The Frantic Night FTX Battled Cryptocurrency Heist and Saved Billions

On the evening of November 11th last year, FTX found itself in the throes of a crisis. Once a prominent cryptocurrency exchange valued at $32 billion merely ten months prior, FTX had declared bankruptcy, thrusting it into a dire financial predicament. Its CEO, Sam Bankman-Fried, had reluctantly handed over control to John Ray III, tasked with navigating the company through a labyrinthine maze of insurmountable debts.

As FTX teetered on the edge of collapse, an unforeseen calamity struck. Unknown individuals, perhaps thieves, seized the opportune moment to exacerbate the chaos. On that fateful Friday evening, exhausted FTX employees observed mysterious cryptocurrency outflows, vividly displayed on the Etherscan platform, which tracks Ethereum blockchain transactions. This real-time theft amounted to hundreds of millions of dollars in crypto vanishing into the ether.

Shock and disbelief gripped the FTX team. “After all this, we’re being hacked?” pondered one former employee, who wished to remain anonymous due to the sensitive nature of internal company matters.

FTX publicly acknowledged losing between $415 million and $432 million in cryptocurrency to these unidentified thieves during its bankruptcy process. However, what remained hidden until now was the perilously close brush with a much greater loss. FTX’s staff and external consultants worked feverishly to move over $1 billion worth of crypto to more secure storage, frantically attempting to shield it from the clutches of the malevolent actors on the network.

At one point, they even scrambled to transfer nearly half a billion dollars onto a physical USB drive, stored in a consultant’s office, in a desperate bid to thwart the thieves.

As the trial of FTX’s fallen founder, Sam Bankman-Fried, entered its second week, the cryptocurrency community eagerly awaited any insight into how the exchange had been so catastrophically plundered shortly after his departure. The question of the culprits, whether insiders or external hackers, loomed large. This enigma remained unsolved, and neither Bankman-Fried nor other top FTX executives faced charges related to the theft.

Now, DB Investing brings to light the harrowing events of FTX’s frantic night, where they fought to contain the damage and avert a potential ten-figure heist. While FTX’s new leadership under CEO John Ray declined to comment on the incident, DB Investing pieced together the hour-by-hour details from an invoice submitted by restructuring firm Alvarez & Marsal, interviews with those involved in the immediate response, and blockchain analysis provided by cryptocurrency tracing firm Elliptic.

The ordeal commenced around 10 pm on November 11 when Zach Dexter, CEO of FTX subsidiary LedgerX, urgently summoned a group comprising over 20 FTX employees, bankruptcy lawyers, advisors, and consultants to a Google Meet. The subject line of the invitation was a terse “urgent.”

By this point, some close to Ray had lost faith in Wang, who initially sided with Bankman-Fried and distanced himself only after persistent internal persuasion.

In the emergency meeting, Wang suggested a solution of changing the secret keys protecting the wallets being emptied—a proposition that appeared futile to many. They realized that the thieves, having breached the network, could easily snatch the new keys and continue their looting. “The fox is in the hen house, and you’re going to change the keys to the hen house?” one participant remembered thinking.

As the Google Meet call commenced, Dexter explored an alternative strategy to safeguard FTX’s assets. The week before the theft, digital asset trust company BitGo had been in discussions with Sullivan & Cromwell, the law firm overseeing FTX’s bankruptcy, to assume custody of the remaining crypto holdings. Dexter urgently contacted BitGo, bypassing the protracted legal process initiated by Sullivan & Cromwell. He asked BitGo to promptly create “cold storage” wallets, which are securely offline, for FTX to transfer its remaining funds into.

BitGo committed to delivering these wallets within roughly thirty minutes. FTX employees feared that even this might be too slow, given the potential for the thieves to abscond with hundreds of millions more in crypto.

Amidst the chaos, someone inquired if anyone possessed a hardware wallet to temporarily store the funds until BitGo’s solution was ready. Kumanan Ramanathan, an advisor to FTX from Alvarez & Marsal, offered his assistance. In his office, he had a Ledger Nano, a USB drive hardware wallet, which he promptly configured as a temporary sanctuary for the vulnerable funds.

Around 10:30 pm ET on November 11, Ramanathan set up a new wallet on his Ledger Nano. Wang initiated the transfer of FTX’s funds to it, resulting in Ramanathan temporarily safeguarding between $400 and $500 million in the company’s crypto assets on a USB drive.

Within minutes, BitGo informed FTX that their cold storage wallets were prepared, prompting the team to shift hundreds of millions more in crypto to BitGo’s secure storage, abandoning Ramanathan’s Ledger device. Throughout that sleepless night, the team scoured various systems to identify FTX’s funds and transferred every coin they could find to BitGo. “They were scrubbing various systems trying to find where various private keys were, where assets were held,” one participant recalled.

While FTX staff concentrated on obtaining approvals for the transfers, Ramanathan was left holding the crypto initially transferred to his Ledger wallet. This peculiar situation placed him in a precarious legal and security position. Ryne Miller, FTX’s general counsel, hastened to Ramanathan’s office to assist in safeguarding the assets.

Ramanathan’s billable hours record reveals that he and Miller spent nearly three and a half hours in his office, from approximately 2 am to 5 am on November 12. At some point, Ramanathan contacted the police to report an ongoing theft and explained that he held a substantial sum of the victim’s money, requesting officers’ presence to protect it. The identity of the thieves remained unknown, and there was concern they might attempt to physically seize the assets Ramanathan held.

Fortunately, no such physical threat materialized. The siphoning of funds from FTX ceased once the assets were moved to Ramanathan’s Ledger wallet. “He took a huge risk using his personal Ledger,” noted the former FTX employee. “He’s a total boss. It’s my strong belief that if we hadn’t pulled this Ledger stunt, we would have lost significantly more money.” The funds in Ramanathan’s office were eventually transferred to BitGo by approximately 5 am on Saturday, November 12, with the company eventually securing $1.1 billion of the remaining FTX funds.

Subsequently, Bankman-Fried and Wang transferred over $400 million to accounts controlled by the Bahamian government for safekeeping, as reported by Forbes and documented in a court filing. At times, the movement of funds to the Bahamas appeared to be conflated with the theft itself. A week after the theft, some media outlets erroneously reported that the Bahamian government had seized the stolen funds.

Contrary to these reports, cryptocurrency tracing firms such as Elliptic and Chainalysis observed portions of the stolen funds being sent to “mixing” services often used to launder stolen crypto funds, behaviors typical of large-scale crypto heists.

In the months following the frantic rescue effort on November 11, FTX’s new management, overseeing the bankruptcy process, publicly pointed to glaring security deficiencies that had enabled the theft. An April report submitted as part of FTX’s bankruptcy proceedings cited examples of these alleged lapses: the absence of an independent chief information security officer or a dedicated security team, the storage of virtually all cryptocurrency in hot wallets, and the inadequately encrypted keys to these wallets, among other issues.

The report also depicted the daunting predicament faced by the new FTX regime on November 11, discovering they had inherited a severely compromised network on their first day in charge. “Due to the FTX Group’s deficient controls to secure crypto assets, the Debtors faced the threat that billions of dollars of additional assets could be lost at any moment,” the report stated, referring to the new FTX administration led by Ray. “As the Debtors worked to identify and access crypto assets with no ‘map’ to guide them, the Debtors had to engineer technological pathways to transfer many types of assets they identified to cold storage.”

Given the apparent security deficiencies and organizational chaos, FTX became the target of one of the most expensive cryptocurrency heists in history. However, had it not been for quick decisions amidst the pandemonium, the outcome could have been far more catastrophic.

“It was a very, very crazy night,” remarked the former FTX employee. “We worked on it, we got it done, and we saved a massive amount of customers’ money.”
