As the criminal trial of FTX founder Sam Bankman-Fried unfolds in a Manhattan courtroom, some observers in the cryptocurrency world have been watching a different FTX-related crime in progress: The still-unidentified thieves who stole more than $400 million out of FTX on the same day that the exchange declared bankruptcy have, after nine months of silence, been busy moving those funds across blockchains in an apparent attempt to cash out their loot while covering their tracks. Blockchain watchers still hope that money trail might help to identify the perpetrator of the heist—and according to one crypto-tracing firm, some clues now suggest that those thieves may have ties to Russia.
Today, cryptocurrency tracing firm Elliptic released a new report on the complex path those stolen funds have taken over the 11 months since they were pulled out of FTX on November 11 of last year. Elliptic’s tracing shows how that nine-figure sum, which FTX puts at between $415 million and $432 million, has since moved through a long list of crypto services as the thieves attempt to prepare it for laundering and liquidation, and even through one service owned by FTX itself. But those hundreds of millions also sat idle for all of 2023—only to begin to move again this month, in some cases as Bankman-Fried himself sat in court.
Most tellingly, Elliptic’s analysis is the first to note that whoever is laundering the stolen FTX funds appears to have ties to Russian cybercrime. One $8 million tranche of the money ended up in a pool of funds that also includes cryptocurrency from Russia-linked ransomware hackers and dark web markets. That commingling of funds suggests that, whether or not the actual thieves are Russian, the money launderers who received the stolen FTX funds are likely Russian, or work with Russian cybercriminals.
“It’s looking increasingly likely that the perpetrator has links to Russia,” says Elliptic’s chief scientist and cofounder Tom Robinson. “We can’t attribute this to a Russian actor, but it’s an indication it might be.”
From the first days of their money laundering process following the theft, Elliptic says, the FTX thieves have largely taken steps typical for the perpetrators of large-scale crypto heists: secure the funds, swap them for more easily laundered coins, and then funnel them through cryptocurrency “mixing” services to achieve that laundering. The majority of the stolen funds, Elliptic says, were stablecoins, which, unlike other forms of cryptocurrency, can be frozen by their issuer in cases of theft. In fact, the stablecoin issuer Tether moved quickly to freeze $31 million of the stolen money in response to the FTX heist. So the thieves immediately began exchanging the rest of those stablecoins for other crypto tokens on decentralized exchanges like Uniswap and PancakeSwap—which don’t have the know-your-customer requirements that centralized exchanges do, in part because they don’t allow exchanges for fiat currency.
In the days that followed, Elliptic says, the thieves began a multi-step process to convert the tokens they’d traded the stablecoins for into cryptocurrencies that would be easier to launder. They used “cross-chain bridge” services that allow cryptocurrencies to be exchanged from one blockchain to another, trading their tokens on the bridges Multichain and Wormhole to convert them to Ethereum. By the third day after the theft, the thieves held a single Ethereum account worth $306 million, down about $100 million from their initial total due to the Tether seizure and the cost of their trades.
From there, the thieves appear to have focused on exchanging their Ethereum for Bitcoin, which is often easier to feed into “mixing” services that offer to blend a user’s bitcoins with those of other users to prevent blockchain-based tracing. On November 20, nine days after the theft, they traded about a quarter of their Ethereum holdings for Bitcoin on a bridge service called RenBridge—a service that was, ironically, itself owned by FTX. “Yes, it is quite amazing, really, that the proceeds of a hack were basically being laundered through a service owned by the victim of the hack,” says Elliptic’s Robinson.
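The kind of analysis Elliptic describes above, in which stolen funds are followed across swaps and bridges until they land in a pool shared with ransomware proceeds, rests on a simple idea: propagate a “taint” label proportionally through every transaction and flag any address that ends up holding taint from more than one labeled source. The following is an added illustration written for this page, not Elliptic’s tooling or any real FTX transaction data. The ledger, address names, amounts, and the two source labels are all constructed; swaps and bridges are modeled as transactions whose output amount is smaller than the input (fees and slippage), which is what the “haircut” model in the code absorbs.

```python
from collections import defaultdict

# Constructed sample ledger (illustrative only; no real FTX or ransomware addresses).
# Each tx is (txid, note, inputs, outputs); inputs/outputs are lists of (address, amount).
# A DEX swap or cross-chain bridge is modeled as a tx whose outputs are a different asset;
# value lost to fees/slippage simply makes total_out smaller than total_in.
SAMPLE_LEDGER = [
    ("t1", "theft: stablecoins out of the exchange hot wallet", [("ftx_hot", 1000)], [("thief_a", 1000)]),
    ("t2", "DEX swap stablecoin -> ETH, 5% slippage",           [("thief_a", 1000)], [("thief_eth", 950)]),
    ("t3", "bridge ETH -> BTC",                                   [("thief_eth", 950)], [("thief_btc", 900)]),
    ("t4", "ransomware proceeds land in a pooling address",      [("ransom_wallet", 400)], [("pool_x", 400)]),
    ("t5", "a tranche of the stolen funds joins the same pool",  [("thief_btc", 300)], [("pool_x", 300)]),
    ("t6", "pool sweeps to an exchange deposit address",         [("pool_x", 700)], [("exchange_dep", 700)]),
]

# Seed addresses (assumed labels): anything they spend is 100% tainted with their label.
SAMPLE_SOURCES = {"ftx_theft": {"ftx_hot"}, "ransomware": {"ransom_wallet"}}


def trace_taint(ledger, sources):
    """Propagate taint proportionally (the 'haircut' model) through a ledger in tx order.

    Returns (taint, commingled):
      taint[addr][label] -> tainted amount currently held at addr that came from that label
      commingled[addr]   -> set of labels whose taint was ever held at addr at the same time
    """
    balance = defaultdict(float)
    taint = defaultdict(lambda: defaultdict(float))
    commingled = {}
    addr_label = {a: lbl for lbl, addrs in sources.items() for a in addrs}

    for _txid, _note, inputs, outputs in ledger:
        total_in = sum(amt for _, amt in inputs)
        tainted_in = defaultdict(float)  # label -> tainted amount entering this tx

        for addr, amt in inputs:
            if addr in addr_label:  # a seed address: everything it spends is tainted
                tainted_in[addr_label[addr]] += amt
                continue
            if balance[addr] <= 0:
                continue
            # The spent amount carries the address's taint in proportion to its balance.
            share = min(1.0, amt / balance[addr])
            for label, held in list(taint[addr].items()):
                moved = held * share
                tainted_in[label] += moved
                taint[addr][label] -= moved
            balance[addr] -= amt

        for addr, amt in outputs:
            # Each output receives the tx's taint fraction; fees and slippage shrink it.
            for label, t_amt in tainted_in.items():
                taint[addr][label] += amt * t_amt / total_in
            balance[addr] += amt
            held = {lbl for lbl, v in taint[addr].items() if v > 1e-9}
            if len(held) > 1:  # funds from two labeled sources now sit in one address
                commingled.setdefault(addr, set()).update(held)

    return taint, commingled


def commingling_report(ledger, sources):
    """Human-readable list of addresses where funds from different labels were pooled."""
    _, commingled = trace_taint(ledger, sources)
    return sorted((addr, sorted(labels)) for addr, labels in commingled.items())


if __name__ == "__main__":
    for addr, labels in commingling_report(SAMPLE_LEDGER, SAMPLE_SOURCES):
        print(f"{addr}: commingles {', '.join(labels)}")
```

Two points are worth noting. First, the pooling address is flagged at the moment the second tranche arrives, even though it is swept empty a transaction later, which is why the code records commingling as it happens rather than only inspecting final balances. Second, commingling on its own says nothing about who the thief is; as Robinson is quoted above, it indicates that the launderer downstream handles funds from both sources, and the attribution question stays open.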