On-chain detective ZachXBT: The FTX hacker is real, don't confuse them with the government of the Bahamas!

After FTX filed for bankruptcy, there were reports of hackers or internal theft of funds, with hundreds of millions of dollars in assets being transferred and liquidated on centralized and decentralized platforms. There are various claims regarding the aftermath of this incident:

1. Bahamas Government Involvement

On 11/11, FTX officials and former employees stated that they were complying with regulatory requirements from the Bahamas government. However, on 11/13, Bahamian authorities denied giving any instructions to FTX. On 11/18, Bahamian authorities admitted that they had taken control of some of FTX's assets on 11/12.

2. Former Employees or Hackers

At the time of the incident, FTX officials stated that the transactions were unauthorized. Former CEO SBF mentioned in an interview that it was either a former employee or an employee's computer compromised by malicious software.

Regardless, addresses marked as "stolen" on the blockchain are still converting various stolen assets. According to the Bahamas government, the digital assets it safeguards are stored in Fireblocks custodian accounts, which makes it unlikely that those assets would see further on-chain transfers and liquidations.

3. Kraken Exchange Identifies the Hacker

A founder of an investment firm cited a cybersecurity company stating that the unauthorized transactions on FTX were likely initiated by an inexperienced insider who used the US exchange Kraken to release funds. Although this claim lacks concrete evidence, Kraken's Chief Security Officer responded: "We are aware of the user's identity."

4. Misidentified FTX Hacker

Online news claimed that the hacker behind FTX was a former engineer named Samuel Hyde, but Samuel Hyde is actually an American comedian. The alleged FTX hacker photo circulating on Twitter under the account @tittyrespecter is just a meme image.

Due to various rumors spreading, renowned blockchain investigator ZachXBT conducted a detailed analysis to debunk misleading information such as "hacker = Bahamas government" and "Kraken knows the hacker's identity."

Hacker Address 0x59 Does Not Belong to FTX or the Bahamas

ZachXBT stated that the address 0x59 belongs to a hacker and is not affiliated with the Bahamas government or the FTX team.

The evidence supporting this claim is that, starting from 11/12, the address 0x59 has been using various cross-chain bridges to sell ETH, DAI, and BNB in a way that prevents these coins from being frozen. ZachXBT emphasized the significant slippage that occurred when 0x59 exchanged coins on-chain, such as an AAVE sale with slippage of up to four million dollars.

The pattern of asset liquidation is a key factor in ZachXBT's judgment. He mentioned that the behavior of 0x59 differs from that of the other addresses that withdrew from FTX: those addresses hold funds in multi-signature custody, while 0x59 sells tokens and occasionally transfers assets to other chains.

Second Clue: Using Suspicious Services

On 11/12, 0x59 transferred 3168 BNB through the BNB Chain to an address starting with 0x24, which then moved to the Huobi exchange. This 0x24 address has been associated with some suspicious small exchanges, including the Russian exchange Laslobit.

Third Clue: Funds Laundered Through Ren Cross-Chain Bridge

0x59 converted ETH into renBTC and then used the REN cross-chain bridge. This clearly indicates an attempt to launder funds through cross-chain transfers. Note: Ren Protocol was acquired by Alameda in early 2021.

Clarification: Kraken Did Not Discover the Hacker

ZachXBT clarified that there is misinformation suggesting Kraken or other exchanges found the hacker, when in fact, FTX moved funds to a TRON chain wallet using a multisignature address. Kraken was involved because FTX's hot wallet lacked TRX for gas fees. A similar pattern was observed with another multisignature address, 0x97.

Transfer of Funds by Multisignature Addresses for Fund Protection Only

ZachXBT mentioned that the transfer of funds by these multisignature addresses aligns with FTX's legal counsel's statement that, for security reasons, all digital assets are being moved to cold storage. These actions were taken after the incident involving 0x59.

The Hacker Did Not Engage in Sh*tcoin Trading

ZachXBT also debunked rumors that the hacker engaged in sh*tcoin trading. In reality, this was a deception carried out through smart contracts that tricked the block explorer Etherscan into displaying the token sender incorrectly.
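The check below is an added example, not code from ZachXBT or the original article. It assumes the deception relies on the ERC-20 Transfer event, whose `from` field is written by the emitting contract and is not verified by the protocol; all addresses, the vetted-token list and the sample transactions are constructed.

```python
# keccak256("Transfer(address,address,uint256)"), the ERC-20 Transfer event signature
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def pad(addr):
    """Encode an address the way it appears as an indexed 32-byte topic."""
    return "0x" + "0" * 24 + addr[2:]

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def classify_transfers(tx, vetted_tokens):
    """Label each Transfer log by how far its `from` field can be trusted.

    The `from` value only proves who sent tokens if that address signed the
    transaction, or if the emitting contract is a token you have vetted.
    """
    signer = tx["from"].lower()
    results = []
    for log in tx["logs"]:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue  # not an ERC-20 Transfer (ERC-721 uses 4 topics)
        claimed = topic_to_address(topics[1])
        token = log["address"].lower()
        if claimed == signer:
            verdict = "signed-by-sender"
        elif token in vetted_tokens:
            verdict = "vetted-token"
        else:
            verdict = "unverified-claim"  # explorer may still show `claimed` as sender
        results.append((token, claimed, verdict))
    return results

# Constructed sample data (hypothetical addresses, not real chain data).
WATCHED = "0x" + "11" * 20      # wallet under investigation
DEPLOYER = "0x" + "de" * 20     # account that deployed an unknown token
RECIPIENT = "0x" + "ab" * 20
REAL_TOKEN = "0x" + "70" * 20   # token the analyst has vetted
FAKE_TOKEN = "0x" + "fa" * 20   # unknown contract naming WATCHED in its events
VETTED = {REAL_TOKEN}
SAMPLE_TXS = [
    {"from": WATCHED, "logs": [{"address": REAL_TOKEN,
        "topics": [TRANSFER_TOPIC, pad(WATCHED), pad(RECIPIENT)]}]},
    {"from": DEPLOYER, "logs": [{"address": FAKE_TOKEN,
        "topics": [TRANSFER_TOPIC, pad(WATCHED), pad(RECIPIENT)]}]},
]
```

Only the first sample transaction ties the watched wallet to a token movement; the second is a claim made by an unknown contract in a transaction the wallet never signed.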

Examine the Information You See and Choose Media Wisely

ZachXBT emphasized the importance of scrutinizing the information received, as many are creating false narratives around the FTX incident.