On-chain sleuth ZachXBT has shared his findings on what he sees as the three most common misconceptions about the FTX hack — taking to Twitter to correct a “ton of misinformation” about the event and the possible culprits.
In a lengthy Nov. 20 post on Twitter, the self-proclaimed “on-chain sleuth” debunked speculation that Bahamian officials were behind the FTX hack, that exchanges knew the hacker’s true identity, and that the culprit is trading memecoins.
On the same day that FTX filed for bankruptcy on Nov. 11, the crypto community began flagging suspicious transactions on wallets associated with FTX, with more than $650 million transferred off the wallet.
While there was no official culprit has been identified, a Nov. 17 statement from the Securities Commission of the Bahamas (SCB) that stated it had ordered the transfer of all digital assets of FTX to a digital wallet owned by the commission around that time prompted some to believe the SCB was behind the supposed “hack.”
However, ZachXBT argued that the 0x59 wallet address associated with the hacker was a blackhat address and not affiliated with either the FTX team or the SCB because it “began selling tokens for ETH, DAI, and BNB and using a variety of bridges so crypto couldn't be frozen on 11/12.”
“The fact 0x59 was dumping tokens and bridging sporadically was very different behavior from the other addresses who withdrew from FTX and instead sent to a multisig on chains like Eth or Tron,” he added.
Zach also notes that the blackhat wallet also had contact with another wallet, 0x24, which he suggests “has very [suspicious] behavior on-chain using sketchy services:”
“This behavior completely differs what was said about the Debtors moving assets to cold storage or Bahamian government moving assets to Fireblocks.”
ZachXBT says his final clue was the wallet address selling Ether (ETH) for ren Bitcoin (renBTC) and then using RenBridge, which he says will most likely end with the funds being sent to “a mixer at some point in the future.”
Blockchain analytics firm Chainalysis came to a similar conclusion in a Nov. 20 post, noting that:
“Reports that the funds stolen from FTX were actually sent to the Securities Commission of The Bahamas are incorrect. Some funds were stolen, and other funds were sent to the regulators.”
FTX has also commented on the recent fund movements, posting a warning to exchanges “that certain funds transferred from FTX Global and related debtors without authorization on 11/11/22 are being transferred to them through intermediate wallets.”
ZachXBT also highlighted the potential misinformation surrounding the claim the hacker’s identity had been discovered by “Kraken or other exchanges.”
The rumor had been circulating since Kraken’s chief security officer claimed in a Nov.12 post that, “We know the identity of the user.”
Zach says “In reality,” the user identified as the hacker was likely just the FTX group securing assets to a multi-signature wallet on Tron, using Kraken due to the FTX hot wallet being out of gas for transactions, stating:
“The withdrawals to these multisigs also matched what Ryne Miller (FTX GC) had said at the time. This took place hours after the initial 0x59 withdrawals.”
Related: FTX funds on the move as thief converts thousands of ETH into Bitcoin
As his last point, ZachXBT took aim at the rumor that the FTX hacker is trading memecoins, which was first noted by blockchain analytics firm CertiK.
Instead, the blockchain detective claims the transfers have been "spoofed" on the Ethereum network, citing a March blog by Etherscan community member Harith Kamarul, explaining how transactions can be faked.