL.PL/Shutterstock modified by Blockworks
A significant portion of the funds from a nearly $500 million exploit are currently being laundered via a mixer service on the Bitcoin blockchain. However, informed sources tell Blockworks that the exploiter’s efforts may be stymied by the sheer sum they’re attempting to obfuscate.
Amid the collapse of crypto exchange FTX in November 2022, an unknown attacker made off with $477 million in customer funds.
According to a report from analysis firm Elliptic, in the weeks that followed the attacker almost immediately lost some $31 million from Tether freezing their USDT, and likewise lost significant sums to slippage as they swapped between stablecoins and other assets to ether.
The attacker then bridged some 74,000 of their remaining 245,000 ether (ETH) ($306 million at the time) through the now-defunct Ren cross-chain bridge to Bitcoin, where they then deposited into the ChipMixer mixing service, per Elliptic research. Elliptic estimates that upwards of $4 million was eventually successfully sent to centralized exchanges to offramp to fiat.
Since then, the remaining 185,000 ETH sat largely untouched, until the hacker once again began swapping ETH for BTC last week.
In an interview with Blockworks, Evgenii Melnichuk, chief investigation officer at BLIN Analytics, reported that the exploiter swapped nearly 72,500 ETH to bitcoin (BTC) via ThorChain. Subsequently, ThorChain paused its operations, partly due to concerns over potential law enforcement scrutiny.
But why is the exploiter swapping from Ethereum to Bitcoin to begin with?
“One of the main reasons is liquidity,” said Melnichuk. “On Bitcoin there’s more mixers, and they’re different. On Ethereum, after Tornado was sanctioned, a lot of people stopped using it and liquidity decreased, and as a result the anonymity set also decreased.”
Indeed, both BLIN and Elliptic confirm that the exploiter has attempted to wash 4,000 BTC via Sinbad, a clone of the Blender.io service, which was sanctioned by the treasury in 2022.
However, according to Melnichuk, the vast amounts deposited into Sinbad have “overheated” the service, ruining the anonymity set. BLIN believes it has successfully tracked the funds through the mixer as a result.
“Some of the coins the hacker deposited to Sinbad were withdrawn by the same hacker — the mixer was overheated,” Melnichuk told Blockworks.
The 4,000 BTC have been transferred to intermediary addresses. From there, the hacker will likely dispatch the funds to exchanges, leveraging stolen or purchased accounts. A second option is that the hacker will attempt to send funds to other blockchains to further obfuscate their tracks, perhaps sending funds to Avalanche — a pattern used by North Korean-funded Lazarus Group hackers.
Elliptic, meanwhile, believes it has tracked the older BTC mixed through Chipmixer.
“Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia,” the firm wrote.
Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.
Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.
Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.
The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.
