Elliptic, the blockchain surveillance firm, has now said that there is a ‘stronger possibility’ that a Russian-linked entity was behind the mysterious hack that occurred on the collapsed FTX crypto exchange.
The initial hypothesis was that Sam Bankman-Fried, the co-founder and former CEO of the crypto exchange, had stolen the money.
But the fact that he was in a Manhattan courtroom at the time the hack occurred cast doubt on this theory right away.
Elliptic’s statement
In a blog post, Elliptic said that $15 million worth of the crypto tokens that were stolen in the hack were moved on October 4th, 2023 at about 3:41 pm EST.
At that time, Bankman-Fried did not have internet access because he was in court. On Thursday the company shared a timeline outlining the on-chain movement of the funds stolen by the hacker.
Since the hack occurred, most of the proceeds have been bridged to Bitcoin and run through ChipMixer, an unlicensed Bitcoin privacy mixer.
Earlier this year, the Department of Justice (DOJ) had shut down that mixer.
The funds
According to Elliptic, significant amounts of the stolen assets that had been run through the mixer were traced.
They had been mixed with funds belonging to criminal groups linked to Russia, including darknet markets and ransomware gangs, and then transferred to exchanges.
The blockchain surveillance firm said that this indicated the involvement of an intermediary or broker based in Russia.
Last November, on the day that crypto exchange FTX had filed for bankruptcy, an unknown hacker had stolen 9,500 ETH tokens.
The tokens had been transferred from a wallet on the FTX exchange to a new address. The hacker also claimed a number of other crypto assets, which were valued at $477 million in total.
Some of the compromised tokens included Wrapped Bitcoin (WBTC), Tether (USDT), and Pax Gold (PAXG).
Some of these funds were frozen at the direction of regulators, but most were successfully swapped for other tokens and bridged to other blockchains over the following few days.
Additional details
Elliptic said that bridging the funds in this way broke the blockchain trail, which made tracing the funds more difficult and also gave the hacker access to services on other blockchains that could be used to launder them further.
On 20th November, the hackers used RenBridge to convert 65,000 ETH tokens to Bitcoin, most of which was later sent to ChipMixer.
Ironically, RenBridge was owned by Alameda Research, the sister trading desk of the hacked crypto exchange FTX.
Nine months later, THORSwap was used to transfer another 75,000 ETH tokens, valued at $120 million. The service has since been suspended due to money laundering concerns.
As ChipMixer had already been shut down, another mixer called Sinbad was used; Sinbad is considered a rebranding of Blender, which the US Treasury Department had sanctioned.
The North Korean hacker group Lazarus had previously used Blender, but the group is unlikely to be behind this hack because the money laundering methods used here are ‘unsophisticated’ compared with those Lazarus typically employs.