
Russian-Linked Broker Involved in Laundering Stolen Funds from FTX – Elliptic Analysis

It is highly likely that a Russian-linked broker or other intermediary was involved in laundering some of the funds stolen from FTX in November 2022. Experts at Elliptic came to this conclusion.

The hacker began an unauthorized withdrawal of funds on the day the exchange filed for bankruptcy. In a few hours, he withdrew $477 million in various cryptocurrencies from the platform’s wallets.

Crypto assets stolen from FTX. Data: Elliptic.

Of the stolen assets, $434 million were stablecoins and other tokens, the issuers of which could freeze funds upon request. This is partially what happened, for example, with $31.5 million in USDT.

To avoid further blocking, the hacker began transferring cryptocurrencies to Ethereum. He used decentralized exchanges for conversion, including Uniswap and PancakeSwap, and the cross-chain bridges Multichain and Wormhole.

Just three days after the hack, the attacker’s Ethereum account contained 245,000 ETH (~$306 million at the time of writing). Elliptic experts noted that the haul had been “significantly reduced” by that time due to confiscations and the costs of forward swaps.

On November 20, 65,000 ETH from the wallet was transferred to the Bitcoin blockchain through the RenBridge cross-chain protocol owned by Alameda Research, a subsidiary of FTX.

Of the 4,536 BTC received after conversion, the hacker sent 2,849 BTC to mixing services, mainly ChipMixer. Analysts determined that approximately $4 million in assets were cashed out through exchanges this way.

“Significant amounts of stolen assets that can be traced through ChipMixer are combined with funds from Russian-linked criminal groups, including extortion and darknet markets, and then sent to exchanges. This indicates the participation of a broker or other intermediary with connections in the Russian Federation,” Elliptic experts emphasized.

The remaining 180,000 ETH in the attacker’s wallet lay motionless for the next nine months. On September 30, 2023, the hacker resumed money laundering operations.

However, RenBridge went out of business shortly after FTX collapsed. In March 2023, authorities in the United States, Germany and several European countries shut down the infrastructure of the ChipMixer mixer and seized funds on the platform.

Therefore, the attacker continued to implement the scheme using the THORChain cross-chain bridge and the Sinbad mixing service.

The latter is often used by the Lazarus Group, which is accused of some of the largest cryptocurrency hacks. This gave rise to speculation that the group was also behind the theft of FTX funds. But Elliptic analysts noticed that North Korean hackers resort to more sophisticated and complex methods of money laundering than those of the exchange hacker.

We would like to remind you that, according to company experts, the volume of illegal crypto-assets laundered using cross-chain operations reached a record $7 billion in a year.


2023-10-12 15:02:30