On the evening of November 11, 2022, FTX was thrown into turmoil. A report has shed light on the harrowing hours that followed the massive security breach: after the cryptocurrency exchange announced its bankruptcy, it fell victim to an attack that siphoned off over $400 million from its coffers.
Desperate attempts to protect the remaining assets saw FTX co-founder Gary Wang resort to using Kumanan Ramanathan’s Ledger Nano to store around $400 to $500 million. Meanwhile, the FTX team anxiously awaited a response from BitGo regarding cold storage solutions, a strategy recommended by Zach Dexter of LedgerX. This substantial sum was then moved to BitGo the following day, where the funds eventually grew to approximately $1 billion of FTX’s remaining assets.
Unraveling the Chaos and Security Flaws
The scene on that night was frenzied. FTX personnel tirelessly tracked the stolen crypto wallets of the company, transferring any recovered amounts to BitGo’s more secure cold wallets. According to the report, much of the chaos stemmed from confusion regarding the locations of the private keys.
For each wallet, the FTX Group stored the three necessary private keys in one place, so anyone with access to any one of them had access to all the keys needed to transfer the wallet’s contents, which went against the purpose of controls.
John J. Ray.
FTX’s security model relied on multisig wallets, which require multiple authorizations for a transfer, but it was fundamentally undermined by how the keys were handled. As highlighted by FTX CEO John J. Ray in a court document, instead of dispersing the private keys, the FTX Group kept the three private keys required for transfers in the same location. This rendered the multisig model entirely ineffective, since compromising that one location yielded every key needed to move funds, and Ray also emphasized the lack of ‘visibility’ controls that would have detected such activity.
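The point Ray makes is that a multisig wallet is only as strong as the separation of its keys: what matters is not how many signatures the wallet demands, but how many independent custodians an attacker must breach to collect them. The following is an added example, not code from the report or from FTX, that models this. It assumes the hypothetical storage locations and key names shown (three keys, as the report describes, with the m-of-n threshold parameterized so that both the 3-of-3 case and a more common 2-of-3 policy can be examined) and computes the "effective threshold": the smallest number of locations whose combined key holdings reach the signing threshold.

```python
"""Key-custody topology versus nominal multisig threshold.

Added illustration, not FTX's or the report's code. Location and key names
are constructed for the example.
"""
from itertools import combinations
from typing import Dict, Iterable, Optional, Set


def keys_reachable(custody: Dict[str, Set[str]], compromised: Iterable[str]) -> Set[str]:
    """Union of all keys held at the compromised locations."""
    keys: Set[str] = set()
    for location in compromised:
        keys |= custody.get(location, set())
    return keys


def can_transfer(custody: Dict[str, Set[str]], compromised: Iterable[str], m: int) -> bool:
    """True if an attacker holding every key at `compromised` locations can
    produce m distinct signatures, i.e. satisfy an m-of-n wallet policy."""
    return len(keys_reachable(custody, compromised)) >= m


def effective_threshold(custody: Dict[str, Set[str]], m: int) -> Optional[int]:
    """Minimum number of locations an attacker must compromise to gather m
    distinct keys. Returns None if the locations together hold fewer than m
    keys (the wallet could never be spent). Exhaustive search is fine here:
    real custody setups have a handful of locations, not hundreds."""
    locations = list(custody)
    for size in range(1, len(locations) + 1):
        for subset in combinations(locations, size):
            if can_transfer(custody, subset, m):
                return size
    return None


# Constructed custody layouts. Each maps a storage location to the keys it holds.
SEPARATED = {  # one key per independent custodian: the intended multisig design
    "hsm_office_a": {"key1"},
    "hsm_office_b": {"key2"},
    "custodian_vault": {"key3"},
}
COLOCATED = {  # every key in one place, as the report describes at FTX
    "shared_store": {"key1", "key2", "key3"},
}
PARTIAL = {  # two keys together, one apart: common and still weak for 2-of-3
    "shared_store": {"key1", "key2"},
    "custodian_vault": {"key3"},
}


def summarize(custody: Dict[str, Set[str]], m: int) -> str:
    """Human-readable comparison of nominal and effective threshold."""
    nominal = m
    effective = effective_threshold(custody, m)
    return f"nominal {nominal}-of-3 signatures, effective {effective} location(s) to breach"


if __name__ == "__main__":
    for name, layout in (("separated", SEPARATED), ("co-located", COLOCATED), ("partial", PARTIAL)):
        for m in (3, 2):
            print(f"{name:10s} m={m}: {summarize(layout, m)}")
```

Running it shows that the co-located layout collapses both a 3-of-3 and a 2-of-3 policy to a single point of compromise, and that even the partial layout gives a 2-of-3 wallet an effective threshold of one. The design lesson is that a custody review should compute this number, not just read the wallet policy; the detection lesson, matching Ray's remark on visibility, is that signatures for one transfer originating from a single host or session are themselves a signal worth alerting on.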
In the aftermath of the hack, the exchange’s bankruptcy status raised doubts about whether the reported theft was genuine. As the picture cleared, it became evident that a staggering $500 million from both the international and US divisions had vanished. Following the breach, the wallet addresses involved remained dormant, showing activity only recently, when the alleged hacker attempted to convert their ETH to Bitcoin via ThorSwap.