FTX-owned service being used to launder hundreds of millions 'hacked' from FTX, researchers say

Key Points
  • Hackers who stole around $477 million worth of cryptocurrency from collapsed exchange FTX have started to launder the funds into bitcoin.
  • The stolen money has been converted into different digital coins but the bulk of it — more than $280 million — was changed into the cryptocurrency ether.
  • Tom Robinson, co-founder of Elliptic, told CNBC that the hackers were converting the ether into a crypto product called RenBTC which is then being converted into bitcoin via a bridge.
FTX filed for bankruptcy in the U.S. on Nov. 11, 2022, seeking court protection as it looks for a way to return money to users.

Hackers who stole around $477 million worth of cryptocurrency from collapsed exchange FTX have started to launder the funds into bitcoin.

This month, after FTX filed for bankruptcy, new CEO John Ray III said that "unauthorized access to certain assets has occurred."

Blockchain analytics company Elliptic estimates that around $477 million worth of cryptocurrency had been stolen from FTX.

The theft adds insult to injury for FTX, a once $32 billion crypto empire whose collapse has sent shockwaves across the industry.

The stolen money has been converted into different digital coins but the bulk of it — more than $280 million — was changed into the cryptocurrency ether, according to public blockchain records of the account linked to the hackers.

Tom Robinson, co-founder of Elliptic, told CNBC that the hackers were converting the ether into a crypto product called RenBTC which is then being converted into bitcoin via a bridge. This allows one crypto to be converted into another without going through a centralized exchange.

"This is a common tactic in the laundering of crypto thefts," Robinson said.

Elliptic researchers have documented how RenBridge has been used to launder "hundreds of millions" of dollars in cryptocurrency suspected of being sourced from ransomware attacks or hacks. Some of those hacks have connections to Russian-backed ransomware groups, according to Elliptic.

So far, $74 million has been moved to bitcoin from RenBTC using RenBridge.

Alameda, a trading firm and sister company to FTX, acquired RenBridge in 2021 as part of FTX's broader efforts to build out Solana and Serum.

Serum is a "decentralized exchange," with a Serum token running natively on Solana, promising users faster settlement and execution times. FTX and Alameda were large backers of the project, which was forked in an attempt to prevent FTX control following the bankruptcy.

On Nov. 11, FTX users noted unusual transfers of cryptocurrency, sparking fears that FTX's platform had been compromised. Posts in FTX's Telegram thread indicated that the app and platform had in fact been infiltrated and compromised.

Further allegations that Bankman-Fried worked with the regulators in the Bahamas to move crypto out of FTX wallets came after a Vox interview — which Bankman-Fried would later claim he understood as a casual conversation with a reporter friend — in which the ex-CEO of FTX pinned the suspected theft of FTX crypto on a disgruntled employee. 

FTX filings said they discovered the Bahamian transfers while investigating the weekend crypto theft. What those filings left unanswered was whether those two were one and the same, or two separate occurrences.

It is not yet clear how much the assets that Bahamian regulators took into custody are worth. CNBC reported on an emergency court filing by FTX on Nov. 18 to stop further action by the Bahamas regulators. FTX filings alleged that Bankman-Fried was possibly working in concert with those regulators.

Hackers at some point will want to cash that money out into fiat. However, Robinson said that will be "challenging" due to the "traceability of crypto."

He said that he expects the hackers to use "mixers to cover their blockchain trail."

Mixers are services or software that allow a crypto transaction trail to be obfuscated on the blockchain, making it difficult or impossible to trace these funds, Robinson said.

"This may be one of the motivations behind moving these assets to bitcoin — the greater availability of mixing services," he added.

The blockchain is a public ledger of crypto activity. Each coin may have its own blockchain. That makes it possible to trace, to an extent, where funds are moving. The use of mixers could make this difficult.

Crypto compliance software company Chainalysis in a tweet on Sunday also confirmed that hackers are moving funds.

FTX on Sunday urged cryptocurrency exchanges to keep an eye out for the stolen funds if the hackers try to process the money via one of their services.

"Exchanges should take all measures to secure these funds to be returned to the bankruptcy estate," FTX said in another tweet.

FTX owes its largest creditors some $3.1 billion, according to court filings. Put another way, the hacked money is about 15% of what FTX owes its biggest clients alone.

Bankman-Fried once oversaw a sprawling crypto empire that spanned every inhabited continent and claimed billions in assets. The implosion of FTX has left Bankman-Fried a paper pauper and investors unable to access their crypto assets.