Cryptocurrency has always offered a strange mix of temptations and challenges for anyone trying to steal it. As digital cash, held in multibillion-dollar sums on hackable, internet-connected networks, it presents a lucrative target. But once it’s stolen, the blockchains that almost every cryptocurrency is built on make it possible to follow that money’s every movement and, very often, to identify the thieves. So after a massive heist pulled nearly half a billion dollars worth of funds out of the already collapsing FTX cryptocurrency exchange yesterday, the world’s crypto tracers are now closely tracking where that loot ends up—and looking for any clues that reveal the thief to be an FTX insider or just an opportunistic hacker.
On Friday, hours after the major cryptocurrency exchange FTX had filed for bankruptcy in the wake of its epic, 10-figure collapse, FTX’s remaining funds were drained of more than $663 million worth of cryptocurrency, much of which appears to have been stolen. “FTX has been hacked,” wrote an administrator in FTX’s Telegram channel. “FTX apps are malware. Delete them.” Exactly how FTX might have been breached—and whether its apps are, in fact, compromised—is far from clear, and FTX hasn’t officially announced any theft. But the company’s US general counsel wrote in a tweet that “unauthorized access to certain assets has occurred.” (FTX did not respond to WIRED’s request for comment.)
Soon, the crypto-tracing and blockchain analysis firm Elliptic revealed that the $663 million outflow seemed to be a combination of FTX’s movement of coins into its own storage wallets and a mysterious theft. According to Elliptic, fully $477 million of the funds appear to have been stolen, though another crypto-tracing firm, TRM Labs, puts the number at $338 million. Twenty-four hours after the theft, most of that money had moved into just a handful of cryptocurrency addresses—where the entire crypto-tracing industry, a vast community of amateur crypto sleuths, and no doubt law enforcement agencies around the globe are now all watching it with an unblinking gaze.
That observability, for the FTX funds and for other stashes of stolen crypto, presents a serious challenge for any thief trying to cash out their haul into traditional currency. In this case, where regulators and an army of aggrieved creditors are looking for any sign that FTX’s staff or owners may themselves be the culprits, it could ultimately help confirm that insiders were responsible for the theft—or instead show that external hackers took advantage of the chaos at FTX to pull off a burglary.
“We’re definitely watching the movements of these funds,” says Chris Janczewski, the head of investigations at TRM Labs and a former special agent at the IRS’s criminal investigations division. “This potential thief has hundreds of millions of dollars. But it’s like they went into a bank, took as much cash as they could carry, and then the dye packs went off. They’ve got all this money, but now everyone knows it’s connected to this bank robbery. What can you actually do with it?”
According to Elliptic’s analysis, at least $220 million of funds stolen in the form of a variety of cryptocurrencies were quickly traded through decentralized exchanges—trading platforms that allow users to swap coins without giving identifying information—to convert them into the cryptocurrencies ether and dai. But cashing out those coins and the rest of the stolen loot will likely require trading it on a centralized exchange, which almost always requires users to hand over identifying information. The thieves may try to put the money through a “mixing” service that launders the coins by blending them with those of other users. But crypto-tracing blockchain analysts have proven they can often defeat those mixers—particularly when users are feeding very large sums into them. And some mixers, like the Tornado Cash service that was sanctioned by the US Treasury in August, render cryptocurrency untouchable for many exchanges or vulnerable to seizure.