As the criminal trial of FTX founder Sam Bankman-Fried unfolds in a Manhattan courtroom, some observers in the cryptocurrency world have been watching a different FTX-related crime in progress: The still-unidentified thieves who stole more than $400 million out of FTX on the same day that the exchange declared bankruptcy have, after nine months of silence, been busy moving those funds across blockchains in an apparent attempt to cash out their loot while covering their tracks. Blockchain watchers still hope that money trail might help to identify the perpetrators of the heist—and answer the looming question of whether someone with insider knowledge of FTX was involved.
Today, cryptocurrency tracing firm Elliptic released a new report on the complex path those stolen funds have taken over the 11 months since they were pulled out of FTX on November 11 of last year. Elliptic’s tracing shows how that nine-figure sum, which FTX puts at between $415 million and $432 million, has since moved through a long list of crypto services as the thieves attempt to prepare it for laundering and liquidation, and even through one service owned by FTX itself. But those hundreds of millions also sat idle for all of 2023—only to begin to move again this month, in some cases as Bankman-Fried himself sat in court, raising new and unanswered questions about the thieves’ identities and plans.
“The funds basically didn’t move for nine months, and then a couple of days before the trial starts, they start to move again,” says Tom Robinson, Elliptic’s cofounder and chief scientist. “Why did they have to move the funds now? It doesn’t really make sense to start laundering funds at the time when there’s so much attention on the victim of the hack.”
Aside from that strange timing, Elliptic says the FTX thieves have largely taken steps typical for the perpetrators of large-scale crypto heists as the culprits sought to secure the funds, swap them for more easily laundered coins, and then funnel them through cryptocurrency “mixing” services to achieve that laundering. The majority of the stolen funds, Elliptic says, were stablecoins that, unlike other forms of cryptocurrency, can be frozen by their issuer in the case of theft. In fact, the stablecoin issuer Tether moved quickly to freeze $31 million of the stolen money in response to the FTX heist. So the thieves immediately began exchanging the rest of those stablecoins for other crypto tokens on decentralized exchanges like Uniswap and PancakeSwap—which don’t have the know-your-customer requirements that centralized exchanges do, in part because they don’t allow exchanges for fiat currency.
In the days that followed, Elliptic says, the thieves began a multi-step process to convert the tokens they’d traded for the stablecoins into cryptocurrencies that would be easier to launder. They used “cross-chain bridge” services that allow cryptocurrencies to be exchanged from one blockchain to another, trading their tokens on the bridges Multichain and Wormhole to convert them to Ethereum. By the third day after the theft, the thieves held a single Ethereum account worth $306 million, down about $100 million from their initial total due to the Tether seizure and the cost of their trades.
From there, the thieves appear to have focused on exchanging their Ethereum for Bitcoin, which is often easier to feed into “mixing” services that offer to blend a user’s bitcoins with those of other users to prevent blockchain-based tracing. On November 20, nine days after the theft, they traded about a quarter of their Ethereum holdings for Bitcoin on a bridge service called RenBridge—a service that was, ironically, itself owned by FTX. “Yes, it is quite amazing, really, that the proceeds of a hack were basically being laundered through a service owned by the victim of the hack,” says Elliptic’s Robinson.