Some of the estimated $400 million stolen last November from the now-shuttered FTX crypto exchange may have ties to Russia-based cybercriminal groups, according to research from analytics firm Elliptic shared with CoinDesk.
The funds, mostly in ether (ETH), lay dormant for five days before a tranche of 65,000 ETH ($100 million) was transferred to the Bitcoin blockchain using the RenBridge service. The attackers then used a mixer, a blockchain-based tool that masks addresses.
“Of the 4,536 Bitcoins converted from ether at RenBridge, 2,849 BTC were sent via mixers, mainly a service called ChipMixer,” Elliptic said. “Tracking these assets will be more challenging, but at least $4 million has been transferred to exchanges where it may have been disbursed.”
ChipMixer was subsequently shut down and seized during an international law enforcement operation, after which the attackers switched to Sinbad for the mixing service.
The identity of the attackers remains unknown, but portfolio data and analysis of fund movements could help shed light on who could be behind the attack.
Who Hacked FTX?
Elliptic said the suspects range from rogue employees at FTX to the North Korean hacker group Lazarus, which has allegedly exploited several crypto protocols. However, on-chain signs point to Russian groups, the report said.
“A player linked to Russia appears to be a stronger possibility,” the company said. “Of the stolen assets traceable through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges.”
“This indicates the involvement of a broker or other intermediary with a connection in Russia,” the report said.
Accounts linked to FTX and FTX USA were drained on November 11, 2022, just hours after the company filed for bankruptcy and founder Sam Bankman-Fried resigned from the crypto empire he led.
Weeks after resigning from his position at FTX, Bankman-Fried was charged by federal prosecutors with two counts of bank fraud and five counts of conspiracy to commit various types of fraud.
John J. Ray III, the CEO and Chief Restructuring Officer of the FTX Debtors, which is handling FTX’s bankruptcy proceedings, later said that $323 million worth of various tokens had been hacked from the international exchange and $90 million from its U.S. platform.
Stolen funds that had previously been untouched started moving a few days before the start of Bankman-Fried’s trial and have been in transit ever since. Earlier this month, more than 15,000 ether, worth almost $25 million, was exchanged for other tokens using the privacy wallet Railgun and the THORChain exchange.