Inside Story: How FTX Stayed Up All Night to Prevent a $1 Billion Cryptocurrency Theft

Author: Andy Greenberg, Wired; Translation: Song Xue, LianGuai

On the evening of November 11th last year, FTX employees experienced one of the worst days in the short life of the company. Just 10 months earlier, the company had declared bankruptcy after becoming one of the top global cryptocurrency exchanges. After a long struggle, executives convinced the CEO, Sam Bankman-Fried, to transfer power to the new CEO, John Ray III, whose task now is to lead the company through a nightmarish jungle of debt, much of which seems impossible to pay off.

FTX seemed to have hit rock bottom. Then someone, one or more unidentified thieves, chose that particular moment to make things worse. That Friday night, exhausted FTX employees began to see the company's cryptocurrency mysteriously flowing out, the transfers publicly visible on Etherscan, the website that tracks the Ethereum blockchain, which meant that billions of dollars' worth of cryptocurrency was being stolen in real time.

“Oh God,” recalled a former FTX employee, “that was my thought at the time.” The employee requested anonymity because they are not authorized to discuss internal company affairs. “After going through all of this, we were hacked?”

According to its own accounting, FTX ultimately lost between $415 million and $432 million in cryptocurrency assets to these unidentified thieves, a figure FTX confirmed publicly during the bankruptcy proceedings. What FTX did not previously disclose is that it could have lost far more: how its employees and external consultants scrambled to move over $1 billion worth of cryptocurrency into safer storage to keep it from being stolen. At one point, nearly $500 million worth of cryptocurrency was even sent to a physical USB drive in an advisor's office, in a race to keep it out of the thieves' hands.

“Invitation: Urgent”

As the trial of FTX's disgraced founder, Sam Bankman-Fried, enters its second week, many in the cryptocurrency community are closely watching the courtroom drama for any clue about how the exchange was so disastrously robbed just hours after he relinquished control. The question of who carried out the theft, and whether the thieves were FTX insiders or external hackers, is of particular interest. That mystery remains unsolved; neither Bankman-Fried nor any other FTX executive has been charged with the theft.

But now, Wired can reveal FTX's emergency actions to limit the damage from the theft and prevent what could have been a ten-figure heist. FTX's new leadership, under CEO John Ray, declined to be interviewed about the incident. However, Wired has pieced together an hour-by-hour account of the crisis response from detailed invoices submitted by the consultancy Alvarez & Marsal, interviews with people involved in the immediate response to the theft, and blockchain analysis provided by the cryptocurrency tracing company Elliptic.

This response began around 10 p.m. on November 11th when Zach Dexter, CEO of FTX subsidiary LedgerX, sent Google Meet invitations to over 20 remaining FTX employees, bankruptcy lawyers, and advisors. The subject of the invitation had only one word: “Emergency.”

A few employees quickly joined the Google Meet video call, and over the next 12 hours the number of participants grew to dozens. They could all watch in real time on Etherscan as the FTX wallets were emptied. But almost no one on the call knew where FTX actually stored its cryptocurrency or how it managed and controlled the keys to those wallets. That knowledge was held only by a small group at the top of FTX: Sam Bankman-Fried and his inner circle. According to sources present at the meeting, Bankman-Fried never attended, but FTX co-founder and CTO Gary Wang did.

Sources say that by this point many people close to Ray no longer trusted Wang. During the FTX collapse, Wang initially stood by Bankman-Fried and distanced himself from the former CEO only after days of persuasion from other employees within the company.

Wang won over none of his critics at the emergency meeting when he first suggested that simply changing the keys to the emptied wallets would stop the ongoing theft. To the former FTX employee, this seemed pointless, since anyone who already had access to the network could simply obtain the new keys and keep looting. "The fox is in the henhouse, and you want to change the lock on the henhouse?" the former employee remembers thinking at the time. Wang later admitted to facing the same criminal charges as Bankman-Fried but did not respond to requests for comment sent to his lawyer.

However, just as the Google Meet call began, LedgerX's Dexter started exploring a different approach to protecting FTX's funds. A week before the theft, the digital asset custody company BitGo had been negotiating with Sullivan & Cromwell, the law firm handling FTX's bankruptcy proceedings, to take custody of the company's remaining cryptocurrency assets. So Dexter now called BitGo directly, trying to bypass the lengthy legal contracting process that Sullivan & Cromwell had begun. Instead, Dexter asked BitGo to immediately create a "cold storage" wallet (one whose keys are kept securely offline) into which FTX could move all of its remaining funds as a safe haven. Dexter did not respond to requests for comment.

BitGo said it could prepare the wallet in about half an hour. FTX employees were concerned that this was still too slow. By then, thieves could steal hundreds of millions of dollars’ worth of cryptocurrencies from the company’s wallets.

During the Google Meet call, someone asked whether anyone had a hardware wallet of their own where the funds could be parked until BitGo was ready. Kumanan Ramanathan, an FTX advisor from Alvarez & Marsal, dialed in from his home in the suburbs of New York and volunteered. He had a Ledger Nano (a USB hardware wallet) in his home office and proposed using it as a temporary refuge for the vulnerable funds.

On the evening of November 11th, at around 10:30 PM, Ramanathan set up a new wallet on his Ledger Nano. The former FTX employee remembers watching him carefully check the password he had created for the wallet. Wang began transferring FTX funds into it, and soon Ramanathan held around $400 million to $500 million worth of crypto assets on a USB device in his home in Westchester County.

A Late Night 911 Call

A few minutes later, BitGo informed the FTX staff that their wallet was ready, and they began transferring hundreds of millions of dollars' worth of cryptocurrency into BitGo's cold storage instead of Ramanathan's Ledger device. Throughout the rest of that sleepless night, the staff hunted down every wallet holding FTX funds and moved all the tokens they could find to BitGo. "They were combing through all these systems, trying to find where all the private keys were and where the assets were stored," said another person involved in the response, who asked to remain anonymous because they were not authorized to discuss the matter publicly. "It was just chaos."

Because the FTX staff were focused on getting executive approval to move these potentially vulnerable funds, Ramanathan was left holding the cryptocurrency that Wang had initially transferred to his Ledger wallet. This created a peculiar situation in which a single person personally held around $500 million worth of FTX funds, with all the legal and security risks that entails. That night, FTX's general counsel, Ryne Miller, rushed to Ramanathan's home to help guard it. Miller declined to comment on the matter, and Ramanathan did not respond to requests for comment.

At 10:59 PM, Ramanathan called the police to report a theft, explained that he was holding a large amount of the victim's money, and asked for police help in protecting his home. After all, no one, then or now, knew who had stolen the other funds or whether they might come for the crypto assets Ramanathan held. A police report from the New Rochelle Police Department obtained by Wired shows that Ramanathan told the 911 dispatcher, "There is currently a large-scale cryptocurrency attack happening, and a significant amount of funds are being sent to this address," and that he was "concerned the house will be targeted."

Even after the police arrived, FTX's general counsel, Miller, stayed at the house well into the early hours. Billing records for Ramanathan indicate that he and Miller spent alm

According to Forbes and court documents, on Saturday evening Bankman-Fried and Wang transferred over $4 billion into an account controlled by the Bahamian government for safekeeping. In some quarters, the flow of funds to the Bahamas has been conflated with the theft itself: a week after the theft, some media outlets mistakenly reported that the stolen funds had in fact been seized by the Bahamian government. By contrast, cryptocurrency tracing firms such as Elliptic and Chainalysis observed that some of the actually stolen funds were sent to "mixing" services such as Railgun, which are commonly used to launder stolen crypto, and to the cross-chain token exchange service THORChain, behavior typical of large-scale cryptocurrency thefts.

Few Security Measures and No "Detailed Arrangements"

In the months since the desperate rescue operation of November 11th, FTX's new leadership, which is responsible for handling the company's bankruptcy proceedings, has publicly stated that obvious security flaws made the theft possible.

A report released in April as part of the FTX bankruptcy process listed examples of that negligence: the old FTX had no independent chief information security officer and no actual dedicated security team; the company kept almost all of its cryptocurrency in hot wallets (wallets connected to the internet), even though employees were instructed to state publicly that only 10% of the cryptocurrency was held in hot wallets; it left the keys to these wallets unencrypted, or failed to properly set up a secure system that required multiple keys to unlock funds; and it lacked a system of record, so it could not even tell who had transferred funds and when, among many other issues.
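The staff on the call were reduced to watching outflows on Etherscan by eye, and the April report faults FTX for having no record of who moved funds and when. As an added illustration, not part of the Wired report or any FTX, BitGo or Elliptic tooling, here is a small Python monitor over constructed transfer records in the shape Etherscan displays (timestamp, from, to, asset, USD value) that flags outflows from a known set of treasury wallets to non-allowlisted destinations exceeding a threshold within a time window. All addresses, amounts and timestamps are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical treasury (hot) wallets and approved destinations such as the
# custodian's cold-storage wallet. Addresses are constructed placeholders.
TREASURY = {"0xTREASURY_HOT_1", "0xTREASURY_HOT_2"}
ALLOWLIST = {"0xBITGO_COLD", "0xLEDGER_TEMP"}


@dataclass(frozen=True)
class Transfer:
    ts: int      # unix seconds, as shown on a block explorer
    src: str
    dst: str
    asset: str
    usd: float   # value at time of transfer


def suspicious_outflows(transfers, treasury, allowlist,
                        window_s=600, threshold_usd=1_000_000.0):
    """Return one alert (dst, total_usd, first_ts, last_ts) per destination that
    is not on the allowlist and received more than threshold_usd from treasury
    wallets within any window_s-second span. Sweeps to approved cold storage and
    small routine payments do not trigger alerts."""
    per_dst = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.src in treasury and t.dst not in allowlist:
            per_dst[t.dst].append(t)
    alerts = []
    for dst, txs in per_dst.items():
        start = 0
        for end in range(len(txs)):          # sliding window over receipts
            while txs[end].ts - txs[start].ts > window_s:
                start += 1
            total = sum(x.usd for x in txs[start:end + 1])
            if total > threshold_usd:
                alerts.append((dst, total, txs[start].ts, txs[end].ts))
                break                        # one alert per destination
    return alerts


# Constructed sample feed: two quick drains to an unknown address, a large
# sweep to the custodian, a small vendor payment, and a later drain outside
# the window. Timestamps fall on the evening of 2022-11-11 UTC.
SAMPLE = [
    Transfer(1668204000, "0xTREASURY_HOT_1", "0xUNKNOWN_A", "ETH", 600_000.0),
    Transfer(1668204120, "0xTREASURY_HOT_1", "0xUNKNOWN_A", "USDT", 450_000.0),
    Transfer(1668204300, "0xTREASURY_HOT_2", "0xBITGO_COLD", "ETH", 250_000_000.0),
    Transfer(1668204400, "0xTREASURY_HOT_2", "0xVENDOR", "USDC", 20_000.0),
    Transfer(1668210000, "0xTREASURY_HOT_1", "0xUNKNOWN_A", "ETH", 300_000.0),
]

if __name__ == "__main__":
    for dst, total, first, last in suspicious_outflows(SAMPLE, TREASURY, ALLOWLIST):
        print(f"ALERT {dst}: ${total:,.0f} drained between {first} and {last}")
```

On the sample feed only the unknown destination is flagged, for the two transfers that together exceed $1 million within ten minutes; the $250 million sweep to the allowlisted custodian and the vendor payment pass silently.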

The same report described the impossible situation the new FTX management faced on November 11th, when it inherited a severely compromised network on its first day in charge. "Because of the FTX Group's inadequate control over cryptocurrency assets, the debtors faced the risk of losing billions of dollars of additional assets at any moment," the report stated, using "the debtors" to refer to the company under its new leadership. "In the absence of any 'detailed arrangements' to follow, the debtors had to devise technical approaches to transfer the various types of assets they identified to cold storage."

Given the apparent lack of security and organizational chaos, it is perhaps not surprising that FTX became one of the most expensive targets of cryptocurrency heists in history. But if some decisions hadn’t been made quickly in the chaos, the situation could have been even worse.

“It was a very, very crazy night,” said the former FTX employee. “We worked hard, we finished, and we saved a lot of money for the clients.”
