Intro and TL;DR
You’ve probably seen the news about the FTX hacker account.
There is SO MUCH going on in this account that anything you think is happening is probably done to hide his tracks. Dozens of tokens and DeFi swaps have been used. Some tokens have been sent over Polygon PoS and Bitcoin bridges. PAXG seems to be his favorite token by far for token laundering.
These are all the tokens he’s been swapping to:
stETH, USDT, LINK, USDP, LDO, WBTC, SUSHI, YFI, 1INCH, UNI, LINK, MATIC, PAXG, SHIB, AAVE, APE, PAXG, SNX, renBTC
I wouldn’t trust anything posted by the media or random Twitter posts unless they’re citing experts. This should be done by a professional trace analyzer because they have specialized tools for tracing this.
I do not believe the hacker is related to the Bahamian government. These transactions are much too random, chaotic, and swap for too many random tokens. If it is the Bahamian government, then they’re totally letting SBF create chaos with it. He’s been constantly sending shitcoins to famous people’s Ethereum accounts for the past week. (Edit: Correction. These token transfers are actually being spoofed. My bad. I should’ve caught that. The way you can tell is that the FTX Hacker account is not the address initiating the token transfer.)
AFAICT, the hacker is not trying to sell ETH for BTC. I’m guessing he’s trying to exit using whatever exchange or swap that hasn’t yet blacklisted him. PAXG was the weak link on Nov 12. It’s now $60M worth of ETH to WBTC and renBTC, which he’s using to exit to BTC mainnet.
Here’s my best attempt at an amateur trace analysis
There are at least 11 FTX hacker addresses, most of which were created on Nov 12. One last one was created today.
Main address: https://etherscan.io/address/0x59abf3837fa962d6853b4cc0a19513aa031fd32b
History

- This one’s been around for 8 days since Nov 12.
- It’s been growing ETH. Started with 160k ETH. Grew to 200k ETH on Nov 15 and then to 250k ETH on Nov 19. 50k ETH has been swapped or transferred out today.
- On the first day, it was sent out to 26 different addresses. Apparently, he found out that PAXG swaps were the weakest link and was able to swap to $60M of it.
- Since then, it has stayed quiet (other than for shitcoin transfers) until today. There was 1 lone Tx on Nov 15 for token approval for DAI on CoW Protocol.
- Suddenly today, it has become active again.

Current balance

- 200k ETH, down from 250k ETH yesterday. That’s a difference of about $60M USD worth of ETH that went elsewhere.
- $14M of PAXG
- 70+ random shit tokens. Some were sent by others to insult the owner. Some were swapped into by the owner.

Nov 12 activity

This guy is an absolute DeFi degenerate. He’s possibly testing for blacklists on his first day or trying to exit as fast as he can. He used over a dozen different swaps.

- Did tons of token approvals. I stopped listing the duplicates on different dApps. For example, he tested approvals for PAXG on at least a dozen swaps. And these are just what I can see on the blockchain. There is: stETH, USDT, LINK, USDP, LDO, WBTC, SUSHI, YFI, 1INCH, UNI, LINK, MATIC, PAXG, SHIB, AAVE, APE, PAXG, SNX
- Swapped 523k USDT for USDC
- Swapped 14M USDT for cUSDT
- Swapped 14.5M USDT for DAI
- Swapped 2M worth of WETH and LDO??
- Transferred 4M MATIC to the MATIC bridge. Oh boy. Someone will need to analyze this separately.
- Swapped 1k PAXG for WETH, $1.4M worth. Interesting since he did it again and again and again. These stand out. Probably hitting liquidity issues.
- Several hours go by
- Swapped PAXG for WETH. I’m not going to list all of these. He made a dozen more transactions to swap $25M PAXG for WETH using KyberSwap.
- Random Maker proxy registry, it seems for PAXG.

Nov 20 activity (today)

- Sent $5.9M ETH to Side address 5
- Sent $11.7M ETH to Side address 5
- Sent $11.7M ETH to Side address 5
- Sent $29.3M ETH to Side address 5
Side addresses
- FTX Account Drainer 2 (22 Tx):
  - Token approvals for PAXG on multiple swaps
  - A mega transaction for PAXG, DAI, WETH, USDC. End result seems to be a $1.7M of PAXG swap to ETH.
  - Transferred 1 ETH to FTX Accounts Drainer 3 and this random address
- FTX Account Drainer 3 (2 Tx): Has $1k of ETH and $870k of PAXG
- FTX Account Drainer 4 (1 Tx): Has $870k of PAXG
- Side Account 5
  - This is the one that prompted multiple media posts.
  - These swaps are pretty complicated. Spent a lot of transactions on the FTX Bahamas shit token for some reason.
  - Swapped $4.8M ETH for WBTC for renBTC
  - And again for $3.5M, $1.2M, … and lots more for a total of $60M worth of tokens to renBTC.
  - Burned $1.1M, $16.5M, $29M, $11.4M using the Ren BTC Gateway for a total of ~$60M.
  - So he’s exiting to Bitcoin mainnet, and Bitcoin UTXOs are way harder to trace. Needs professional trace tools. Chainalysis is already on the investigation for the renBTC bridge exit.
There are at least 6 other accounts of smaller activity
#### Sending shitcoins to famous people’s addresses
If it weren’t obvious already that this isn’t the government, he’s trolling others by sending shitcoins to them.
Edit: These are actually Spoofed tokens
Anyways, I’m just one person tracing this for 2 hours. I’ll leave it to the professionals like Chainalysis to do a better job.
One of the takeaways is that even if you blacklist one account, it’s hard to actively trace the other accounts they’re going to and actively block them.
Edit: ZachXBT also has a good thread on this that he posted an hour ago. It covers a lot of the same topics, but also includes some details I missed.
Spoofed tokens: I made a mistake. The sent shitcoins are likely being spoofed to make it look like the FTX Hacker sent them. But they’re actually smart contracts designed so that someone else could transfer them while tricking the block explorer. The way you can tell is that the FTX Hacker account is not the address initiating the token transfer, and I should’ve noticed that: https://medium.com/etherscan-blog/spoof-tokens-on-ethereum-c2ad882d9cf6
submitted by /u/Maleficent_Plankton
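The spoof check described in the post's correction (the address named as sender in the token transfer is not the address that initiated the transaction), as an added example that is not part of the original post. The transaction dictionaries are constructed sample data shaped like a receipt's logs; every address except the main address quoted in the post is made up.

```python
# ERC-20 Transfer(address,address,uint256) event signature (topic0).
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
WATCHED = "0x59abf3837fa962d6853b4cc0a19513aa031fd32b"  # main address from the post

def pad(addr):
    """Encode an address as a 32-byte indexed topic (left-padded with zeros)."""
    return "0x" + "0" * 24 + addr[2:].lower()

def topic_to_address(topic):
    """An indexed address occupies the last 20 bytes of the 32-byte topic."""
    return "0x" + topic[-40:].lower()

def classify_transfers(tx, watched):
    """Return one finding per ERC-20 Transfer log that names `watched` as sender."""
    watched, initiator = watched.lower(), tx["from"].lower()
    findings = []
    for log in tx["logs"]:
        topics = log["topics"]
        # ERC-20 Transfer has exactly 3 topics; ERC-721 uses 4 (indexed tokenId).
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        if topic_to_address(topics[1]) != watched:
            continue
        findings.append({
            "token": log["address"].lower(),
            "to": topic_to_address(topics[2]),
            "initiator": initiator,
            # A mismatch is only a lead: an approved spender calling
            # transferFrom also produces it, so check approvals/balances next.
            "verdict": "initiated_by_watched" if initiator == watched else "possible_spoof",
        })
    return findings

# Constructed sample transactions (all addresses except WATCHED are made up).
OTHER = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
RECIPIENT = "0x" + "33" * 20
SPOOF_TX = {"from": OTHER, "logs": [
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, pad(WATCHED), pad(RECIPIENT)]}]}
REAL_TX = {"from": WATCHED, "logs": [
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, pad(WATCHED), pad(RECIPIENT)]}]}

if __name__ == "__main__":
    for name, tx in (("spoof", SPOOF_TX), ("real", REAL_TX)):
        print(name, classify_transfers(tx, WATCHED))
```
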