
Elliptic Finds Link Between Russia and Laundering of FTX Assets
Experts at Elliptic have concluded that a broker or other intermediary linked to Russia very likely participated in laundering part of the funds stolen from FTX in November 2022.
The hacker began unauthorized withdrawals on the day of the exchange’s bankruptcy filing. Within a few hours he drained $477 million from the platform’s wallets in various cryptocurrencies.
Of the stolen assets, $434 million comprised stablecoins and other tokens whose issuers could freeze funds upon request. This partially happened, for example, with $31.5 million in USDT.
To avoid further blocks, the hacker began moving the crypto to the Ethereum chain. He used decentralized exchanges for the conversions, including Uniswap and PancakeSwap, and employed cross-chain bridges Multichain and Wormhole.
Just three days after the hack, the attacker’s Ethereum account held 245,000 ETH (~$306 million at the time of writing). Elliptic experts noted that by then his haul had “shrunk considerably” due to seizures and the costs of urgent swaps.
On November 20, 65,000 ETH were transferred to the Bitcoin blockchain via the cross-chain protocol RenBridge, owned by Alameda Research — an FTX subsidiary.
Of the 4,536 BTC obtained after the conversions, the hacker sent 2,849 BTC to mixing services, predominantly ChipMixer. Analysts determined that assets worth about $4 million were laundered through exchanges via this route.
“Significant sums of stolen assets that can be traced using ChipMixer are combined with funds of Russia-linked criminal groups, including those involved in extortion and dark-net markets, and then sent to exchanges. This points to the involvement of a broker or another intermediary with ties to the Russian Federation,” noted Elliptic experts.
The remaining 180,000 ETH in the hacker’s wallet lay dormant for the next nine months. On September 30, 2023, the hacker resumed money-laundering operations.
However, RenBridge ceased operations soon after the FTX collapse. In March 2023, US and German authorities and several European countries shut down the ChipMixer infrastructure and seized funds on the platform.
Therefore the hacker continued the scheme using the THORChain cross-chain bridge and the Sinbad mixing service.
The latter is often associated with the Lazarus Group, which is accused of a number of major crypto hacks. This sparked speculation that the group was behind the theft from FTX. Yet Elliptic analysts noted that North Korean hackers employ more sophisticated and complex methods of money laundering than the exchange hacker.
As noted by Elliptic, the volume of illicit crypto assets laundered via cross-chain operations reached a record $7 billion for the year.