Uncovering Russian Cybercriminal Ties in the $477 Million FTX Heist Investigation

In a bewildering twist of events, the cryptocurrency world was rocked in November 2022 when $477 million was stolen from the Bahamas-based cryptocurrency exchange FTX, according to a report by Elliptic. The heist occurred on the very day the exchange filed for bankruptcy, marking a chaotic end to a once-prominent player in the cryptocurrency landscape. As the investigation into this audacious theft unfolds, it has become increasingly evident that the stolen funds are intertwined with Russian cybercriminal organizations.

The identity of the thief behind the FTX heist remains shrouded in mystery. Still, their tactics and intricate web of laundering schemes have attracted significant attention. In the immediate aftermath of the hack, the thief lost a staggering $94 million in their rush to launder the stolen assets. To avoid the risk of having their funds frozen by token issuers, the thief opted to swap the stolen tokens for native assets, such as Ether, the cryptocurrency of the Ethereum blockchain.

Decentralized exchanges (DEXs) like Uniswap and PancakeSwap provided the perfect playground for the thief to exchange hundreds of millions of dollars in tokens. DEXs enable these transactions without the scrutiny of a compliance department, which is typically more stringent at centralized exchanges.

To further obfuscate the money trail, the thief decided to move the stolen assets across different blockchains. This process, known as cross-chain laundering, not only complicates the tracking of funds but also provides access to services on different blockchains for further laundering.

Decentralized services, called cross-chain bridges, became the thief’s choice for moving funds between blockchains. Stolen assets from the Binance Smart Chain and Solana blockchains were moved to the Ethereum blockchain using cross-chain bridges like Multichain and Wormhole. Over the span of three days, the thief had accumulated an impressive 245,000 ETH, now worth around $306 million.

Notably, the thief utilized RenBridge, a cross-chain bridge, to transfer 65,000 ETH to the Bitcoin blockchain. Remarkably, RenBridge is owned by Alameda Research, a sister company of FTX, raising questions about the apparent complicity within the FTX ecosystem.

For those familiar with cryptocurrency’s dark underbelly, the conversion of Ether to Bitcoin is a well-worn tactic. Bitcoin offers the advantage of mixers, services designed to obscure the blockchain trail by blending your cryptocurrency with that of others. The thief executed this maneuver by sending 2,849 BTC through mixers, particularly ChipMixer, further complicating the tracing of these assets. Some of this cryptocurrency was then transferred to exchanges, potentially for cashing out, increasing the complexity of the investigation.
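The laundering path described above (token swaps on a DEX, a bridge hop from Ethereum to Bitcoin, then a split between a mixer and an exchange deposit) is exactly the kind of flow a blockchain-analytics tracer has to follow. The following is an added example, not Elliptic's tooling or any data from the FTX case: a small taint-tracing walk over a constructed ledger. Every address, label, asset and amount in it is made up for illustration. The design point it shows is the distinction between pass-through services (DEXs, bridges), where the trace keeps going, and pooling services (mixers, exchanges), where attribution stops and the inflow is recorded as an event.

```python
"""Toy cross-chain taint tracing over a constructed ledger (example code).

All addresses, labels and amounts are constructed for illustration; none
of this is real FTX or Elliptic data.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    chain: str
    src: str
    dst: str
    asset: str
    amount: float


# Pass-through services forward value, so the walk continues on their
# outputs. Terminal services pool value with other users' funds, so the
# walk records the inflow and stops there.
PASS_THROUGH = {"dex", "bridge"}
TERMINAL = {"mixer", "exchange"}

# Constructed service labels (hypothetical addresses, not real ones).
LABELS = {
    ("ethereum", "0xDEX-POOL"): "dex",
    ("ethereum", "0xBRIDGE-ETH-SIDE"): "bridge",
    ("bitcoin", "bcBRIDGE-BTC-SIDE"): "bridge",
    ("bitcoin", "bcMIXER"): "mixer",
    ("bitcoin", "bcEXCHANGE-DEPOSIT"): "exchange",
}

# A bridge deposit on one chain is released from a paired custody address
# on the other chain. No on-chain transfer links the two sides, so the
# pairing is modelled explicitly (assumed mapping for the example).
BRIDGE_PAIRS = {
    ("ethereum", "0xBRIDGE-ETH-SIDE"): ("bitcoin", "bcBRIDGE-BTC-SIDE"),
}

# Constructed ledger mirroring the article's sequence of hops.
LEDGER = [
    # token -> ETH via a DEX pool (pool returns ETH to the same wallet)
    Transfer("ethereum", "0xTHIEF", "0xDEX-POOL", "TOKEN", 1000.0),
    Transfer("ethereum", "0xDEX-POOL", "0xTHIEF", "ETH", 120.0),
    # ETH deposited to the bridge; BTC released on the other chain
    Transfer("ethereum", "0xTHIEF", "0xBRIDGE-ETH-SIDE", "ETH", 100.0),
    Transfer("bitcoin", "bcBRIDGE-BTC-SIDE", "bcTHIEF", "BTC", 6.0),
    # an unrelated bridge user paid out of the same custody address
    Transfer("bitcoin", "bcBRIDGE-BTC-SIDE", "bcOTHER-USER", "BTC", 1.5),
    # BTC split between a mixer and an exchange deposit address
    Transfer("bitcoin", "bcTHIEF", "bcMIXER", "BTC", 4.0),
    Transfer("bitcoin", "bcTHIEF", "bcEXCHANGE-DEPOSIT", "BTC", 2.0),
    # unrelated activity the walk must never reach
    Transfer("ethereum", "0xALICE", "0xBOB", "ETH", 3.0),
]


def trace(ledger, seed_chain, seed):
    """Breadth-first walk from a seed wallet across chains.

    Returns (reached, events): reached is the set of (chain, address)
    nodes the funds touched; events lists each labelled service hit, in
    order, with the hop count so bridge and mixer usage can be read off.
    """
    by_src = {}
    for t in ledger:
        by_src.setdefault((t.chain, t.src), []).append(t)

    start = (seed_chain, seed)
    reached = {start}
    events = []
    queue = deque([(start, 0)])
    while queue:
        node, hop = queue.popleft()
        for t in by_src.get(node, []):
            dst = (t.chain, t.dst)
            kind = LABELS.get(dst)
            if kind:
                events.append({"hop": hop + 1, "service": kind, "chain": t.chain,
                               "address": t.dst, "asset": t.asset,
                               "amount": t.amount})
            if dst in reached:
                continue
            reached.add(dst)
            if kind in TERMINAL:
                continue  # pooled with other users' funds; stop here
            queue.append((dst, hop + 1))
            # Crossing a bridge: continue from its paired address on the
            # other chain. Everything that custody address pays out is
            # treated as tainted, which over-approximates; real tracers
            # narrow this by matching amounts and timing.
            paired = BRIDGE_PAIRS.get(dst)
            if paired and paired not in reached:
                reached.add(paired)
                queue.append((paired, hop + 1))
    return reached, events


def terminal_totals(events):
    """Sum inflows per terminal service kind (mixers, exchange deposits)."""
    totals = {}
    for e in events:
        if e["service"] in TERMINAL:
            totals[e["service"]] = totals.get(e["service"], 0.0) + e["amount"]
    return totals


if __name__ == "__main__":
    reached, events = trace(LEDGER, "ethereum", "0xTHIEF")
    for e in events:
        print(f"hop {e['hop']}: {e['service']} {e['address']} "
              f"{e['amount']} {e['asset']} on {e['chain']}")
    print("terminal totals:", terminal_totals(events))
```

Run as-is, the walk reports the DEX and bridge at hop 1 and the mixer and exchange deposit at hop 3, with 4.0 BTC ending in the mixer and 2.0 BTC at the exchange. Note that the unrelated bridge user is also marked as reached: that over-approximation is the reason analysts care about amount and timing matching at bridges, and why the article can only describe the bridge hops in aggregate.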

Following these convoluted transactions, approximately 180,000 ETH remained dormant for nine months, until September 30, 2023, when it was valued at $300 million. The thief resumed their activities, once again opting to convert Ether to Bitcoin and funneling the funds through a mixer.

With RenBridge no longer available, the thief turned to THORSwap, another cross-chain bridge, converting 72,500 ETH into Bitcoin. It’s worth noting that THORSwap temporarily suspended its interface due to concerns about the movement of illicit funds.

The thief’s mixer of choice had shifted from ChipMixer, which was seized in an international law enforcement operation, to Sinbad, a mixer launched in late 2022. Sinbad’s ties to North Korea’s Lazarus Group raise questions about potential affiliations, although its laundering methods appear less sophisticated than those typically employed by Lazarus.

[Figure: A screenshot from Elliptic Investigator, showing the stolen assets being converted to ETH through decentralized exchanges, then being bridged to Bitcoin and sent through ChipMixer.]

Nearly a year after the initial theft, the identity of the thief remains elusive. Several theories have been proposed, including the possibility of an inside job facilitated by lax security measures within FTX. Former employees have reported security lapses that contributed to massive losses. The involvement of North Korea’s Lazarus Group has been suggested, but the methodology seems different from their typical modus operandi.

The stronger possibility points toward a Russia-linked actor, with some of the stolen assets merging with funds from Russian criminal groups. The implication is that an intermediary with connections to Russia may be involved in the laundering process.

Despite the complexity of the investigation and the thief’s relentless efforts to launder the stolen assets, their actions have not gone unnoticed. Seizures by token issuers and the costs of rapidly swapping between assets and blockchains caused the thief to lose approximately $94 million in the initial days following the hack.

As the world’s attention is once again drawn to the events of November 2022, the enigma surrounding the FTX theft persists, offering a glimpse into the ever-evolving world of cryptocurrency crime and money laundering. The stolen assets continue to be moved, laundered, and concealed through an intricate web of cross-chain techniques, adding yet another chapter to the ever-expanding book of crypto crime.
