Are you curious how the FTX Accounts Drainer (aka the “hacker”) drained funds but need help navigating Etherscan? In today’s feature, you will learn the transactions’ ins and outs, and Etherscan links will be provided for your hands-on practice.
1. All hacked funds (mostly altcoins) were consolidated into one address: 0x59abf3837fa962d6853b4cc0a19513aa031fd32b. This address is now tagged as the “FTX Accounts Drainer”.
https://etherscan.io/address/0x59abf3837fa962d6853b4cc0a19513aa031fd32b
Transaction records:
https://etherscan.io/tokentxns?a=0x59abf3837fa962d6853b4cc0a19513aa031fd32b&p=16
https://etherscan.io/tokentxns?a=0x59abf3837fa962d6853b4cc0a19513aa031fd32b&p=17
Below is what we call a spoofed token on the Ethereum network; simply ignore all these transactions. The FTX Accounts Drainer himself did not create the ‘spoofing’ token smart contract, nor did he make the following transactions. The transfer functions of such a smart contract can be modified to allow any arbitrary address to appear as the token's sender, making the transactions seem legitimate.
Fake transaction records:
2. The FTX Accounts Drainer started to swap all the hacked altcoins into ETH. Take the Uniswap (UNI) transaction as an example: a total of 8003 + 2104 + 5475 = 15,582 ETH was swapped from UNI using CoW Protocol and Uniswap.
https://etherscan.io/tx/0xc5475d0026b74e567ba9fe6b2301e8c8760bcc27670a3fe3e5c984fb3568d153
Other altcoin transactions:
3. Regarding the Paxos Gold (PAXG) transactions, it seems Uniswap only allows swapping a maximum of 1,000 PAXG per transaction. PAXG transfers come with 0.2% on-chain transaction fees; that’s why a 0.2 PAXG transaction follows each swap.
After swapping a large portion of PAXG, FTX Accounts Drainer’s wallet was finally frozen and unable to swap anymore. There is still $14.25M worth of PAXG left in the wallet.
4. Two days later, FTX Accounts Drainer began to move all the hacked funds into this wallet.
5. After sitting still for a few days, the funds started moving out to 2 wallets on 20th November.
0x866EeEcd1F248d1a0a2e0263F13594a6B8B7c01A - 50,000 ETH (now left with 9.72 ETH)
https://etherscan.io/address/0x866eeecd1f248d1a0a2e0263f13594a6b8b7c01a
0x8059c2B8fF915eC4B615c95e719861f269d68aDa - 15,000 ETH (now left with 0.95 ETH)
https://etherscan.io/address/0x8059c2b8ff915ec4b615c95e719861f269d68ada
All the ETH was swapped for renBTC, one of the ERC-20 bitcoins that live on the Ethereum blockchain. Coincidentally, renBTC was somehow linked to the now-bankrupt Alameda Research. The hacked funds were bridged to the Bitcoin mainnet.
ETH:
https://etherscan.io/tx/0xfcad8bcf21dbf045919655b0fbfdf2fe383d1c3360368c19f575505f5718473a
BTC:
https://www.blockchain.com/btc/address/bc1qaq09p8qy97pf9rhnwtxvj7htqhmyejvv6n0702?page=4
The large sum of bitcoin was split into multiple addresses using a money laundering technique known as “peel chain”.
https://www.blockchain.com/btc/address/bc1qaq09p8qy97pf9rhnwtxvj7htqhmyejvv6n0702?page=2
Illustration of peel chain
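To make the peel chain pattern concrete, here is an added example (not part of the original article) of how an investigator can follow one programmatically: at each hop a small amount is "peeled" off to one address while the bulk moves on to a fresh change address. The transactions, address labels, the helper names and the 80% change threshold are all constructed assumptions, and fees are ignored.

```python
from collections import namedtuple

COIN = 100_000_000  # satoshis per BTC

# Constructed sample data (not real transactions):
# (txid, input addresses, [(output address, satoshis)])
SAMPLE_TXS = [
    ("tx1", ["A0"], [("P1", 50 * COIN), ("A1", 950 * COIN)]),
    ("tx2", ["A1"], [("P2", 50 * COIN), ("A2", 900 * COIN)]),
    ("tx3", ["A2"], [("A3", 850 * COIN), ("P3", 50 * COIN)]),
    ("tx4", ["A3"], [("B1", 425 * COIN), ("B2", 425 * COIN)]),  # even split: not a peel
    ("tx9", ["X1", "X2"], [("X3", 3 * COIN)]),                  # unrelated consolidation
]

Hop = namedtuple("Hop", "txid peel_addr peel_sats change_addr change_sats")

def follow_peel_chain(txs, start_addr, min_change_pct=80):
    """Walk forward from start_addr while each spend looks like a peel:
    one input address, two outputs, and the larger output carrying at
    least min_change_pct of the value on to the next address."""
    # Assumption: each address spends only once (fresh change addresses).
    spend_by = {tx[1][0]: tx for tx in txs if len(tx[1]) == 1}
    hops, cur, seen = [], start_addr, set()
    while cur in spend_by and cur not in seen:
        seen.add(cur)
        txid, _, outputs = spend_by[cur]
        if len(outputs) != 2:
            break
        # Smaller output is the peel, larger output is the change.
        (peel_addr, peel), (change_addr, change) = sorted(outputs, key=lambda o: o[1])
        if change * 100 < min_change_pct * (peel + change):
            break  # value is being split, not peeled
        hops.append(Hop(txid, peel_addr, peel, change_addr, change))
        cur = change_addr
    return hops

def summarize(hops):
    """Return the addresses an investigator would follow up on."""
    return {
        "hops": len(hops),
        "peel_addrs": [h.peel_addr for h in hops],
        "peeled_sats": sum(h.peel_sats for h in hops),
        "remaining_addr": hops[-1].change_addr if hops else None,
    }

if __name__ == "__main__":
    print(summarize(follow_peel_chain(SAMPLE_TXS, "A0")))
```

The peel addresses are where funds leave the chain (often toward exchanges or mixers), so they are the ones worth checking against known service tags.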
Last but not least, FTX Accounts Drainer distributed the funds into 12 different addresses with 15,000 ETH each, a total of 180,000 ETH (~$196M).
A Nansen Portfolio of these wallets is created for your perusal: https://portfolio.nansen.ai/dashboard/APE-K8TA65
ETH’s price has continued falling since the first sale on 20th November. The 180,000 ETH is like a ticking time bomb haunting all crypto investors, but sadly, there isn’t anything we can do now to stop this madness.