A complete analysis of the FTX money-sucking incident: hackers stealing coins or intentionally running away

The market has not yet recovered from the shock of the collapse of the FTX building and the announcement of bankruptcy and reorganization a few days ago. One wave of troubles has not yet subsided when another wave of troubles arises.

In recent days, although user deposits cannot be withdrawn, FTX is still open for trading, and user deposits are also jokingly called "happy beans", and many users still hold out hope to operate.

Since this morning, user deposit values, deposit and withdrawal records, and transaction records have all disappeared. For FTX users, the last glimmer of hope has almost been shattered.

At noon today, FTX was suspected to be hacked. On-chain records show that a large number of exchange assets of FTX and FTX US began to be aggregated to the same on-chain address 0x59abf3837fa962d6853b4cc0a19513aa031fd32b. Some wallets were marked as fucksbf and fuckftxandsbf.eth, which also made people wonder whether FTX was hacked.

Multiple project parties have reminded users of the possibility of information leakage and recommended uninstalling the FTX App. Do not download the new version of FTX or perform version updates.

In addition, FTX Telegram administrator Rey said that FTX was hacked and warned people not to visit the FTX website because it might download Trojan viruses.

FTX US General Counsel Ryne Miller responded that they are investigating wallet movements related to the consolidation of FTX balances across exchanges and will share more information as soon as possible.

So far, FTX has not given a detailed explanation for the "hacker" incident. However, it declared bankruptcy yesterday, and most of its assets were stolen today. It is hard to believe that this is not directed by someone. The strange behavior of the wallet makes people wonder whether this is an accidental "coin theft" or the team ran away with the money.

After the funds were collected, a large amount of funds were transferred out of FTX and sold through DEX, and the sellers did not care about slippage at all. Currently, UNI, stETH, 1INCH, WBTC, SUSHI, YFI, LDO, LINK, MATIC, AAVE, SHIB, and APE with addresses starting with 0x59ab are being sold.

Surprisingly, the slippage of these token sales was extremely high. Take MATIC as an example. The hacker sold MATIC worth about $9.13 million, but only received ETH worth about $6.23 million. The loss caused by slippage was as high as nearly 3 million. The urgency of cashing out is shocking.

After selling a large amount of tokens, the hacker address did something even more bizarre. Unlike previous hackers who held a large amount of ETH to cash out, the FTX hacker address (starting with 0x59ab) not only used ETH and DAI, but also used 46.2 million USDT to buy 116,915 BNB at a unit price of $395.

The hackers' timely appearance also made the market inevitably make some more associations about the direction of things.

Autism Capital, a Twitter user who has been following the incident, gave a more sensational guess: the hacker did not exist and it was an insider who absconded with the money.

Autism Capital found that the hacker's operation records did not match the time point when FTX disclosed information to the outside world, and the hacker's operation authority was extremely high. Some people believed that this was not something that outsiders could achieve.

Some community users found that Gary Wang, the founder and CTO of FTX, was still contributing code on his Github on November 11. This active "work" situation is also puzzling. On the FTX official website, only Gary Wang and SBF have the title of "Founder".

This afternoon, Reuters' report also revealed more doubts. The FTX legal and financial team found that SBF implemented a so-called "backdoor" in FTX's accounting system, which was built using custom software. The "backdoor" allows SBF to perform work that could change the company's financial situation without alerting others (including external accountants). They said that this setting meant that the transfer of $10 billion in funds to Alameda did not trigger any internal compliance or accounting risk alerts at FTX.

At least $1 billion in customer funds have disappeared from crypto exchange FTX, according to two people familiar with the matter. People familiar with the matter said Sam Bankman-Fried has secretly transferred $10 billion in customer funds from FTX to Alameda Research. One source estimated the unaccounted amount to be around $1.7 billion. Another said it was between $1 billion and $2 billion.

As the number one internet celebrity, Musk is naturally present at such a phenomenal event.

At 14:00 today, Elon Musk tweeted that he was tracking the FTX crash/investigation in real time on Twitter. Later, he also participated in the SPACE thread on the FTX incident, but did not reveal more information on whether he would participate in the incident.

At 15:00 today, FTX US General Counsel Ryne Miller responded, "Following the Chapter 11 bankruptcy filing, FTX US and FTX initiated preventive measures to transfer all digital assets to cold wallets. The process has been accelerated to mitigate losses caused by unauthorized transactions." However, he did not specify whether today's "hacking" behavior was an official "transfer". At present, FTX has not made an official statement on this incident.

The FTX hacking incident is still unfolding, and the truth is still unclear. Odaily Planet Daily will continue to track the progress of this incident.