Intro and TL;DR
You've probably seen the news about the FTX hacker account.
There is so much going on in this account that anything you think is happening is probably done to hide his tracks. Dozens of tokens and DeFi swaps have been used. Some tokens have been sent over Polygon PoS and Bitcoin bridges. PAXG seemed to be his favorite token by far for token laundering before that was blocked. Since then, he has created at least 11 addresses trying to escape everywhere.
These are all the tokens he's been swapping to:
stETH, USDT, LINK, USDP, LDO, WBTC, SUSHI, YFI, 1INCH, UNI, LINK, MATIC, PAXG, SHIB, AAVE, APE, PAXG, SNX, renBTC, WMATIC
I wouldn't trust anything posted by the media or random Twitter posts unless they're citing experts. This should be done by a professional trace analyzer because they have specialized tools for tracing this.
I do not believe the hacker is related to the Bahamian government. These transactions are much too random, chaotic, and swap for too many random tokens. If it is the Bahamian government, then they're totally letting SBF create chaos with it.
AFAICT, the hacker is not trying to sell ETH for BTC. I'm guessing he's trying to exit using whatever exchange or swap that hasn't yet blacklisted him. PAXG was the weak link on Nov 12. It's now $60M worth of ETH to WBTC and renBTC, which he's using to exit to BTC mainnet.
Update: ZachXBT mentioned that there are multiple groups with their hands in the cookie jar. There are several whitehat addresses, but this "0x59...32b" address is almost certainly a blackhat. That's why there is so much confusion about whether it's the Bahamian government or the group that Kraken knows. There are multiple groups working on different addresses.
Here's my best attempt at an amateur trace analysis
There are at least 11 FTX hacker addresses, most of which were created on Nov 12. One last one was created today.
Main address: https://etherscan.io/address/0x59abf3837fa962d6853b4cc0a19513aa031fd32b
- History
  - This one's been around for 8 days since Nov 12.
  - It's been growing ETH. Started with 160k ETH. Grew to 200k ETH on Nov 15 and then to 250k ETH on Nov 19. 50k ETH has been swapped or transferred out today.
  - On the first day, it was sent out to 26 different addresses.
  - Apparently, he found out that PAXG swaps were the weakest link and was able to swap to $60M of it.
  - Since then, it has stayed quiet (other than for shitcoin transfers) until today. There was 1 lone Tx on Nov 15 for token approval for DAI on CoW Protocol.
  - Suddenly today, it has become active again.
- Current balance
  - 200k ETH, down from 250k ETH yesterday. That's a difference of about $60M USD worth of ETH that went elsewhere.
  - $14M of PAXG
  - 70+ random shit tokens. Some were sent by others to insult the owner. Some were swapped into by the owner.
- Nov 12 activity
  - This guy is an absolute DeFi degenerate. He's possibly testing for blacklists on his first day or trying to exit as fast as he can. He used over a dozen different swaps.
  - Did tons of token approvals. I stopped listing the duplicates on different dApps. For example, he tested approvals for PAXG on at least a dozen swaps. And these are just what I can see on the blockchain.
  - There is: stETH, USDT, LINK, USDP, LDO, WBTC, SUSHI, YFI, 1INCH, UNI, LINK, MATIC, PAXG, SHIB, AAVE, APE, PAXG, SNX
  - Swapped 523k USDT for USDC
  - Swapped 14M USDT for cUSDT
  - Swapped 14.5M USDT for DAI
  - Swapped 2M worth of WETH and LDO??
  - ~~Swapped~~ Transferred 4M MATIC to the MATIC bridge. Oh boy. Someone will need to analyze this separately. They went to this new address, but some were swapped for WETH.
  - Swapped 1k PAXG for WETH, $1.4M worth. Interesting since he did it again and again and again. These stand out. Probably hitting liquidity issues.
  - Several hours go by
  - Swapped PAXG for WETH
  - I'm not going to list all of these. He made a dozen more transactions to swap $25M PAXG for WETH using KyberSwap.
  - Random Maker proxy registry, it seems for PAXG.
- Nov 20 activity (today)
  - Sent $5.9M ETH to Side address 5
  - Sent $11.7M ETH to Side address 5
  - Sent $11.7M ETH to Side address 5
  - Sent $29.3M ETH to Side address 5
Side addresses
- FTX Account Drainer 2 (22 Tx):
  - Token approvals for PAXG on multiple swaps
  - A mega transaction for PAXG, DAI, WETH, USDC. End result seems to be a $1.7M PAXG swap to ETH.
  - Transferred 1 ETH to FTX Accounts Drainer 3 and this random address
- FTX Account Drainer 3 (2 Tx):
  - Has $1k of ETH and $870k of PAXG
- FTX Account Drainer 4 (1 Tx):
  - Has $870k of PAXG
- Side Account 5
  - This is the one that prompted multiple media posts. These swaps are pretty complicated.
  - Spent a lot of transactions on the FTX Bahamas shit token for some reason.
  - Swapped $4.8M ETH for WBTC, then for renBTC
  - And again for $3.5M, $1.2M, ... and lots more for a total of $60M worth of tokens to renBTC.
  - Burned $1.1M, $16.5M, $29M, $11.4M using the Ren BTC Gateway for a total of ~$60M.
  - So he's exiting to Bitcoin mainnet, and Bitcoin UTXOs are way harder to trace. Needs professional trace tools.
  - Chainalysis is already on the investigation for the renBTC bridge exit.
There are at least 6 other accounts people have identified. Most of these had $2-10M worth of ETH before being transferred to other addresses and emptied.
- Account 6 - From Polygon
- Account 7
- Account 8
- Account 9
- Account 10
- Account 11
The tokens also exist on many different networks:
- Avalanche C-Chain - $4M in USDT
- BSC - $1.7M
- Polygon PoS - $5M were transferred to FTX Accounts Drainer 6. These were then sent back through the Polygon Bridge back to Ethereum and then all over the place.
- Negligible: Arbitrum One, Optimism, Moonbeam
Shit token transfers to famous people's addresses
You might have noticed that the accounts are sending lots of random shit tokens like Twitter World Cup Inu, FTTCash, and FTX Sucks to random famous people's accounts. These are actually spoofed tokens: https://medium.com/etherscan-blog/spoof-tokens-on-ethereum-c2ad882d9cf6. You can tell because the account initiating the transfer is not the FTX Hacker account.
Here's an example of one
Anyways, I'm just one person tracing this for 2 hours. I'll leave it to the professionals like Chainalysis to do a better job.
One of the takeaways is that even if you blacklist one account, it's hard to actively trace the other accounts they're going to and actively block them.
Update: ZachXBT has a great thread on this he posted an hour ago. Covers a lot of the same topics, but also includes some details I missed, like how there were multiple parties sending to different accounts.
Update 2 - Spoofed tokens: The sent shitcoins are spoofed tokens meant to make it look like the FTX Hacker sent them. But they're actually smart contracts designed so that someone else could transfer them while tricking the block explorer. The way you can tell is that the FTX Hacker account is not the address initiating the token transfer, and I should've noticed that: https://medium.com/etherscan-blog/spoof-tokens-on-ethereum-c2ad882d9cf6
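A quick way to catch these spoofs, as an added example that is not part of the original post: decode each ERC-20 Transfer event and compare its "from" field with the account that actually signed the transaction, while letting a real transferFrom by an approved spender through. Only the drainer address comes from the post; the other addresses, the token contract and the Approval bookkeeping are constructed placeholders.

```python
# Added example, not code from the original post: flag ERC-20 Transfer events whose
# "from" differs from the account that signed the transaction. Spoof tokens rely on
# explorers rendering the event's "from". All addresses but DRAINER are constructed.
from dataclasses import dataclass

# keccak256("Transfer(address,address,uint256)"): the standard ERC-20 event topic
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

@dataclass
class Log:
    address: str   # token contract that emitted the event
    topics: list   # [event signature, from (32-byte padded), to (32-byte padded)]

@dataclass
class Tx:
    hash: str
    sender: str    # tx.from: the EOA that signed and paid for the transaction
    logs: list

def pad(addr: str) -> str:      # 20-byte address -> 32-byte indexed topic
    return "0x" + addr[2:].lower().rjust(64, "0")

def unpad(topic: str) -> str:   # 32-byte indexed topic -> 20-byte address
    return "0x" + topic[-40:].lower()

def spoofed_transfers(tx: Tx, approvals: set) -> list:
    """Return Transfer events whose 'from' is neither the tx sender nor an owner
    who approved the tx sender on that token (a legitimate transferFrom)."""
    flagged, sender = [], tx.sender.lower()
    for log in tx.logs:
        if len(log.topics) != 3 or log.topics[0].lower() != TRANSFER_TOPIC:
            continue  # not an ERC-20 Transfer event
        token, claimed_from = log.address.lower(), unpad(log.topics[1])
        if claimed_from == sender or (token, claimed_from, sender) in approvals:
            continue  # the owner sent it, or an approved spender moved it
        flagged.append({"tx": tx.hash, "token": token,
                        "claimed_from": claimed_from, "actual_sender": sender})
    return flagged

# Constructed sample: a spammer's token contract emits a Transfer "from" the drainer
# address quoted in the post. SPAMMER/CELEB/TOKEN/SPENDER are placeholders.
DRAINER = "0x59abf3837fa962d6853b4cc0a19513aa031fd32b"
SPAMMER, CELEB, TOKEN, SPENDER = ("0x" + d * 40 for d in "1234")
SAMPLE_TXS = [
    Tx("0xaaa1", SPAMMER, [Log(TOKEN, [TRANSFER_TOPIC, pad(DRAINER), pad(CELEB)])]),  # spoof
    Tx("0xaaa2", DRAINER, [Log(TOKEN, [TRANSFER_TOPIC, pad(DRAINER), pad(CELEB)])]),  # genuine
    Tx("0xaaa3", SPENDER, [Log(TOKEN, [TRANSFER_TOPIC, pad(DRAINER), pad(CELEB)])]),  # transferFrom
]
APPROVALS = {(TOKEN, DRAINER, SPENDER)}  # (token, owner, spender) taken from an Approval event
```

Running `spoofed_transfers` over `SAMPLE_TXS` flags only the first transaction, where the explorer would show the drainer as sender even though the spammer's key signed it.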