FTX hacker still draining exchange wallets? Analyst calls it on-chain spoofing

The FTX hacker that drained over $450 million worth of assets just moments after the doomed crypto exchange filed for bankruptcy on Nov. 11, continues to drain assets from the exchange, four days after the hack was first flagged.

Crypto analytic firm Certik, in a tweet, noted that the hacker wallet is still draining crypto assets from the wallets associated with the FTX and FTX.US. The FTX hacker wallet currently holds $62 million worth of assets.

Since Nov. 12 the hacker wallet has received and swapped 3.2 billion meme tokens and sent 2.8 billion of these tokens to popular addresses. These meme tokens mostly comprised profanity tokens such as FTX Sucks, Fuck FTX, CRO Next and more.

Meme tokens sent and received by FTX exploit address. Source: Certik

A crypto analyst who goes by the Twitter name of ZachXBT claimed that the recent movement of funds is just on-chain token spoofing. The analyst claimed that Etherscan transfer logs can be spoofed and the recent movement of funds in the FTX hack saga is one example of that.

The ERC-20 standard “transfer” and “transfer from” functions can be modified to allow any arbitrary address to be the sender of tokens, as long as this is specified within the smart contract, resulting in a token being transferred from a different address than the one that initiated the transaction.

These tokens can be sent to any address and then sent out of that address (to any other address) without the address owner having any control of those tokens. If you open the transaction and see “sent from,” it will show a different address.

As Cointelegraph reported on Nov, 12, the hack was flagged right after FTX announced bankruptcy. At the time, out of the $663 million drained, around $477 million were suspected to be stolen, while the remainder is believed to be moved into secure storage by FTX themselves.

The wallet owner was found swapping $26 million Tether (USDT) to Dai (DAI) via 1inclh and approved Pax Dollar (USDP) — a Paxos-issued stablecoin — for trade on CoW Protocol. The wallet also approved transfers and sales of other cryptocurrencies, including Chainlink (LINK), Compound USDT (cUSDT) and Staked Ether (stETH).

The fact that hackers managed to drain assets from FTX global and FTX.US at the same time, despite these two entities being completely independent, became a hot topic of discussion raising speculations about it being an inside job

Certik’s director of security operations, Hugh Brooks, told Cointelegraph that on-chain evidence points strongly toward that possibility:

“Sticking to onchain evidence, unless there was a private key compromise (of which there is no evidence of at current), then we can’t rule out that someone with access to the FTX exchange and FTX US wallets moved the funds into the black hat wallets”

Kraken’s chief security officer Nick Percoco later tweeted that they were aware of the user’s identity but did not share any more information publicly. Certik told Cointelegraph that Percoco might be referring to the white hack involved in moving the funds to cold wallets.