The curious case of the FTX hacker moving funds during Bankman-Fried trial
Crypto analysts, as well as the services the hacker has used to move the illicit funds, have taken notice of the shift.
“It is notable that much of the stolen funds remained dormant for several months, until just before the start of Bankman-Fried’s trial in New York,” the blockchain analysis firm Elliptic noted in an analysis this morning that breaks down how the hacker has behaved since the theft. “Crypto launderers have been known to wait for years to move and cash-out assets once public attention has dissipated – but in this case they have begun to move just as the world’s attention is once again directed towards FTX and the events of November 2022.”
It’s been an eventful couple of weeks for news about the FTX hack. Also this week, Wired published an investigation of the night of the heist, revealing, among other things, how the theft could have been much worse and how a $1 billion loss was averted.
This isn’t the first time the FTX thief has moved the stolen crypto. The still-unknown hacker carried out the heist on Nov. 11, 2022, the same day FTX declared bankruptcy.
“After all this, we’re being hacked?” an unnamed former FTX staffer told Wired’s Andy Greenberg they remembered thinking.
As Elliptic described it, the thief immediately began laundering the funds but quickly hit hurdles from the issuers of some cryptocurrencies: Tether, for example, was able to freeze $31.5 million worth.
As the hacker shifted to other venues to cover their tracks, though, they began to incur expenses.
“The thief lost $94 million in the days following the hack as they rushed to launder the funds through decentralized exchanges (DEXs), cross-chain bridges and mixers,” Elliptic’s analysis reads.
On Nov. 20, the thief ironically transferred the funds using the RenBridge cross-chain bridge.
“Incredibly, the company behind RenBridge was owned by Alameda Research – so funds stolen from FTX were being laundered through a service effectively owned by its sister company,” Elliptic wrote.
The unlaundered haul was worth around $300 million by Sept. 30, Elliptic said. That’s when the hacker moved again, this time through another cross-chain swap service, THORSwap.
“Yesterday, following a careful evaluation of the situation and consultation with advisors, legal counsel, and law enforcement, the decision was made to temporarily transition the THORSwap interface into maintenance mode,” ThorSwap’s account on X, formerly known as Twitter, relayed on Oct. 6. “This action was taken to swiftly curtail any further potential illicit activity. THORSwap will remain in this mode until a more permanent and robust solution can be implemented to ensure the platform’s continued security and integrity.”
The hacker has acted yet again since.
The hacker’s motive for acting now has prompted some speculation from the industry.
- “With the onset of the FTX trial and the substantial public attention and media coverage it is receiving, the individual accountable for draining the funds might be feeling an increased urgency to conceal the assets,” Hugh Brooks, director of security operations for blockchain security firm CertiK, told Tom Mitchelhill of CoinTelegraph.
- “It’s also plausible that the FTX drainer harbored an assumption that the trial would monopolize so much attention from the Web3 industry that there would be insufficient bandwidth to trace all stolen funds while also covering the trial concurrently,” Brooks continued.
A Google Meet discussion with FTX staffers and advisers on the night of the theft led to the notion that digital asset trust company BitGo could provide a safe haven for the remaining FTX funds, as Greenberg reported.
“BitGo said it could have the wallets ready in around half an hour,” Greenberg wrote. “FTX staffers worried that this would still be too slow. The thieves could take hundreds of millions of dollars more worth of crypto out of the company’s wallets by then.”
Kumanan Ramanathan, an adviser to FTX from Alvarez & Marsal, volunteered to store the funds on a Ledger Nano, a USB-connected hardware wallet, according to Wired.
“Soon Ramanathan was holding between $400 [million] and $500 million in the company’s crypto assets on a USB drive in his Westchester County home,” Greenberg reported.
“He took a huge … risk using his personal Ledger,” the former FTX staffer said. “He’s a total boss. It’s my pretty strong feeling that if we hadn’t pulled this Ledger stunt, we would have lost significantly more money.”
SEC investigating mass hack of MOVEit file transfer software
The Securities and Exchange Commission is investigating the hack of the MOVEit secure file transfer software that has compromised over 1,000 organizations and hundreds of thousands of victims since May, TechCrunch’s Carly Page reports.
“In a regulatory filing this week, Progress Software confirmed it had received a subpoena from the U.S. Securities and Exchange Commission (SEC) seeking ‘various documents and information’ relating to the MOVEit vulnerability,” Page writes.
- “The SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws,” Progress said.
- It has incurred some $1 million from the MOVEit vulnerability and is expecting close to $2 million in cyber insurance payouts, the report adds.
The hack, which first came to public attention this past summer, is tied to the Clop ransomware group, which claimed credit for the attack. Victims across the world have come forward saying they were exposed. Page writes: “Last week, Sony confirmed that more than 6,000 employees had data accessed in a MOVEit-related incident, and Flagstar Bank said more than 800,000 customer records had been stolen.”
- Progress separately incurred additional costs of $4.2 million related to a separate cybersecurity incident last November, according to the SEC filing.
In July, the SEC voted to approve a rule requiring publicly traded companies to report major cyber incidents within four business days of determining that an incident is material, that is, significant enough to affect investors’ decisions. The SEC has also gone to court to get cybersecurity information from the private sector.
Correction: A previous version of this newsletter stated that Progress expects to incur $4.2 million in additional costs relating to a separate cybersecurity incident. According to an SEC filing, this cost was incurred in a nine-month period ending in Aug. 2023. This version has been updated.
European standards body mulls publicizing military encryption algorithms
The European Telecommunications Standards Institute (ETSI) is discussing whether to make proprietary encryption algorithms public in the wake of backlash it faced over the summer when security flaws were discovered in them, Kim Zetter reports for her Zero Day Substack.
The algorithms, which have been made for securing police and military equipment, are being considered for public viewing “so that independent researchers and government agencies that rely on the algorithms to protect their communications can examine them for security flaws,” Zetter writes.
The algorithms faced scrutiny in July when Dutch researchers found major flaws in them. The algorithms had been kept secret and were available only under nondisclosure agreement. “The Dutch researchers bypassed this restriction by extracting the four algorithms from a Motorola radio they purchased online and reverse-engineering them. They found numerous critical flaws in the algorithms that would allow adversaries to intercept radio communications, decrypt them and even alter and spoof them,” according to the report.
- ETSI spokeswoman Claire Boyer confirmed the story. “The question as to whether TETRA algorithms will be made public is still open at this time,” she said in an email to Zetter. “Resolution is expected from ETSI TCCE technical committee in charge of TETRA by the end of the year.”
First developed in the 1990s, the algorithms, if broken, would let attackers listen in on police activity or intercept critical infrastructure communications, and from there inject commands to shut down radios, trigger blackouts or change gas pipeline flows, Zetter reports.
- ETSI technical body chair Brian Murgatroyd previously told Zetter the group intentionally weakened the security of one of the algorithms, TEA1, as a means of ensuring it was more exportable.
E.U. seeks to boost submarine internet cable security in 2024
E.U. officials are pushing to shore up the security of undersea internet cables in an attempt to make them more resilient to sabotage attempts, Politico’s Mathieu Pollet reports, citing a document obtained by the outlet.
- “The EU push is expected to come in early 2024 as part of a new strategy to boost its telecom sector and internet infrastructure,” Pollet writes. It would lay the groundwork for a planned “Digital Networks Act” announced this week by Internal Market Commissioner Thierry Breton.
“European officials have raised alarms over the bloc’s reliance on existing submarine internet infrastructure. The bloc is in the middle of investigating an incident this weekend that damaged a gas pipeline and undersea data cable running between Estonia and Finland,” Pollet writes.
The report comes soon after the United States and E.U. in July signaled that each other’s data protection standards were legally aligned enough to allow transatlantic data sharing that is supposed to preserve European citizens’ privacy.
- Huawei, a major supplier of undersea internet cables, has been facing immense scrutiny from several bloc nations seeking to better protect their communications infrastructure from suspected spyware and intelligence-gathering threats that Chinese telco equipment poses.
Worried about the 23andMe hack? Here’s what you can do. (Tatum Hunter)
- CISA Executive Director Brandon Wales and others participate in a Washington Post Live event featuring your newsletter host at 9 a.m.
- State Department CISO Donna Bennett speaks with Billington CyberSecurity at 12:30 p.m.
- FCC Commissioner Nathan Simington speaks with the Hudson Institute on security threats of Chinese telecom equipment in U.S. networks at 2 p.m.
Once you are specifically targeted, chances are very good you will continue to see attempts to breach your defenses. APTs come for a purpose and there’s a reason the Persistent part of the name was chosen. pic.twitter.com/E120TxUuZu
— Rob Joyce (@NSA_CSDirector) October 11, 2023
Thanks for reading. See you next week.