FTX wallets were on the move late on Friday night, the same day that FTX and its related companies filed for Chapter 11 bankruptcy. And it looked too soon, too late at night, and too sophisticated for the actions to be attributed to liquidators.
Several wallets allegedly belonging to FTX were drained of hundreds of millions of dollars in coins, with funds being transferred from Tether (USDT) into stablecoin DAI and from staked Ethereum (stETH) into Ethereum (ETH).
The exodus totals around $650 million according to an estimate by blockchain sleuth ZachXBT.
BlackHat seems like 0x59 & 6sek1 (~$450m?)
Whitehat seems like 0x97 & 0xd8 (~$196m)
Not sure about 6b4ay ($1.6b if counting illiquid tokens like MAPS OXY etc.)
Blockchain developer and auditor Foobar noticed the first transfer of $26 million and issued an alert at 9:47 pm EST.
Hundreds of millions of dollars are now flowing out of FTX wallets, some speculate liquidators but it’s late on a friday night, not typical times for such rapid heavy movements. Some withdrawals are being swapped from Tether to DAI. Hack or insider actions? $26 million here pic.twitter.com/8wWlaE7na9
As the movement continued in real time—all trackable on Etherscan—Crypto Twitter erupted in theories. Was it a hack, or an inside job from FTX leadership safeguarding their own funds, directly disobeying the bankruptcy proceedings?
“Hundreds of millions of dollars are now flowing out of FTX wallets. Some speculate liquidators, but it’s late on a Friday night, not typical times for such rapid heavy movements,” Foobar tweeted.
“Multiple former FTX employees confirmed to me they do not recognize these transfers,” ZachXBT tweeted at 10:48 pm EST.
According to blockchain tracking website DeBank, $280,726,364 in ETH, $99,276,088 in BNB, and $3,970,099 in AVAX were sent to one of the receiving wallets.
The draining continued.
somebody sent an onchain message to the recipient account with 4byte selector `0x3d24a1ff`, which is the hash of function name “Rug Pull All”
At 11:08 pm EST, FTX US general counsel Ryne Miller tweeted, “Investigating abnormalities with wallet movements related to consolidation of ftx balances across exchanges.” As crypto sleuths on Twitter surmised, Miller would have been informed if the funds were being moved as part of the liquidation process.
Just before midnight, an FTX Telegram administrator named Rey posted: “Ftx has been hacked. All funds seem to be gone.”FTX apps are malware. Delete them. Chat is open. Don’t go on ftx site as it might download Trojans.”
In cybersecurity, Trojans (named after the Trojan Horse of Greek mythology) are programs that claim to perform one function but actually do another, typically malicious. Trojans can take the form of attachments, downloads, and fake videos.
But many onlookers did not buy the idea that this was a hack.
“If you think FTX is being hacked right now, you should consider quitting crypto. you are too kind and gullible for this industry,” DeFi Pulse founder Scott Lewis tweeted.
Twitter “chief Twit” Elon Musk took the opportunity to point out that all the action was playing out on Twitter.
FTX meltdown/ransack being tracked in real-time on Twitter
It took until 2:07 am EST for Ryne Miller to provide another update. He claimed that earlier on Friday FTX and FTX US had “initiated precautionary steps to move all digital assets to cold storage” and that the “process was expedited this evening to mitigate damage upon observing unauthorized transactions.”
Following the Chapter 11 bankruptcy filings – FTX US and FTX [dot] com initiated precautionary steps to move all digital assets to cold storage. Process was expedited this evening – to mitigate damage upon observing unauthorized transactions.