WIRED: Investigating the “bizarre hacking incident” on the day FTX went bankrupt
Original author: Wired
Original compilation: Wu Shuo Blockchain
On the evening of November 11 last year, FTX employees had already experienced the worst day in the company's short history. Just 10 months after becoming one of the top cryptocurrency exchanges in the world, the company had declared bankruptcy. After a lengthy effort, executives had convinced the company's CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, who was now tasked with steering the company out of a nightmarish predicament: a mountain of debt that the company appeared to have no means of repaying.
FTX seemed to have hit rock bottom. Until someone - one or more as-yet-unidentified thieves - chose that specific moment to make things worse. That Friday evening, exhausted FTX employees began seeing mysterious outflows of the company's cryptocurrency on Etherscan, as hundreds of millions of dollars in cryptocurrency were stolen in real time.
“Holy shit, after all this, did we get hacked?” recalled one former FTX employee, who asked not to be named because he was not authorized to speak about internal company matters.
According to FTX's own accounts, the company ultimately lost between $415 million and $432 million in cryptocurrency assets to those unknown thieves, a figure that has been publicly confirmed as part of its bankruptcy proceedings. What FTX has not previously revealed is how close it came to losing far more — and how its employees and outside advisors scrambled to move more than $1 billion in cryptocurrency into more secure storage where it could not be stolen by malicious actors. That scramble even included sending nearly $500 million to a physical USB drive in one consultant's office to keep it out of the thieves' hands.
Invitation: Urgent
As the trial of FTX's disgraced founder Sam Bankman-Fried enters its second week, many in the cryptocurrency community are closely watching the court proceedings for any clues as to how the exchange was so disastrously looted just hours after leaving his control. The key question is who carried out the theft, and whether the thieves were FTX insiders or outside hackers. The mystery remains unsolved, and neither Bankman-Fried nor any other senior FTX executive has been charged in connection with that theft.
But now, WIRED can shed light on FTX's efforts to limit the damage on that night of panic — and to stop what could have been a 10-figure theft. The new FTX leadership team, led by CEO Ray, declined to be interviewed for this story. But WIRED obtained a minute-by-minute picture of the crisis response from detailed invoices filed by restructuring firm Alvarez & Marsal in connection with the FTX bankruptcy, interviews with individuals involved in the immediate response to the theft, and blockchain analysis provided by cryptocurrency tracking firm Elliptic.
The response began at around 10 p.m. on November 11, when Zach Dexter, CEO of FTX subsidiary LedgerX, sent a Google Meet invitation to FTX's more than 20 remaining employees, bankruptcy attorneys, advisers and consultants. The invitation's one-line subject: Urgent.
A handful of employees quickly joined the Google Meet video call, which grew to dozens of participants over the next 12 hours. They could all see FTX's wallets being emptied in real time on Etherscan. But almost no one knew exactly where FTX stored its cryptocurrency, or how it managed the keys that controlled those wallets. That information was held only by a small group at the top of FTX - Bankman-Fried and his inner circle. Bankman-Fried never showed up for the meeting, but FTX co-founder and CTO Gary Wang joined the call, according to sources who were present.
By this time, sources said, Wang was no longer trusted by many of the people close to Ray. Wang had initially sided with Bankman-Fried during the FTX debacle, and distanced himself from the former CEO only after days of persuasion from others within the company.
Wang failed to win over any of his critics when, early in the emergency meeting, he suggested that the ongoing theft could be stopped simply by changing the keys protecting the wallets being emptied. Former FTX employees remember feeling there was no point: whoever had gained access to the network could simply grab the new keys and continue stealing. “The fox has entered the chicken coop; you still have to change the key to the chicken coop?” the former employee remembers thinking at the time. Wang, who later pleaded guilty to the same criminal charges Bankman-Fried now faces, did not respond to a request for comment sent to his attorney.
By the time the Google Meet call started, however, LedgerX's Dexter had already begun exploring a different approach to protecting FTX's funds. In the week before the theft, digital asset trust BitGo had been in talks with Sullivan & Cromwell, the law firm overseeing FTX's bankruptcy process, about taking over the company's remaining cryptocurrency assets. So Dexter now called BitGo in an attempt to bypass the lengthy legal contracting process that Sullivan & Cromwell had begun with the company. Instead, Dexter demanded that BitGo immediately create “cold storage” wallets — wallets kept securely in an offline environment — into which FTX could move all of its remaining funds as a safe haven. Dexter did not respond to a request for comment.
BitGo said the wallets would be ready in about half an hour. FTX employees worried that this was still too slow: by then, thieves could have taken hundreds of millions more dollars in cryptocurrency from the company's wallets.
Someone on the Google Meet call asked if anyone had their own hardware wallet where the money could be stored until BitGo was ready. Alvarez & Marsal's FTX consultant Kumanan Ramanathan, who had joined the call from his home in suburban New York, volunteered to help. He had a Ledger Nano — a USB hardware wallet — in his home office, which he proposed to set up as a temporary safe haven for the vulnerable funds.
At approximately 10:30 p.m. EST on November 11, Ramanathan set up a new wallet on his Ledger Nano. The former FTX employee remembers watching him check and double-check the password he created for the wallet. Wang began sending FTX funds to the wallet, and soon Ramanathan was holding $400 million to $500 million worth of the company's crypto assets on a USB device at his Westchester County home.
Late-night 911 calls
Minutes later, BitGo told FTX employees that its wallet was ready, and they began moving more of the hundreds of millions of dollars in cryptocurrency to BitGo's cold storage instead of Ramanathan's Ledger device. For the remainder of that sleepless night, employees scoured every wallet where FTX funds were stored and transferred every coin they could find to BitGo. “They were cleaning various systems, trying to find where the various private keys were, where the assets were stored,” said another person involved in the response who was not authorized to speak publicly. “It was a mess.”
While FTX employees focused on getting executives to approve these transfers of potentially vulnerable funds, Ramanathan was left holding the cryptocurrency that Wang had originally transferred to his Ledger wallet. This created a strange situation in which a single individual effectively held roughly half a billion dollars' worth of FTX's company assets, which brought its own legal and security risks. That night, FTX general counsel Ryne Miller rushed to Ramanathan's home to help secure the funds. Miller declined to comment for this story, and Ramanathan did not respond to a request for comment.
At 10:59 p.m. ET, Ramanathan called the police to report the theft in progress, explained that he was holding a large amount of the victim's money, and asked officers to come to his home to help secure it. After all, no one knew at the time (or knows now) who had stolen the other funds, or whether they might try to physically access the reserves Ramanathan was holding. A police report from the New Rochelle Police Department, obtained by WIRED, shows that Ramanathan told a 911 dispatcher that “there is a huge cryptocurrency attack going on right now with a lot of money being sent to this address,” and that he was concerned that “this house was going to become a target.”
Even after the police arrived, Miller, FTX's general counsel, stayed at Ramanathan's home for most of the night. Ramanathan's timekeeping records show that he and Miller spent nearly three and a half hours at his home, from about 2 a.m. to 5 a.m. on November 12.
In the end, there was no material threat to Ramanathan or his home. In fact, the theft of funds from FTX stopped once the funds were transferred to Ramanathan's Ledger wallet. “He took a huge risk with his personal Ledger,” said the former FTX employee. “He was so awesome. I have a strong feeling that if we hadn't done this Ledger gimmick, we would have lost more money.” Ultimately, at around 5 a.m. on Saturday, November 12, the money in Ramanathan's home office was transferred to BitGo. The company would eventually hold $1.1 billion of the remaining FTX funds.
Later on Saturday, Bankman-Fried and Wang transferred more than $400 million to accounts controlled by the Bahamian government for safekeeping, as reported by Forbes and documented in court filings. For a time, the transfer of funds to the Bahamas was itself mistaken for the theft. A week after the theft, some media outlets incorrectly reported that the stolen funds had in fact been confiscated by the Bahamian government. As evidence to the contrary, cryptocurrency tracking firms such as Elliptic and Chainalysis observed portions of the actual stolen funds being sent to “coin mixing” services commonly used for money laundering, such as Railgun, and to the cross-chain coin exchange service THORChain, typical behavior of thieves laundering stolen cryptocurrency at scale.
No protection, no road map
Since the desperate rescue operation of November 11, the new team overseeing FTX's bankruptcy proceedings has publicly alleged serious security flaws that made the theft possible.
An April report released as part of FTX's bankruptcy proceedings cited examples of this alleged negligence: the previous FTX team had no independent chief information security officer and no actual dedicated security team; employees were instructed to publicly claim that at most 10% of the company's cryptocurrency was held in hot wallets (wallets on computers connected to the internet), yet it held almost all of its cryptocurrency in hot wallets; it left wallet keys unencrypted, or failed to properly set up the security system that requires multiple keys to unlock funds; and it lacked a logging system, so it could not even tell who was transferring funds and when, among other issues.
The report also describes the complex situation faced by the new FTX team on November 11, when on its first day on the job, the team found itself inheriting a network that was already severely broken. “Due to the FTX Group’s lack of effective controls to protect crypto assets, the Debtors face the threat of losing billions of dollars in additional assets at any time,” the report reads, using the word “Debtors” to describe the new FTX management team led by Ray. “As debtors struggled to identify and access cryptoassets without a ‘road map’ to guide them, debtors had to devise technical paths to move the many types of assets they identified into cold wallets.”
Given this apparent disarray in both security and organization, it's perhaps unsurprising that FTX was the target of the costliest cryptocurrency theft in history. But had some quick decisions not been made in the midst of that chaos, it now appears things could have been much worse.
“It was a very, very crazy night,” the former FTX employee said. “We worked it out, got the job done, and saved a lot of customers' money.”