WIRED: Investigation into the "bizarre hacking incident" on the day of FTX's bankruptcy
Original Title: Inside FTX's All-Night Race to Stop a $1 Billion Crypto Heist
Original Author: Wired
Original Translation: Wu Says Blockchain
On the evening of November 11 last year, FTX employees had already endured the worst day in the company's brief history. Earlier that same day, the company, which until recently had been one of the world's top cryptocurrency exchanges, had declared bankruptcy. After a long struggle, executives had persuaded its CEO Sam Bankman-Fried to hand control to John Ray III, the new CEO whose task was now to guide the company out of a nightmarish debt situation, with seemingly no means of repaying those debts.
FTX appeared to have hit rock bottom. Until someone—one or more thieves whose identities remain unknown—chose that particular moment to make things worse. That Friday evening, exhausted FTX employees began to see mysterious outflows of the company's cryptocurrency on Etherscan, with hundreds of millions of dollars in cryptocurrency being stolen in real-time.
"Oh my god, after all this, are we still getting hacked?" recalled a former FTX employee who requested anonymity because he was not authorized to discuss internal company matters.
By FTX's own accounting, the company ultimately lost between $415 million and $432 million in cryptocurrency to those unknown thieves, a figure that has been publicly confirmed as part of its bankruptcy proceedings. What FTX had not previously disclosed is how close it came to losing far more: its employees and outside advisors hurriedly moved over $1 billion in cryptocurrency into safer storage to keep it out of the thieves' hands. At one point they even rushed nearly $500 million onto a USB hardware wallet in a consultant's home office rather than let it fall to the thieves.
"Invitation: Urgent"
As the trial of FTX's disgraced founder Sam Bankman-Fried entered its second week, many in the cryptocurrency community were closely watching the courtroom events for any clues about how the exchange was so catastrophically looted just hours after leaving his control. Who conducted the theft—and whether the thieves were insiders at FTX or external hackers—was the most critical question. This mystery remains unsolved, and neither Bankman-Fried nor other senior FTX executives have been charged in connection with the theft.
But now, WIRED can reveal the events of that frantic night as FTX struggled to limit the damage from the theft and to head off a heist that could have reached ten figures. The new leadership team at FTX, under its new CEO Ray, declined to be interviewed about the incident. However, WIRED reconstructed the minute-by-minute details of the crisis response from detailed invoices submitted in the FTX bankruptcy case by the restructuring firm Alvarez & Marsal, interviews with people who took part in the immediate response to the theft, and blockchain analysis provided by the cryptocurrency tracking firm Elliptic.
The response began around 10 PM on November 11, when Zach Dexter, CEO of FTX subsidiary LedgerX, sent a Google Meet invitation to the remaining 20 or so FTX employees, bankruptcy lawyers, advisors, and consultants. The subject line of the invitation read: "Urgent."
A handful of employees quickly joined the Google Meet video call, which would eventually have dozens of participants over the next 12 hours. They could all see in real-time on Etherscan that FTX wallets were being drained. But very few knew where FTX actually stored its cryptocurrency or how to manage the keys that controlled those wallets. This information was held by a small group of FTX elites—Bankman-Fried and his inner circle. According to sources present, Bankman-Fried never appeared in the meeting, but FTX co-founder and CTO Gary Wang joined the call.
By this time, sources said, Wang had lost the trust of many close to Ray. During the collapse of FTX, Wang had initially sided with Bankman-Fried, only distancing himself from the former CEO after days of persuasion from others within the company.
Wang initially suggested in the emergency meeting that the ongoing theft could be stopped simply by changing the keys protecting the wallets that were being drained, a point that did not win him any support from his critics. A former FTX employee recalled feeling that this was pointless, as whoever had gained network access could simply grab the new keys and continue their theft. "The fox is already in the henhouse; you want to change the keys to the henhouse?" the former employee remembered thinking. Wang later pleaded guilty to the same criminal charges that Bankman-Fried now faces and did not respond to requests for comment sent to his lawyer.
Even as the Google Meet call was getting under way, LedgerX's Dexter had already begun exploring a different way to protect FTX's funds. In the week before the theft, the digital asset trust company BitGo had been negotiating with the law firm Sullivan & Cromwell, which was overseeing FTX's bankruptcy process, to take custody of the company's remaining cryptocurrency assets. So Dexter now called BitGo, trying to bypass the lengthy contract process that Sullivan & Cromwell had started with BitGo. Instead, Dexter asked BitGo to immediately create "cold storage" wallets, wallets whose keys are kept in an offline environment, into which FTX could move all of its remaining funds as a safe haven. Dexter did not respond to requests for comment.
BitGo indicated that the wallets would be ready in about half an hour. FTX employees worried that this was still too slow. By then, the thieves could take hundreds of millions of dollars more in cryptocurrency from the company's wallets.
Someone on the Google Meet call asked whether anyone had a hardware wallet of their own that could hold the funds temporarily until BitGo was ready. Kumanan Ramanathan, an FTX advisor from Alvarez & Marsal who had joined the call from his home in the suburbs of New York, volunteered. He had a Ledger Nano, a USB hardware wallet, in his home office and proposed setting it up as a temporary safe haven for the vulnerable funds.
Around 10:30 PM Eastern Time on November 11, Ramanathan set up a new wallet on his Ledger Nano. A former FTX employee recalled seeing him check and recheck the password he created for that wallet. Wang began transferring FTX's funds to this wallet, and soon, Ramanathan held $400 million to $500 million in cryptocurrency assets on the USB drive at his home in Westchester County.
Late Night 911 Call
Minutes later, BitGo informed FTX employees that its wallets were ready, and they began transferring hundreds of millions of dollars more in cryptocurrency into BitGo's cold storage rather than onto Ramanathan's Ledger. For the rest of that sleepless night, employees combed through every wallet where FTX funds were stored and transferred every coin they could find to BitGo. "They were cleaning up various systems, trying to find where various private keys were, where assets were stored," said another person involved in the response who was not authorized to speak publicly. "It was chaos."
While FTX employees focused on getting executives to sign off on these transfers of still-exposed funds, Ramanathan was left holding the cryptocurrency that Wang had initially sent to his Ledger wallet. This created the strange situation of a single individual personally holding roughly $500 million of FTX company funds, which in itself posed unusual legal and security risks. That night, FTX's general counsel Ryne Miller drove to Ramanathan's home to help safeguard it. Miller declined to comment for this story, and Ramanathan also did not respond to requests for comment.
At 10:59 PM Eastern Time, Ramanathan called the police to report the ongoing theft, explaining that he was holding a significant amount of funds belonging to the victim and requesting police to come to his home to help protect it. After all, no one at that time knew (or knows now) who was stealing the other funds and whether they might attempt to physically access the reserves held by Ramanathan. A police report obtained by WIRED from the New Rochelle Police Department shows that Ramanathan told the 911 dispatcher, "There is a massive cryptocurrency attack happening right now, with a large amount of money being sent to this address," and that he "worried that this house would become a target."
Even after the police arrived, FTX's general counsel Miller stayed at Ramanathan's home for most of the night. Ramanathan's timekeeping records show that he and Miller were at his home for nearly three and a half hours from around 2 AM to 5 AM on November 12.
Neither Ramanathan nor his home ever faced a concrete threat. In fact, by the time the funds were moved to Ramanathan's Ledger wallet, the draining of FTX's wallets had already stopped. "He took a huge risk with his personal Ledger," a former FTX employee said. "He was amazing. I have a strong feeling that if we hadn't done this Ledger thing, we would have lost more money." Around 5 AM on Saturday, November 12, the funds held in Ramanathan's home office were finally transferred to BitGo, which would ultimately hold the remaining $1.1 billion of FTX's funds.
Later on Saturday, Bankman-Fried and Wang transferred over $400 million in funds to accounts controlled by the Bahamian government for safekeeping, a fact reported by Forbes and recorded in court documents. For a time, the transfer of funds to the Bahamas seemed to be misinterpreted as the theft itself. A week after the theft, some media erroneously reported that the stolen funds had actually been seized by the Bahamian government. As counter-evidence, cryptocurrency tracking firms like Elliptic and Chainalysis observed that portions of the actual stolen funds were sent to "mixing" services commonly used for money laundering, such as Railgun and cross-chain coin exchange service THORChain, typical behavior of thieves executing large-scale cryptocurrency thefts.
No Protection, No Roadmap
Since that desperate rescue operation on November 11, the new team running FTX's bankruptcy proceedings has publicly called out the serious security failings that made the theft possible.
An April report released as part of the FTX bankruptcy proceedings listed examples of this alleged negligence: the previous FTX team had no independent chief information security officer and no real dedicated security team; although employees were instructed to tell the public that at most 10% of its cryptocurrency sat in hot wallets (wallets on computers connected to the internet), it kept nearly all of its cryptocurrency in hot wallets; it left wallet keys unencrypted, or failed to properly set up multisignature controls requiring several keys to unlock funds; and it lacked even a log of who was transferring funds and when, among other issues.
The report also described the complex situation the new FTX team faced on November 11, when, on its first day in office, it found itself taking over a network that had already collapsed. "Due to the FTX group's lack of effective controls to protect crypto assets, the debtors faced the threat of potentially losing billions of additional assets at any moment," the report stated, using the term "debtors" for the FTX entities now under Ray's management. "As the debtors struggled to identify and access crypto assets without a 'roadmap' to guide them, they had to design technical paths to transfer many types of assets they identified into cold wallets."
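As an added illustration, not taken from the April report, from WIRED, or from any FTX system: two of the gaps above, nearly everything sitting in hot wallets and no record of who moved funds when, are exactly what the responders on the call were compensating for by watching Etherscan by hand. The Python below is example code written for this page. It treats a small set of treasury hot-wallet addresses as the thing to watch, allowlists only the custodian's cold-storage address as a legitimate destination, and raises a rolling-window alarm when unauthorized outflow accumulates fast. All addresses, amounts, timestamps and thresholds are constructed sample data and assumptions.

```python
"""Added example, not FTX or WIRED code: an allowlist-based outflow monitor
for a set of treasury hot wallets. Every address, amount and timestamp below is
constructed sample data; the thresholds are assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str        # transaction hash (constructed)
    ts: int        # unix timestamp of the containing block
    src: str
    dst: str
    amount: float  # USD-equivalent value at the time of the transfer


# Constructed sample: two treasury hot wallets and one custodian cold-storage address.
TREASURY = {"0xhot1", "0xhot2"}
COLD_ALLOWLIST = {"0xcold-custodian"}

SAMPLE = [
    Transfer("0xaaa1", 1668218400, "0xhot1", "0xattacker1", 40_000_000),
    Transfer("0xaaa2", 1668218460, "0xhot2", "0xattacker1", 55_000_000),
    Transfer("0xaaa3", 1668219000, "0xhot1", "0xcold-custodian", 300_000_000),  # legitimate sweep
    Transfer("0xaaa4", 1668219100, "0xuser", "0xhot1", 1_000),                 # inbound, ignored
    Transfer("0xaaa5", 1668219200, "0xhot2", "0xattacker2", 5_000),             # small but unexpected
]


def flag_outflows(transfers, treasury, allowlist):
    """Return (alerts, totals).

    Any transfer out of a treasury address whose destination is not on the
    cold-storage allowlist is an alert. totals sums alerted value per
    destination so a drain split across many transfers still stands out.
    There is deliberately no minimum size: a few dollars to an unknown
    address is often the attacker's test transaction, the earliest warning
    a monitor can give.
    """
    alerts = []
    totals = defaultdict(float)
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.src not in treasury or t.dst in allowlist:
            continue
        alerts.append(t)
        totals[t.dst] += t.amount
    return alerts, dict(totals)


def first_breach(alerts, window_s, limit):
    """Return the timestamp at which alerted outflow inside any rolling
    window of window_s seconds first exceeds limit, or None.

    Every alert deserves review, but this is the "page someone now" rule:
    a rolling limit separates a one-off anomaly from a drain in progress.
    """
    window = deque()
    running = 0.0
    for t in alerts:  # alerts come out of flag_outflows already sorted by ts
        window.append(t)
        running += t.amount
        while window and t.ts - window[0].ts > window_s:
            running -= window.popleft().amount
        if running > limit:
            return t.ts
    return None


if __name__ == "__main__":
    alerts, totals = flag_outflows(SAMPLE, TREASURY, COLD_ALLOWLIST)
    for t in alerts:
        print(f"ALERT {t.tx} {t.src} -> {t.dst} ${t.amount:,.0f} at {t.ts}")
    print("unauthorized outflow per destination:", totals)
    print("rolling-window breach at:", first_breach(alerts, window_s=600, limit=50_000_000))
```

On the constructed sample the sweep to the custodian address passes silently, the two large transfers to the same unknown address trip the ten-minute, $50M rolling limit at the second transfer, and the tiny transfer to a second unknown address is still recorded as an alert. In practice the transfer list would come from a node or an indexer feed rather than a literal, and the allowlist would be the custodian addresses the legal and treasury teams have actually approved.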
Given this security chaos and organizational disarray, it may not be surprising that FTX became the target of one of the largest cryptocurrency thefts in history. But had it not been for some quick decisions made amid that chaos, things might have turned out worse.
"It was a very, very crazy night," a former FTX employee said, "we worked hard to solve the problem, get the job done, and save a lot of customer money."