Inside the FTX Wallet Breach: How Million Vanished Within Hours of Bankruptcy

The cryptocurrency world was already reeling from the collapse of FTX when an even more shocking development unfolded. Just hours after the exchange filed for Chapter 11 bankruptcy protection on November 11, 2022, an estimated $477 million in cryptoassets was drained from FTX wallets through a series of unauthorized transactions. The breach sent shockwaves through an already fragile market, with Bitcoin trading near $16,799 and Ethereum at approximately $1,255 as the full scale of the disaster became clear.

The Exploit Mechanics

The attack began at approximately 9:22 PM on November 11, 2022, when 9,500 ETH — then worth roughly $15.5 million — was moved from an FTX-controlled wallet to a newly created address. Over the next several hours, hundreds of additional cryptoasset transfers followed, eventually totaling $477 million in stolen funds. Blockchain analytics firm Elliptic confirmed that $663 million was drained in total from FTX wallets, with approximately $186 million believed to have been moved to secure storage by FTX staff and bankruptcy advisors.

The attacker demonstrated sophisticated knowledge of on-chain asset management. Recognizing that many stolen tokens, particularly stablecoins like USDT, could be frozen by their issuers, the thief immediately began swapping stolen assets for native cryptocurrencies like Ether through decentralized exchanges including Uniswap and PancakeSwap. This is a well-known anti-seizure tactic that converts traceable, freezeable tokens into native blockchain assets that no central authority can freeze.

Tether moved swiftly to freeze approximately $31.5 million in stolen USDT, and by the time the dust settled, roughly $100 million in USDT and Paxos Gold (PAXG) tokens had been frozen by their respective issuers. However, the majority of the stolen assets had already been converted to ETH before these freezes could take effect.

Affected Systems

The breach affected FTX hot wallets across multiple blockchains, including Ethereum, Binance Smart Chain, and Solana. The attacker consolidated stolen assets from these different chains using cross-chain bridges such as Multichain and Wormhole, eventually accumulating approximately 245,000 ETH in a single Ethereum wallet within three days of the initial attack.

The compromised systems included FTX's primary trading infrastructure, which was already in a state of chaos following the bankruptcy filing. General Counsel Ryne Miller acknowledged abnormal wallet movements and announced that the company was moving remaining assets to a new cold wallet custodian. CEO John Ray, who had just been appointed as chief restructuring officer, stated that the company was coordinating with law enforcement and relevant regulators.

The timing of the breach — occurring during the administrative chaos of a bankruptcy filing — raised serious questions about internal security controls and access management during periods of organizational upheaval.

The Mitigation Strategy

In response to the breach, FTX leadership implemented emergency measures. Trading and withdrawal functionality were removed entirely, and all identifiable digital assets were transferred to cold wallet storage. The company engaged law enforcement agencies and blockchain analytics firms to trace the stolen funds.

However, the mitigation efforts were complicated by the complex legal situation. The Securities Commission of the Bahamas later claimed it had directed the transfer of FTX Digital Markets assets to a wallet controlled by the Commission for safekeeping. FTX lawyers filed an emergency court motion suggesting that Bahamian regulators had directed Sam Bankman-Fried to gain unauthorized access to FTX systems to transfer assets to Bahamian government custody.

Lessons Learned

The FTX hack underscores several critical security lessons for the cryptocurrency industry. First, exchange hot wallets represent a significant single point of failure, particularly during organizational crises when access controls may be in flux. Second, the speed at which stolen tokens were converted to native assets via DEXs highlights the limitations of issuer-based token freezing as a security mechanism. Third, the involvement of multiple jurisdictions — US bankruptcy proceedings, Bahamian regulators, and anonymous hackers — created a confusing chain of custody that complicated recovery efforts.
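The first lesson can be turned into a monitoring rule. The sketch below is an added example, not part of the original article or any FTX tooling: it flags a large hot-wallet outflow to a never-before-seen address and a burst of non-approved outflows inside a time window. The wallet labels, allowlist, thresholds and sample transfers are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical labels; a real deployment would load its own address lists.
MONITORED = {"0xHOT1", "0xHOT2"}   # exchange-controlled hot wallets
ALLOWLIST = {"0xCOLD1"}            # pre-approved destinations (e.g. cold storage)

@dataclass
class Transfer:
    ts: datetime
    src: str
    dst: str
    asset: str
    usd: float

def detect(transfers, single_usd=1_000_000, window=timedelta(hours=1), burst_count=3):
    """Return (rule, timestamp, usd) alerts for suspicious hot-wallet outflows."""
    alerts, seen_dst, recent, burst_active = [], set(ALLOWLIST), [], False
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.src not in MONITORED or t.dst in ALLOWLIST:
            continue  # ignore deposits and transfers to approved destinations
        # Rule 1: large transfer to a destination never seen before.
        if t.dst not in seen_dst and t.usd >= single_usd:
            alerts.append(("NEW_DEST_LARGE", t.ts, t.usd))
        seen_dst.add(t.dst)
        # Rule 2: many non-approved outflows inside a sliding time window.
        recent = [r for r in recent if t.ts - r.ts <= window] + [t]
        if len(recent) >= burst_count:
            if not burst_active:  # alert once per burst, not once per transfer
                alerts.append(("BURST", t.ts, sum(r.usd for r in recent)))
            burst_active = True
        else:
            burst_active = False
    return alerts

# Constructed sample data, loosely following the article's timeline.
T0 = datetime(2022, 11, 11, 20, 0)
SAMPLE = [
    Transfer(T0, "0xHOT1", "0xCOLD1", "ETH", 2_000_000),  # routine sweep
    Transfer(T0 + timedelta(minutes=82), "0xHOT1", "0xNEW1", "ETH", 15_500_000),
    Transfer(T0 + timedelta(minutes=90), "0xUSER", "0xHOT1", "ETH", 50_000),  # deposit
    Transfer(T0 + timedelta(minutes=90), "0xHOT2", "0xNEW1", "USDT", 400_000),
    Transfer(T0 + timedelta(minutes=101), "0xHOT1", "0xNEW2", "PAXG", 300_000),
    Transfer(T0 + timedelta(minutes=110), "0xHOT2", "0xNEW1", "USDT", 250_000),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

On the sample, the first rule fires on the 21:22 transfer and the burst rule fires once, on the third non-approved outflow.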

User Action Required

For users affected by the FTX collapse, the breach reinforces the fundamental importance of self-custody. Funds held on centralized exchanges are only as secure as the exchange's operational security and governance. Users should maintain personal cold storage wallets, use hardware wallets for significant holdings, and never keep more funds on an exchange than necessary for active trading. The phrase “not your keys, not your coins” was never more relevant than on November 12, 2022, when nearly half a billion dollars demonstrated exactly why self-custody matters.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.

9 thoughts on “Inside the FTX Wallet Breach: How Million Vanished Within Hours of Bankruptcy”

  1. the fact that the first 9500 ETH moved at 9:22 PM and nobody at FTX noticed for hours tells you how broken internal controls were. chapter 11 filing and nobody watching the wallets

  2. rekt_historian_

    477 million gone in hours and SBF was playing video games while it happened. wild how fast the house of cards fell.

    1. SBF was literally playing league of legends while 477M drained from wallets. you cannot script this kind of negligence

      1. the CEO was grinding ranked while $477M drained from cold wallets. you could write the entire FTX story as a dark comedy and it still wouldn't be believable

  3. the Elliptic breakdown of the $663M vs $477M split was one of the best on-chain forensic pieces of that cycle. the remaining $186M to secure storage was FTX advisors trying to salvage something

    1. the attacker converting ETH to renBTC then bridging to Bitcoin was a smooth op. whoever ran that knew exactly how to dodge freezes

      1. bridge_analyst_

        converting to renBTC was smart because BTC chain analytics are way harder to trace than ETH. the cross-chain hop bought months of obscurity

      2. converting to renBTC and bridging to BTC mainnet was a genius move by the attacker. once it hit bitcoin the trail got way harder to follow

  4. 9,500 ETH moved at 9:22 PM to a fresh address and nobody noticed for hours. that tells you everything about exchange oversight in 2022.
