ZachXBT, the on-chain investigator, shared his findings on what he sees as the three most common misconceptions about the FTX hack, taking to Twitter to correct “a lot of misinformation” about the event and its potential perpetrators.
In a lengthy November 20 Twitter post, the alleged “on-chain spy” debunked speculation that Bahamian officials were behind the FTX hack, that exchanges knew the hacker’s true identity, and that the perpetrator traded in memecoins.
On November 11, the same day that FTX filed for bankruptcy, the crypto community began reporting suspicious transactions on wallets linked to FTX, with more than $650 million transferred out of those wallets.
Although there was no official culprit, a November 17 statement from the Securities Commission of the Bahamas (SCB) stated that it had ordered the transfer of all FTX digital assets to a digital wallet owned by the commission around that time. Some believe the SCB was behind the supposed “hack”.
However, ZachXBT argued that the 0x59 wallet address linked to the hacker was a black hat address and not affiliated with the FTX team or the SCB, because it “began selling ETH, DAI, BNB tokens and using a variety of bridges so cryptocurrencies can’t be frozen on 11/12.”
“The fact that 0x59 sporadically dumped tokens and pegged was a completely different behavior than other addresses that pulled out of FTX and instead multisig on chains like Eth or Tron,” he added.
Zach also notes that the black hat wallet has been in contact with another wallet, 0x24, which he suggests “has very [suspicious] on-chain behavior with inaccurate services”:
“This behavior is very different from what has been said about debtors moving assets into cold storage or the Bahamas government moving assets into Fireblocks.”
ZachXBT says his last key point was the wallet address selling ether for Ren Bitcoin (renBTC) and then using RenBridge, which he says will likely end with the funds being sent to a “mixer sometime in the future.”
Blockchain analytics firm Chainalysis came to a similar conclusion in a November 20 post, stating:
“Reports that the money stolen from FTX was actually sent to the Bahamas Securities Commission are incorrect. Some of the money was stolen, and other money was sent to the regulators.”
FTX also commented on the recent fund movements, posting a warning to the exchanges that “certain funds transferred from FTX Global and associated debtors without permission on 11/11/22 are being transferred to them through intermediary wallets.”
ZachXBT also highlighted potential misinformation surrounding the claim that the hacker’s identity was discovered by “Kraken or other exchanges.”
The rumor has been circulating ever since Kraken’s chief security officer claimed in a November 12 post, “We know the user’s identity.”
“Actually,” says Zach, the user identified as the hacker is likely just an FTX group locking assets in a multisig wallet on Tron, using Kraken because the FTX hot wallet ran out of gas for transactions. As he states:
“The withdrawals to these multiple lots also match what Ryne Miller (FTX GC) said at the time. This happened hours after the initial 0x59 withdrawals.”
As a final point, ZachXBT took aim at the rumor that the FTX hacker was trading in memecoins, which was first noticed by blockchain analytics firm CertiK.
Instead, the blockchain investigator claims that the transfers were “spoofed” on the Ethereum network, citing a March blog post by Etherscan community member Harith Kamarul that explains how transactions can be forged.