blockchain analysis

FTX hires forensics team to find customers’ missing billions: Report

Lawyers have claimed FTX assets are either stolen or missing and now a team of financial forensic experts is attempting to trace the money trail.

The new management for bankrupt crypto exchange FTX has reportedly hired a team of financial forensic investigators to track down the billions of dollars worth of missing customer crypto.

Financial advisory company AlixPartners was chosen for the task and is led by former Securities and Exchange Commission (SEC) chief accountant Matt Jacques, according to a Dec. 7 report from the Wall Street Journal.

It is understood that the forensics firm will be tasked with conducting “asset-tracing” to identify and recover the missing digital assets and will complement the restructuring work being undertaken by FTX.

On Nov. 11, hackers drained wallets owned by FTX and FTX.US of over $450 million worth of assets.

Former CEO Sam Bankman-Fried claimed in an interview recorded on Nov. 16 with crypto blogger Tiffany Fong that he was close to finding who the hacker was and that he had “narrowed it down to eight people,” believing it was “either an ex-employee or somewhere someone installed malware on an ex-employee’s computer.”

On Nov. 22, a lawyer representing FTX debtors stated that “a substantial amount of assets have either been stolen or are missing” from FTX and revealed at the time that blockchain analytics firms such as Chainalysis had been enlisted to help as part of the proceedings.

The stolen FTX funds have since been moved through various crypto mixers and exchanges in an attempt to launder them.

The hacker transferred their Ether (ETH) holdings on Nov. 20 to a new wallet address, swapped some of the ETH for an ERC-20 version of Bitcoin (BTC), and then bridged the funds to the Bitcoin network.

They then used a laundering technique called peel chaining, which subdivides the holdings into progressively smaller amounts across multiple wallets, and sent the BTC through a crypto mixer and then to the OKX exchange on Nov. 29.

The hacker also attempted more peel chaining by splitting 180,000 ETH across 12 newly created wallets on Nov. 21.
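The peel-chain pattern described above (one large "continuation" output to a fresh wallet plus a small "peel" output to an exchange deposit or mixer at every hop) is what analytics firms look for when tracing funds. The following is an added example of a minimal detector over a constructed transfer list; it is not code from the article, from FTX, or from any analytics vendor, and the transaction ids, wallet labels and amounts are invented for illustration.

```python
from collections import defaultdict

# Constructed sample transfers (NOT real on-chain data): (tx_id, sender, receiver, amount).
# W0..W4 model a peel chain; X_* addresses stand in for exchange deposit / mixer addresses.
TRANSFERS = [
    ("t1", "W0", "W1", 95.0), ("t1", "W0", "X_ex1", 5.0),
    ("t2", "W1", "W2", 90.0), ("t2", "W1", "X_ex2", 5.0),
    ("t3", "W2", "W3", 85.5), ("t3", "W2", "X_mixer", 4.5),
    ("t4", "W3", "W4", 80.0), ("t4", "W3", "X_ex1", 5.5),
    ("t5", "A", "B", 10.0),  # an unrelated ordinary payment, should not match
]


def group_by_tx(transfers):
    """Map each tx id to its list of (sender, receiver, amount) outputs."""
    txs = defaultdict(list)
    for tx_id, sender, receiver, amount in transfers:
        txs[tx_id].append((sender, receiver, amount))
    return txs


def peel_step(outputs, min_share=0.8):
    """If a tx has exactly two outputs and the larger one carries at least
    `min_share` of the value, treat it as a peel hop and return
    (continuation_receiver, peel_receiver, peel_amount); otherwise None."""
    if len(outputs) != 2:
        return None
    total = sum(amount for _, _, amount in outputs)
    big, small = sorted(outputs, key=lambda o: o[2], reverse=True)
    if big[2] / total < min_share:
        return None
    return big[1], small[1], small[2]


def find_peel_chains(transfers, start, min_hops=3, min_share=0.8):
    """Follow the continuation output from `start` hop by hop while each hop
    looks like a peel; return the hops if the chain is at least `min_hops` long."""
    txs = group_by_tx(transfers)
    spends = defaultdict(list)  # sender address -> tx ids it spent in
    for tx_id, outputs in txs.items():
        spends[outputs[0][0]].append(tx_id)

    chain, current, visited = [], start, set()
    while current not in visited:
        visited.add(current)
        candidates = spends.get(current, [])
        if len(candidates) != 1:  # a peel hop continues from a single spend
            break
        step = peel_step(txs[candidates[0]], min_share)
        if step is None:
            break
        continuation, peel_to, peel_amount = step
        chain.append({"tx": candidates[0], "from": current, "to": continuation,
                      "peel_to": peel_to, "peel_amount": peel_amount})
        current = continuation
    return chain if len(chain) >= min_hops else []


def peel_destinations(chain):
    """Aggregate peeled value per destination: these are the addresses an
    investigator would ask exchanges to attribute or freeze."""
    totals = defaultdict(float)
    for hop in chain:
        totals[hop["peel_to"]] += hop["peel_amount"]
    return dict(totals)


if __name__ == "__main__":
    chain = find_peel_chains(TRANSFERS, "W0")
    for hop in chain:
        print(hop)
    print("peeled totals:", peel_destinations(chain))
```

Real tracing adds heuristics this toy omits (change-address detection on UTXO chains, clustering of the continuation wallets, and labelled exchange deposit addresses), but the core signal is the same: a long run of two-output transactions whose small outputs land at cash-out points.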


Former CEO Sam Bankman-Fried has also previously claimed to have “unknowingly commingled” customer funds between FTX and its sister trading firm Alameda Research, with FTX customer funds loaned to Alameda.

FTX’s new CEO and chief restructuring officer, John Ray III, was scathing in his initial bankruptcy filing, saying that “never” in his 40-year career had he “seen such a complete failure of corporate controls.”

He claimed Bankman-Fried and his closest colleagues are “potentially compromised” and used “software to conceal the misuse of customer funds.”

64% of staked ETH controlled by five entities — Nansen

New report by Nansen delves into the distribution of staked ETH, respective holders and possible ramifications as The Merge looms.

A report from blockchain analytics platform Nansen highlights five entities that hold 64% of staked Ether (ETH) ahead of Ethereum’s highly anticipated Merge with the Beacon Chain.

Ethereum’s shift from proof-of-work to proof-of-stake is set to take place in the coming days, after final updates and shadow forks were completed in early September. The key change of The Merge is that miners are no longer used to validate blocks; they are replaced by validators that stake ETH to secure the network.

Nansen’s report highlights that just over 11% of the total circulating ETH is staked, with 65% liquid and 35% illiquid. There are a total of 426,000 validators and some 80,000 depositors, while the report also highlights a small group of entities that command a significant portion of staked ETH.

Three major cryptocurrency exchanges account for nearly 30% of staked ETH, namely Coinbase, Kraken and Binance. Lido DAO, the biggest Merge staking provider, accounts for the largest amount of staked ETH with a 31% share, while a fifth unlabelled group of validators holds 23% of staked ETH.

Lido and other decentralized on-chain liquid staking protocols were initially set up as a counterweight to the risk of centralized exchanges accumulating the majority of staked ETH, given that these firms are required to comply with jurisdictional regulations.


Nansen’s report stresses the need for Lido to be sufficiently decentralized to remain resistant to censorship. On-chain data shows that ownership of Lido’s governance token (LDO) is concentrated, with groups of large tokenholders potentially carrying censorship risk.

“For example, the top 9 addresses (excl. treasury) hold ~46% of governance power, and a small number of addresses typically dominate proposals. The stakes for proper decentralization are very high for an entity with a potential majority share of staked ETH.”

Nansen also concedes that the Lido community is actively seeking solutions to the potential risk of over-centralization, with proposed initiatives including dual governance as well as a legally and physically distributed validator set.

Given the ongoing slump in cryptocurrency markets, the majority of staked ETH is currently out of profit – down by ~71%. Meanwhile, 18% of all staked ETH is held by illiquid stakers that are in profit.

Nansen suggests that this category of stakers is the most likely to sell their ETH once withdrawals are enabled at the Shanghai upgrade. Fears of a major sell-off at The Merge are unwarranted, though, as ETH withdrawals will only be possible 6 to 12 months after The Merge.

“Even then, not everyone can withdraw their stake at once as there is an exit queue in place for validators similar to the activation queue of around six validators (usually 32 ETH each) per epoch (~6.4 min).”

Nansen notes that if all validators withdrew their staked ETH and stopped being validators, this would take around 300 days with over 13 million ETH staked.
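The “around 300 days” figure follows from the exit queue mechanics quoted above: roughly six validators may exit per 6.4-minute epoch, and 13 million ETH at 32 ETH per validator is about 406,000 validators. The following is an added worked calculation, not from Nansen or the article; it assumes the Beacon Chain churn rule as I know it from the consensus spec (the per-epoch limit is the larger of 4 and the active validator count divided by 65,536), which is why the limit is six at 426,000 validators, and it also shows that the limit shrinks as validators leave, so a literal full drain would take longer than the constant-rate estimate.

```python
import math

# Beacon Chain constants (assumed here from the Ethereum consensus spec)
MIN_PER_EPOCH_CHURN_LIMIT = 4
CHURN_LIMIT_QUOTIENT = 65_536
SLOTS_PER_EPOCH = 32
SECONDS_PER_SLOT = 12
EPOCH_MINUTES = SLOTS_PER_EPOCH * SECONDS_PER_SLOT / 60  # 6.4 minutes
ETH_PER_VALIDATOR = 32
MINUTES_PER_DAY = 24 * 60


def churn_limit(active_validators: int) -> int:
    """Validators allowed to activate or exit per epoch at a given set size."""
    return max(MIN_PER_EPOCH_CHURN_LIMIT, active_validators // CHURN_LIMIT_QUOTIENT)


def validators_for(staked_eth: float) -> int:
    """Number of 32-ETH validators backing a given amount of staked ETH."""
    return int(staked_eth // ETH_PER_VALIDATOR)


def drain_days_constant_churn(staked_eth: float, per_epoch: int) -> float:
    """Days to exit every validator if the churn limit stayed fixed at
    `per_epoch` (the back-of-the-envelope estimate in the report)."""
    epochs = math.ceil(validators_for(staked_eth) / per_epoch)
    return epochs * EPOCH_MINUTES / MINUTES_PER_DAY


def drain_days_simulated(staked_eth: float) -> float:
    """Epoch-by-epoch simulation in which the churn limit is recomputed from
    the shrinking validator set, so the tail of the queue moves more slowly."""
    remaining = validators_for(staked_eth)
    epochs = 0
    while remaining > 0:
        remaining -= min(churn_limit(remaining), remaining)
        epochs += 1
    return epochs * EPOCH_MINUTES / MINUTES_PER_DAY


if __name__ == "__main__":
    print("churn limit at 426,000 validators:", churn_limit(426_000))
    print("constant-churn drain (days): %.0f" % drain_days_constant_churn(13_000_000, 6))
    print("simulated drain (days):      %.0f" % drain_days_simulated(13_000_000))
```

With the constant six-per-epoch rate the result is about 301 days, matching the report; letting the limit fall to five and then four as the set shrinks stretches the full drain to roughly 432 days. Either way the point stands: the protocol cannot release all staked ETH at once.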

The blockchain and analytics platform announced the launch of a new research and education arm alongside its Merge report, aimed at marrying its on-chain data analytics with masterclasses and research papers. Nansen Research Portal will also publish industry-expert research reports from various partners in the blockchain and cryptocurrency industry.

Curve Finance exploit: Experts dissect what went wrong

Attackers who hijacked Curve Finance’s landing page moved quickly to convert stolen funds to various tokens through different exchanges, wallets and mixers.

Decentralized finance protocols continue to be targeted by hackers, with Curve Finance becoming the latest platform to be compromised after a domain name system (DNS) hijacking incident.

The automated market maker warned users not to use the front end of its website on Tuesday after the incident was flagged online by a number of members of the wider cryptocurrency community.

While the exact attack mechanism is still under investigation, the consensus is that attackers cloned the Curve Finance website and redirected the domain’s DNS to the fake page. Users who attempted to make use of the platform then had their funds drained to a pool operated by the attackers.

Curve Finance managed to remedy the situation in a timely fashion, but attackers still managed to siphon what was originally estimated to be $537,000 worth of USD Coin (USDC) in the time it took to revert the hijacked domain. The platform believes its DNS server provider Iwantmyname was hacked, which allowed the subsequent events to unfold.

Cointelegraph reached out to blockchain analytics firm Elliptic to dissect how attackers managed to dupe unsuspecting Curve users. The team confirmed that a hacker had compromised Curve’s DNS, which led to malicious transactions being signed.
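Because the compromise happened at the DNS provider rather than in Curve’s contracts, the practical defensive check for any front end that asks users to sign transactions is continuous comparison of the domain’s live NS and A records against a known-good baseline. The following is an added example of such a check, not code from Curve, Elliptic or the article; the domain, nameserver names and IP addresses are constructed placeholders, and `observe_a_records` is an optional live lookup using only the standard library.

```python
import socket

# Known-good baseline for the front-end domain (constructed placeholder values).
# NS drift is the tell for a registrar/DNS-provider compromise; A drift for a hijacked zone.
EXPECTED = {
    "example-dapp.invalid": {
        "NS": {"ns1.registrar.invalid", "ns2.registrar.invalid"},
        "A": {"203.0.113.10", "203.0.113.11"},
    }
}

# Constructed observation in which both record sets were swapped for attacker values.
OBSERVED_HIJACKED = {
    "example-dapp.invalid": {
        "NS": {"ns1.registrar.invalid", "ns-evil.attacker.invalid"},
        "A": {"198.51.100.7"},
    }
}


def diff_records(expected, observed):
    """Return one alert string per (domain, record type) whose observed set
    differs from the baseline; an empty list means no drift."""
    alerts = []
    for domain, rrsets in expected.items():
        seen = observed.get(domain, {})
        for rtype, want in rrsets.items():
            got = set(seen.get(rtype, ()))
            added, removed = got - want, want - got
            if added or removed:
                alerts.append(
                    f"{domain} {rtype}: unexpected {sorted(added)}; missing {sorted(removed)}"
                )
    return alerts


def observe_a_records(domain):
    """Live A-record lookup via the system resolver (network access required).
    NS records need a DNS library or `dig`; the stdlib resolver only returns addresses."""
    _, _, addresses = socket.gethostbyname_ex(domain)
    return {domain: {"A": set(addresses)}}


if __name__ == "__main__":
    for alert in diff_records(EXPECTED, OBSERVED_HIJACKED):
        print("ALERT:", alert)
```

Run from a scheduler against several independent resolvers so that a poisoned local cache does not mask a change, and treat any NS drift as an incident until the registrar confirms it was an authorized change.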


Elliptic estimates that 605,000 USDC and 6,500 Dai were stolen before Curve identified and reverted the hijacked DNS entry. Utilizing its blockchain analytics tools, Elliptic then traced the stolen funds to a number of different exchanges, wallets and mixers.

The stolen funds were immediately converted to Ether (ETH) to avoid a potential USDC freeze, amounting to 363 ETH worth $615,000.

Interestingly, 27.7 ETH was laundered through Tornado Cash, which has since been sanctioned by the United States Office of Foreign Assets Control (OFAC). 292 ETH was sent to the FixedFloat exchange and coin swap service, where the platform managed to freeze 112 ETH.

Elliptic is now monitoring these flagged addresses in addition to the original Ethereum-based addresses. A further 23 ETH was moved to an unknown exchange hot wallet.

Elliptic also cautioned the wider ecosystem of further incidents of this nature after identifying a listing on a darknet forum claiming to sell “fake landing pages” for hackers of compromised websites.

It is unclear whether this listing, which was discovered just a day before the Curve Finance DNS hijacking incident, was directly related, but Elliptic noted it highlights the methodologies used in these types of hacks.