Several wallets allegedly belonging to FTX were drained of hundreds of millions of dollars in coins late on Friday night, with much of the funds transferred from Tether (USDT) into stablecoin DAI, and from staked Ethereum (stETH) into Ethereum (ETH).
It was the same day that FTX filed for Chapter 11 bankruptcy, and the transfers looked too soon, too late at night, and too sophisticated to be attributed to liquidators.
The exodus, all visible on blockchain tracker Etherscan, totaled around $650 million according to pseudonymous blockchain sleuth ZachXBT, widely trusted by the DeFi community.
It took until after 2 am EST for FTX US general counsel Ryne Miller to call the transfers “unauthorized” and add that FTX had begun moving assets to cold wallets to “mitigate the damage.”
It was a nightmare evening for anyone with funds on FTX. As the hysteria mounted, rumors flew, including one about whether FTX CEO Sam Bankman-Fried was on a plane to Argentina, and a Reuters report claiming he used a secret “back door” built into his exchange to move $10 billion to his hedge fund Alameda.
Another eagle-eyed blockchain sleuth who goes by the pseudonym Foobar noticed the first transfer of $26 million and issued an alert at 9:47 pm EST.
As the movement continued in real time, Crypto Twitter erupted in theories. Was it a hack, or an inside job from FTX leadership safeguarding their own funds, directly disobeying the bankruptcy proceedings?
“Hundreds of millions of dollars are now flowing out of FTX wallets. Some speculate liquidators, but it’s late on a Friday night, not typical times for such rapid heavy movements,” Foobar tweeted.
“Multiple former FTX employees confirmed to me they do not recognize these transfers,” ZachXBT tweeted at 10:48 pm EST.
According to blockchain tracking website DeBank, $280,726,364 in ETH, $99,276,088 in BNB, and $3,970,099 in AVAX were sent to one of the receiving wallets.
The draining continued.
At 11:08 pm EST, FTX US general counsel Ryne Miller tweeted, “Investigating abnormalities with wallet movements related to consolidation of ftx balances across exchanges.” As crypto sleuths on Twitter surmised, Miller would have been informed if the funds were being moved as part of the liquidation process.
Just before midnight, an FTX Telegram administrator named Rey posted: “Ftx has been hacked. All funds seem to be gone.” “FTX apps are malware. Delete them. Chat is open. Don’t go on ftx site as it might download Trojans.”
In cybersecurity, Trojans (named after the Trojan Horse of Greek mythology) are programs that claim to perform one function but actually do another, typically malicious. Trojans can take the form of attachments, downloads, and fake videos.
But many onlookers did not buy the idea that this was a hack.
“If you think FTX is being hacked right now, you should consider quitting crypto. you are too kind and gullible for this industry,” DeFi Pulse founder Scott Lewis tweeted.
Twitter “chief Twit” Elon Musk took the opportunity to point out that all the action was playing out on Twitter.
Miller provided another update at 2:07 am EST. He claimed that earlier on Friday FTX and FTX US had “initiated precautionary steps to move all digital assets to cold storage” and that the “process was expedited this evening to mitigate damage upon observing unauthorized transactions.”
On Thursday, the securities commission of the Bahamas, where FTX is headquartered, ordered FTX’s assets frozen and assigned a liquidator to the company.
So far, $3 billion in crypto has been stolen in 2022 through 125 different hacks, according to Chainalysis.
Once the dust settles from the FTX draining, if it was indeed a hack, that figure will surpass the previous all-time high of $3.2 billion set last year.