On Friday night, as the weary crypto world was ready to pack it in after the industry’s most eventful week on record, news began to filter in around 9:45 p.m. Eastern Time that hundreds of millions of dollars were flowing out of FTX wallets.
“Hack or insider actions?” tweeted foobar, a popular figure on Crypto Twitter, along with a screenshot showing the movement from the blockchain explorer Etherscan. “They seem to be moving everything.”
It quickly became clear that nobody would be having a quiet Friday night as amateur investigators rushed to figure out what was happening, pointing to the fact that many of the transactions had been encoded with taunting messages like “Rug Pull All” (a “rug pull” is a common crypto term for when insiders steal money).
About an hour later, the prominent on-chain sleuth ZachXBT tweeted that former FTX employees confirmed they did not recognize the transfers, which added up to around $383 million.
Evidence was pointing to an outside job—a theory strengthened just 20 minutes later, when FTX US general counsel Ryne Miller tweeted that he was “investigating abnormalities with wallet movements related to consolidation of FTX balances across exchanges.”
Matters only grew worse as the figure ballooned to more than $600 million. Just before midnight, an administrator on the official FTX channel on Telegram sent an ominous message.
“FTX has been hacked…Don’t go on FTX site as it might download Trojans,” referring to a malicious type of computer virus.
Users—already concerned about the status of their money, which they were unable to withdraw, and now unable to even log in to the app without risking downloading malware—panicked, with many blaming the hack on an inside job by FTX itself.
“This is the greatest rug pull of the decade,” wrote one user named Mo Bamba.
One user told Fortune that as of Monday, they can no longer log in nor open the app, with the Safari browser just giving them a loading screen and then a Cloudflare error.
Later that evening, Miller of FTX US tweeted that following the companies’ Chapter 11 bankruptcy filings, they had initiated precautionary steps to move all digital assets to cold storage—a process that had been expedited following the unauthorized transactions.
The next day, he tweeted that FTX US and FTX were making every effort to secure the assets, confirming that unauthorized access to certain assets had occurred, attributing the statement to John Ray, who has taken over as CEO of FTX following Sam Bankman-Fried’s resignation.
Who is the hacker?
By Saturday, sentiment seemed to shift on Crypto Twitter that the hacker was in fact an insider at FTX. In a Twitter thread from a cybersecurity auditor laying out evidence, the chief security officer at the exchange Kraken responded, “This has been under investigation,” before writing, “we know the identity of this account.”
Miller, the FTX US general counsel, reached out to Percoco to see if they could work together.
“We have actively monitored recent developments with the FTX estate, are in contact with law enforcement, and have frozen Kraken account access to certain funds we suspect to be associated with “fraud, negligence, or misconduct…related to FTX,” a Kraken spokesperson told Fortune.
As of Monday, many of the details remain uncertain, including the actual figure of the hack. Blockchain analysis firm Elliptic put the outflow at $663 million, although it said that $477 million is suspected to have been stolen.
TRM Labs, a different blockchain analysis firm, calculated the figure at $338 million.
When contacted, a TRM Labs spokesperson pointed to the company’s tweet. An Elliptic spokesperson pointed to the blog post the company published on Saturday.
Most of the money is currently sitting in a handful of wallets, with everyone from blockchain analysis firms to Kraken to FTX itself searching for the origin of the hack. With all eyes on the addresses and the notorious mixing service Tornado Cash incapacitated by U.S. government sanctions, it seems like only a matter of time before the culprit is found.