WIRED Investigating the Mysterious Hacker Incident on the Day of FTX Bankruptcy

WIRED Unravels the Enigmatic Hacker Event During FTX's Bankruptcy

Author | Wired

Compiled by | Wu Blockchain

Original article link:

https://www.wired.com/story/ftx-1-billion-crypto-heist/

• Filecoin virtual currency mining losses, can we really defend our rights?
• Why aren’t people talking about blockchain technology anymore? Is this a good thing?
• Inside story How FTX stays up all night to prevent a $1 billion cryptocurrency theft case

On the evening of November 11th last year, employees of FTX experienced the worst day in the company’s short history. Just 10 months earlier, this company, which had just become one of the top global cryptocurrency exchanges, announced bankruptcy. After a long effort, the executives convinced the company’s CEO, Sam Bankman-Fried, to transfer power to John Ray III, the new CEO whose current task is to guide the company out of a nightmarish debt crisis with seemingly no means to repay that debt.

FTX seemed to have hit rock bottom. Until someone – one or more as-yet-unknown thieves – chose that particular moment to make things worse. On that Friday evening, exhausted FTX employees began to see the mysterious outflow of the company’s cryptocurrency on Etherscan, with billions of dollars worth of cryptocurrency being stolen in real time.

“Holy cow, after everything, we’re hacked too?” recalled a former FTX employee who requested anonymity because he was not authorized to discuss internal company affairs.

According to FTX’s own accounts, the company eventually lost between $415 million and $432 million in cryptocurrency assets due to those unknown thieves, a number that has been publicly confirmed as part of its bankruptcy proceedings. What FTX had not previously disclosed is how close it came to potentially losing more – its employees and external advisors urgently moved over $1 billion worth of cryptocurrency to more secure storage spaces to prevent it from being maliciously seized. At one point, they even raced to send nearly $500 million to a physical USB drive in an advisor’s office to prevent it from falling into the hands of the thieves.

“Invitation: Urgent”

As the trial of FTX’s infamous founder Sam Bankman-Fried enters its second week, many in the cryptocurrency community are closely watching the courtroom proceedings for any clues as to how the exchange was so catastrophically looted mere hours after he left its control. The question of who carried out the theft – and whether the thieves were insiders at FTX or external hackers – is crucial. This puzzle remains unsolved, and neither Bankman-Fried nor other senior FTX executives have been charged in connection with the theft.

However, now WIRED can reveal the events of that panic-filled night when FTX worked to limit the damage caused by the theft – and potentially prevent a heist worth tens of billions. The new FTX leadership team, under the leadership of their new CEO Ray, declined an interview about the incident. But WIRED has learned about the crisis response in real-time through detailed invoices filed by restructuring firm Alvarez & Marsall regarding the FTX bankruptcy case, interviews with individuals involved in responding to the theft, and blockchain analysis provided by cryptocurrency tracing company Elliptic.

This response began around 10 pm on November 11th, when Zach Dexter, the CEO of FTX subsidiary LedgerX, sent a Google Meet invitation to the remaining 20+ FTX employees, bankruptcy lawyers, advisors, and consultants. The subject line of the invitation read: “Emergency.”

A few employees quickly joined the Google Meet video call, which would ultimately have dozens of participants in the next 12 hours. They could all see in real-time on Etherscan that the FTX wallet was being emptied. But almost no one knew where exactly FTX stored its cryptocurrencies or how it managed and controlled the keys to those wallets. This information was only known by a small group of FTX elites – Bankman-Fried and his inner circle. According to sources present, Bankman-Fried never appeared in the meeting, but FTX co-founder and CTO Gary Wang joined the call.

By this point, Wang had already lost the trust of many who were close to Ray. During the collapse of FTX, Wang initially sided with Bankman-Fried, only distancing himself from the former CEO after days of persuasions from others within the company.

During the emergency meeting, Wang initially proposed that the ongoing theft could be stopped by simply changing the keys that protected the wallets being emptied. However, this suggestion did not win the support of any critics. Former FTX employees remember feeling that it made no sense since anyone with network access could simply grab the new keys and continue their theft. “The fox is already in the henhouse, and you’re going to change the keys to the henhouse?” former employees recalled thinking. Wang later pleaded guilty to the same criminal charges Bankman-Fried now faces and did not respond to requests for comment sent to his lawyers.

However, as the Google Meet call began, LedgerX’s Dexter had already started exploring a different approach to protect FTX’s funds. In the week preceding the theft, digital asset custodian BitGo had been negotiating with Sullivan & Cromwell, the law firm responsible for overseeing FTX’s bankruptcy process, to take over the company’s remaining cryptocurrency assets. As a result, Dexter called BitGo, attempting to bypass Sullivan & Cromwell and their lengthy legal contract process. Instead, Dexter requested that BitGo immediately create “cold storage” wallets – wallets that would be securely stored offline – where FTX could move all its remaining funds as a safe haven. Dexter did not respond to requests for comment.

BitGo stated that these wallets could be ready in about half an hour. FTX employees were concerned that this was still too slow. By then, the thieves could potentially take hundreds of millions of dollars’ worth of cryptocurrencies from the company’s wallets.

In the middle of a Google Meet call, someone asked if anyone had their own hardware wallet to store their money until it was ready on BitGo. Kumanan Ramanathan, an FTX advisor from Alvarez & Marsall participating in the call from his home in the suburbs of New York, volunteered to help. He had a Ledger Nano – a USB hardware wallet – in his home office and proposed setting it up as a temporary safe haven for the vulnerable funds.

On November 11, around 10:30 PM EST, Ramanathan set up a new wallet on his Ledger Nano. Former FTX employees remember seeing him check and double-check the password he created for the wallet. Wang started sending FTX funds to this wallet, and soon Ramanathan held nearly $400-500 million worth of encrypted assets in his USB drive located at his Westchester County home.

Late-night 911 call

A few minutes later, BitGo informed FTX employees that their wallet was ready, and they began transferring hundreds of millions of dollars’ worth of cryptocurrency to BitGo’s cold storage instead of Ramanathan’s Ledger device. Throughout the remainder of that sleepless night, employees searched every wallet storing FTX funds and transferred every coin they could find to BitGo. “They were cleaning up various systems, trying to find where various private keys were, where assets were stored,” said another person involved in the response who was not authorized to speak publicly. “It was chaotic.”

While FTX employees focused on getting approval from executives for these potentially vulnerable fund transfers, Ramanathan was left holding the cryptocurrency that Wang initially transferred to his Ledger wallet. This created a strange situation in which an individual actually possessed funds worth approximately $500 million from FTX, bringing with it its own unique legal and security risks. That evening, FTX’s general counsel, Ryne Miller, rushed to Ramanathan’s home to help safeguard it. Ryne Miller declined to comment on this story, and Ramanathan did not respond to requests for comment.

At 10:59 PM EST, Ramanathan called the police to report the ongoing theft and explained that he was holding a large amount of the victim’s funds, requesting that the police come to his home to assist in protecting it. After all, at that time, no one knew (or knows now) who had stolen the other funds and whether they might attempt physical contact with Ramanathan’s holdings. A police report obtained by WIRED from the New Rochelle Police Department shows that Ramanathan told the 911 dispatcher, “There is a massive cryptocurrency attack going on right now with a lot of money being sent to this address,” and he is “concerned that this house will become a target.”

Even after the police arrived, FTX’s general counsel, Miller, remained at Ramanathan’s home for most of the night. Ramanathan’s billing records show that he and Miller spent close to three and a half hours at his home from around 2 AM to 5 AM on November 12.

Ramanathan or his family have not faced any substantial threats. In fact, the theft of funds from FTX stopped when the funds were transferred to Ramanathan’s Ledger wallet. “He took a huge risk with his personal Ledger,” a former FTX employee said. “He’s a genius. I have a strong feeling that if we didn’t have this Ledger, we would have lost more money.” Ultimately, on November 12, around 5 am on Saturday, the money in Ramanathan’s home office was transferred to BitGo. The company would eventually hold the remaining FTX funds of $1.1 billion.

Later on Saturday, Bankman-Fried and Wang transferred over $400 million to an account controlled by the Bahamian government for safekeeping, as reported by Forbes and documented in court filings. For a while, the act of transferring the funds to the Bahamas seemed to be mistaken as the theft itself. A week after the theft occurred, some media outlets erroneously reported that the stolen funds had actually been confiscated by the Bahamian government. As evidence to the contrary, cryptocurrency tracking companies like Elliptic and Chainalysis observed that a portion of the stolen funds were sent to “mixing” services commonly used for money laundering, such as Railgun and the cross-chain cryptocurrency exchange service THORChain, which is typical behavior of thieves executing large-scale cryptocurrency thefts.

No protection, no roadmap

Since the desperate rescue operation on November 11, the new team responsible for the FTX bankruptcy process has publicly alleged serious security flaws that allowed the theft to occur.

A 4-month report released as part of the FTX bankruptcy proceedings listed examples of such alleged negligence: the previous FTX team had no independent Chief Information Security Officer or an actual dedicated security team; despite instructions to publicly claim that only a maximum of 10% of cryptocurrencies were held in hot wallets (wallets connected to the internet), it stored almost all cryptocurrencies in hot wallets; it left unencrypted wallet keys or failed to properly configure multiple key unlocking systems required for accessing the funds securely; and it lacked even a log system to know who and when funds were being transferred, among other issues.

The report also described the complex situation the new FTX team faced on November 11, when it took over a network that was already severely compromised. “Due to a lack of effective control by the FTX Group to safeguard the encumbered digital assets, the Debtors face the threat of the potential loss of billions of dollars of additional assets,” the report wrote, using the term “Debtors” to describe the new FTX management team led by Ray. “The Debtors have had to devise technical pathways to move many types of assets they have identified into cold wallets because of the Debtors’ efforts to identify and access the encumbered digital assets without a ‘roadmap’ guiding them.”

Given the obvious security and organizational chaos, it is perhaps not surprising that FTX became the target of the most expensive cryptocurrency theft in history. But if it wasn’t for making some quick decisions in that chaos, it seems that the situation could have been even worse.

“It was a very, very crazy night,” said a former FTX employee. “We worked hard to resolve the issues, completed the mission, and saved a significant amount of customers’ money.”

We will continue to update Blocking; if you have any questions or suggestions, please contact us!