A bombshell court filing from the bankruptcy proceedings of collapsed cryptocurrency exchange FTX has revealed that the company stored private keys to customer wallets on Amazon Web Services, exposing fundamental security failures that contributed to one of the largest financial collapses in crypto history.
The Threat Landscape
The findings, published on April 9, 2023, in the first interim report by FTX’s current CEO John J. Ray III, paint a devastating picture of operational negligence. FTX Group, which collapsed in November 2022 within a span of just 10 days, failed to implement even the most basic security protocols for safeguarding customer assets. With Bitcoin trading near $29,650 and Ethereum at approximately $1,911, the total value of assets under FTX’s custodial care represented billions of dollars in customer funds.
Private keys are the cryptographic passwords that grant access to cryptocurrency holdings and authorize transactions. Storing these keys on a third-party cloud platform like AWS dramatically increases the risk of unauthorized access, as any compromise of AWS credentials could potentially expose the entire pool of customer funds to theft.
Core Principles
The fundamental principle of cryptocurrency custody is straightforward: whoever controls the private keys controls the funds. Industry best practices dictate that exchanges should store the vast majority of customer funds in air-gapped cold storage — physical devices completely disconnected from the internet. Hot wallet funds, which are kept online for daily operational needs, should be limited to a small fraction of total holdings and protected by multi-signature authorization schemes.
FTX violated virtually every one of these principles. The court documents revealed that the exchange’s control processes were so deficient that executives made misleading statements about the extent of their cold storage implementation when questioned by partners and regulators. The report highlighted systemic failures across finance accounting, management, governance, and information security.
Tooling and Setup
Proper exchange security requires a layered approach. Hardware Security Modules should be used for key generation and signing operations. Multi-signature wallets should require authorization from multiple key holders before any large transfer can be executed. Cold storage systems should be physically secured in multiple geographic locations with strict access controls. Regular security audits by independent third parties should verify that all systems meet established standards.
Amazon Web Services, while offering enterprise-grade security tools, was never designed to be the primary custodian of cryptocurrency private keys. Even with AWS’s own security features like Key Management Service and CloudHSM, the fundamental risk of internet-connected key storage remains significantly higher than properly implemented cold storage solutions.
Ongoing Vigilance
The FTX revelations come at a time when the cryptocurrency industry is already under intense regulatory scrutiny worldwide. The filing underscores the urgent need for standardized security requirements for cryptocurrency exchanges, similar to the banking sector’s regulatory frameworks for asset custody. With several major exchange failures now on record, including Mt. Gox, QuadrigaCX, and now FTX, the pattern of inadequate security practices leading to catastrophic losses has become impossible to ignore.
For individual cryptocurrency users, the lesson from FTX is clear and consistent with long-standing crypto wisdom: not your keys, not your coins. While exchanges provide necessary liquidity and trading services, users should minimize the amount of cryptocurrency they keep on any single platform and maintain personal custody of their long-term holdings through hardware wallets or other cold storage solutions.
Final Takeaway
The FTX court filing reveals not just a single security failure but a comprehensive breakdown of every safeguard that should protect customer funds in a custodial financial institution. The fact that FTX executives were aware of proper security practices — and actively misrepresented their implementation — makes the situation even more damning. As the bankruptcy proceedings continue and more details emerge, the cryptocurrency industry must use this case as a catalyst for establishing and enforcing meaningful security standards that protect users and maintain trust in digital asset markets.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
private keys on AWS. PRIVATE KEYS. ON AWS. john ray must have had a stroke reading through this. billions in customer funds protected by what, an IAM role?
to be fair a lot of smaller exchanges do this too, they just dont have $8bn of customer deposits riding on it. ftx made it catastrophic through sheer scale
mishap_proof smaller exchanges doing the same thing is not the flex you think lol. just means the explosion is smaller when they inevitably get got
an IAM role and apparently a shared google doc for internal accounting. the whole thing reads like a parody of a crypto exchange
shared google doc for accounting and IAM role for billions in keys. every sentence in that John Ray report was more insane than the last
zero audits. not one. billions in customer deposits and nobody thought maybe get a security review. the VCs who backed this should be named and shamed
deadfeed ZERO audits for billions in deposits. any normal fintech gets penetration tested quarterly. crypto exchanges were just out here vibing
the real scandal is how long this went unnoticed. sbf was out here doing podcast tours while the keys to billions sat in a cloud console. no HSM, no multisig, nothing
doing podcast tours while your exchange has zero security audits and keys on AWS. peak crypto grifter energy
and the VC diligence on FTX was apparently just a dinner with SBF. sequoia put $200M into a company storing keys on AWS with no audits
an IAM role and a shared google doc for accounting. this is how a college group project runs not an $8B exchange. every paragraph of that John Ray report was worse than the last