It has been more than a year since the collapse of FTX, the Lehman moment of the cryptocurrency field. What has happened in this year? How far have the development and regulatory compliance of cryptocurrency come? On this equally special day, let's analyze and discuss it together. After the collapse of FTX, a lot of things happened. Some of the events that we consider relatively critical are listed below. If anything is missing, please feel free to add it.
US SEC Commissioner Hester Peirce: The collapse of FTX may eventually become a catalyst for regulation. The collapse of FTX and its subsequent bankruptcy filing have brought a lot of negative attention to the crypto industry. Regulators need to formulate clear regulations and make clear what the norms are. It is proposed that cryptocurrencies and the blockchain technology underlying them can be “integrated into the back-end of the financial system” and that the SEC’s jurisdiction is therefore justified. “If we all work together, the SEC will be a good regulator for the spot cryptocurrency market,” Peirce said.
Federal Reserve Vice Chairman Michael Barr testified before Congress that “recent cryptocurrency events have highlighted the risks to investors and consumers without strong guardrails.” Michael Barr pointed out that the FTX crash that occurred outside the banking system is the focus of its supervision. Recent events remind us that if there are interconnections between crypto systems and traditional financial systems, there may be systemic risks.
U.S. Treasury Secretary Janet Yellen said FTX exposed weaknesses in the crypto industry and the U.S. government has considered regulating the industry under President Biden’s executive order.
More than 130 FTX-related companies have sought court protection without filing any court motions or explanatory documents in a major U.S. bankruptcy case.
Audit firms Armanino and Prager Metis linked to FTX will face scrutiny.
Visa CEO Al Kelly said in an interview with CNBC, “One good thing that I hope the FTX disaster brings to its investors and employees is that we see an acceleration of regulation and a tilt toward good stablecoin regulation. Because I think that's what's needed to rebuild people's confidence. We'll see over time.” The FTX incident will accelerate regulation of the crypto market.
On November 19, 2022, FTX announced that as part of its bankruptcy proceedings, it would initiate a strategic review of its global assets to maximize recoverable value. The FTX debtors have hired Perella Weinberg Partners LP as lead investment banker and begun preparations to sell or reorganize certain businesses.
At least one potential buyer has approached FTX Japan in an attempt to make an acquisition. FTX Japan has 19.6 billion yen ($140 million) in cash and deposits and about 10 billion yen in equity. It holds crypto assets for more than 100,000 clients, but has more assets than liabilities.
On June 28, 2023, FTX began negotiations on a restart plan.
Ryne Miller, general counsel of FTX US, said that FTX US and FTX initiated precautionary measures to move all digital assets to cold wallets. Processes have been expedited to mitigate losses caused by unauthorized transactions.
BlackRock, NYDIG, Nasdaq and other companies may be interested in the FTX 2.0 restart. Alvarez Marsal, an advisory firm to FTX, released a list of interested parties under a Section 363 sale of the U.S. Bankruptcy Code, which allows for the sale of company assets. This list represents entities interested in the FTX 2.0 reboot who have been contacted and signed non-disclosure agreements seeking more details about the FTX reorganization and reboot.
It can be seen that when the U.S. SEC, Treasury, Federal Reserve and other institutions dealt with the impact of the FTX incident, after a short period of chaos and adjustment in the early stage, they quickly moved into an orderly bankruptcy liquidation and the FTX 2.0 restart stage. This reflects that the U.S. already has a high level of management and risk management capabilities in cryptocurrency supervision, as evidenced by the successive disposals of FTX and Binance within 2 years.
ChainAegis data shows that FTX has total liabilities of nearly US$9 billion, cash arrears of more than US$5 billion, and a single claim amount of more than US$11 million. Bankruptcy liquidation and compensation are still in progress and have not yet been completed. From the perspective of on-chain analysis, let us find out how many assets FTX has, how it was disposed of after the US government took over FTX, and how compensation was carried out.
1. On-chain capital flow analysis
On November 19 last year, FTX started asset review and liquidation. In September this year, the bankruptcy reorganization plan was officially launched. Recently, the price of FTX’s native token FTT has grown rapidly, rising from a low of around US$1.8 to US$3.2, an increase of up to 78%.
In recent months, FTX and Alameda-related wallets have frequently carried out large asset transfers, suspected to be for liquidation compensation. The outflow of token assets from FTX/Alameda-related addresses is explained in detail below. At the same time, according to on-chain address tracking, the FTX hackers have also been transferring funds recently. The following sections analyze recent FTX fund flows in detail, covering FTX cold wallets, FTX-related official addresses and the FTX hackers' fund transfers.
1.1 FTX/Alameda address fund flow analysis
The official FTX accounts include hot wallets and cold wallets. Amid the FTX bankruptcy collapse last year, FTX US and FTX initiated preventive measures to move all digital assets to cold wallets to mitigate losses from unauthorized transactions. FTX has multiple cold wallet addresses on multiple chains such as BTC, ETH and Solana. Taking Solana as an example, there are three cold wallet addresses, starting with 6b4aypBh (FTX Cold Storage #1), 9uyDy9VD (FTX Cold Storage #2) and 6wEMcwrc (FTX Cold Storage #3).
6b4aypBh (FTX Cold Storage #1) and 9uyDy9VD (FTX Cold Storage #2) started fund transfers at the end of October. The specific transfers are shown in the figure below. 6b4aypBh transferred out a total of 46,000 SOL, currently equivalent to approximately 3.06 million U.S. dollars. 9uyDy9VD (FTX Cold Storage #2) made 21 outgoing transfers totaling about 7 million SOL, approximately 460 million U.S. dollars. The single transfer amount exceeded 2, million dollars. Both cold wallets continuously transferred funds to three intermediate addresses, starting with 5RAHKkXd, 4Axqyo8x and K1c4Q9cH. Among them, the SOL transferred to 4Axqyo8x accounted for the highest proportion, about 220 million US dollars, followed by the address starting with 5RAHKkXd, which received SOL worth about 200 million US dollars.
According to ChainAegis on-chain data, FTX’s three cold wallets currently hold approximately $40 million in BTC, as well as other tokens such as JSOL, mSOL, RAY, ETH, SHDW, SAMO, WUSDC, SRM, and MNDE, with a total value of approximately $130 million.
Figure: FTX’s cold wallet on Solana recently transferred large amounts out of SOL
The indirect addresses 5RAHKkXd and 4Axqyo8x quickly moved the funds on after receiving SOL from the FTX cold wallets (as shown in the figure below). From late October to today, the intermediate address starting with 5RAHKkXd has dispersed and transferred 3.87 million SOL to 4 new intermediate addresses, starting with 3ADzk5YD, 5sTQ5ih7, 8CAAyVNz and Ca469SFV. Among them, 3ADzk5YD received the largest amount of SOL and the most frequent transfers, receiving a total of 2.45 million SOL. The indirect address 4Axqyo8x transferred all the SOL received from the cold wallet to the new address 3vxheE5C in 7 transfers, averaging 470,000 SOL per transfer, which is much higher than the transfer amounts of other intermediate addresses.
Figure: Indirect address 5RAHKkXd 4Axqyo8x fund transfer (transfer out) tracking
Table: Indirect address 5RAHKkXd 4Axqyo8x fund transfer (transfer out) SOL statistics table
According to the chain-level tracking of addresses on the ChainAegis analysis platform, the funds of the indirect address 5RAHKkXd passed through four intermediate addresses, and most of them were finally transferred out to the Binance, Kraken and Coinbase exchanges. Part of the funds going to the 4Axqyo8x indirect address was transferred to a Solana on-chain stake account, which is a different type of account from one used simply to send and receive tokens, in preparation for later staking SOL on Solana. In addition, a considerable amount of SOL was transferred out to new addresses, which transferred all of the funds back to 4Axqyo8x a few days later. A small amount of funds eventually flowed to the Kraken exchange.
Figure: Where the funds go to the indirect address 5RAHKkXd
Figure: Where the funds go to indirect address 4Axqyo8x
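The round trip described above, where SOL leaves 4Axqyo8x for new addresses and returns a few days later, is the case in which simply summing an address's inflows overstates the traced amount. The following Python is an added example, not ChainAegis or SharkTeam code: it applies pro-rata (haircut) taint tracking to a constructed, time-ordered ledger. The address prefixes follow the article; all amounts and the names `NewAddr1`, `other_wallet`, `stake_account` and `*_deposit` are invented for illustration.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample ledger in time order: (source, destination, SOL).
# Prefixes come from the article; amounts and endpoint names are invented.
TRANSFERS = [
    ("9uyDy9VD", "5RAHKkXd", 3_000_000),
    ("9uyDy9VD", "4Axqyo8x", 3_300_000),
    ("5RAHKkXd", "3ADzk5YD", 2_000_000),
    ("5RAHKkXd", "Ca469SFV", 1_000_000),
    ("other_wallet", "Ca469SFV", 1_000_000),   # unrelated funds mix in
    ("4Axqyo8x", "NewAddr1", 1_000_000),       # parked on a fresh address ...
    ("NewAddr1", "4Axqyo8x", 1_000_000),       # ... and returned later
    ("4Axqyo8x", "3vxheE5C", 3_000_000),
    ("3ADzk5YD", "binance_deposit", 2_000_000),
    ("Ca469SFV", "kraken_deposit", 600_000),
    ("3vxheE5C", "stake_account", 2_500_000),
    ("3vxheE5C", "kraken_deposit", 500_000),
]
LABELS = {"binance_deposit": "Binance", "kraken_deposit": "Kraken",
          "stake_account": "Staking"}


def trace(transfers, origin, labels):
    """Attribute the origin's outflow to labelled endpoints, pro rata.

    The origin is treated as a pure source. Each other address forwards
    taint in proportion to the tainted share of its balance, so a round
    trip moves the same coins back and is not counted twice.
    """
    balance = defaultdict(Fraction)   # coins seen at each address
    tainted = defaultdict(Fraction)   # part of that balance from the origin
    for src, dst, amount in transfers:
        amount = Fraction(amount)
        if amount <= 0:
            continue
        if src == origin:
            moved = amount
        else:
            # A shortfall means funds the ledger never saw arrive: count as clean.
            held = max(balance[src], amount)
            moved = amount * tainted[src] / held
            balance[src] = held - amount
            tainted[src] -= moved
        balance[dst] += amount
        tainted[dst] += moved
    result = defaultdict(Fraction)
    for addr, value in tainted.items():
        if value:
            result[labels.get(addr, "unresolved")] += value
    return dict(result)


if __name__ == "__main__":
    for label, sol in sorted(trace(TRANSFERS, "9uyDy9VD", LABELS).items()):
        print(f"{label:<11}{int(sol):>12,} SOL")
```

Summing inflows into 4Axqyo8x in this ledger gives 4.3 million SOL, while the origin only ever sent it 3.3 million; the per-label totals returned by `trace` add up to exactly the 6.3 million SOL that left the origin.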
In addition to the recent large-scale fund flows from the FTX cold wallets, FTX official accounts and other official addresses of Alameda transferred 45 token assets worth US$450 million to Kraken, Binance and Coinbase between October 24 and November 16. The picture below shows the top 20 tokens transferred out. Among them, SOL ranks first, with approximately 7 million SOL (approximately US$280 million), accounting for half of the total. It is followed by ETH worth $41.3 million, MATIC worth $26.6 million, RNDR worth $22 million and LINK worth $11 million.
Figure: FTX and Alameda’s other official addresses TOP 20 token transactions
There are nearly 50 intermediate addresses related to FTX and other official addresses of Alameda. Here, 0xde9A is selected as an example to illustrate its capital flow. As can be clearly seen in the figure below, 19 fund transfers have been carried out since October 25, with the total fund transfer amounting to more than 30 million US dollars. According to the value of token transfers, ETH accounts for the largest proportion, with 2,904 ETH (approximately $5.18 million) transferred to Binance Exchange, followed by 198,000 LINK (approximately $4.1 million) and 1.14 million DYDX (approximately $4.1 million). (approximately US$2.26 million), and were eventually transferred to the Binance exchange.
Figure: Token transfers from intermediate address 0xde9A since late October
According to on-chain transaction analysis, the funds for the intermediate address 0xde9A mainly come from FTX (accounting for 61%) and Alameda Research (37%). The main types of tokens accepted are DYDX, LINK, LDO, CHZ and GALA, etc.
Figure: Fund source of intermediate address 0xde9A
Summary: The assets that have been disposed of have exceeded 1 billion US dollars. It is speculated that the assets in the cold wallet will be used for the restart of FTX 2.0, and the addresses in other accounts have gradually begun to pay compensation to institutional customers.
1.2 Analysis of fund transfer on FTX hacker chain
Following the collapse of FTX, $477 million worth of assets were stolen from FTX’s crypto wallets by “hackers” within hours of the bankruptcy filing. The stolen assets spanned hundreds of cryptocurrencies. The hackers began laundering the money immediately. First, to prevent the stolen assets from being frozen, the hackers quickly exchanged them into mainstream tokens such as ETH through Uniswap and PancakeSwap. Second, to cover their tracks, the hackers immediately dispersed the assets across different blockchains and then merged the stolen assets via the Multichain and Wormhole cross-chain bridges. Immediately afterwards, the funds were dispersed and transferred to the Bitcoin network through the RenBridge and Thorswap cross-chain bridge platforms. In addition, the hackers also used coin-mixing platforms to avoid tracking.
Since the FTX hacking incident, a total of two large-scale fund transfers have occurred. The first was a few days after the attack, on November 20, 2022, when 65,000 ETH was transferred. After a nine-month hibernation, the hacker transferred funds again on September 30, 2023, which lasted for eight days and transferred approximately 90,000 ETH.
The FTX attacker's address (0x3e957E) made its first transfer in 10 months at 4 a.m. on September 30, 2023, transferring 2,500 ETH to a new address (0x396120). That address then dispersed the funds. Between 4 a.m. and 09:00 on the 30th, the funds were dispersed through 12 intermediate addresses, and 2,448 ETH was finally transferred out through Railgun Helper and THORChain. Immediately afterwards, a second fund transfer was carried out, and 2,500 ETH was again transferred from the FTX attacker address (0x3e957E) to an intermediate address (0xcBCEF2). These funds were exchanged for 153.6 tBTC via 2 intermediate addresses (0x94143E and 0x25a918) at an average price of $27,281. In addition, 1,250 ETH, 2,500 ETH, 1,500 ETH and 4,750 ETH were successively transferred to the EOA addresses 0x41555A, 0x368129, 0x3ca0F8 and 0xcd82B7 respectively. Each of these intermediary addresses dispersed the funds through multiple further addresses. In the end, the FTX attacker address (0x3e957E) transferred a total of 15,000 ETH (approximately $31.5 M) through 6 addresses, of which 12,447 ETH (approximately $26 M) was transferred cross-chain, and 2,500 ETH was converted to 153.6 tBTC through the MetaMask built-in swap.
Figure: Mainline of Funds Transfer from FTX Hacker 0x3E957E
The FTX attacker then switched to the attack addresses 0x7F3DeB, 0xD53C2e and 0x9B10ca and continued to transfer funds on the afternoon of October 1, in a total of 6 transactions. The amounts of ETH transferred were significantly higher than in the first round. The first 4 transactions were each 7,500 ETH, the fifth was 5,625 ETH, and the last was as high as 9,375 ETH, totaling 45,000 ETH, about 94.5 million US dollars. During this period, 6 intermediate addresses were involved, and these intermediate addresses dispersed the funds through 2-3 layers of transactions.
Figure: Another Six Transactions of FTX Hacker 0x7F3DeB, 0xD53C2e and 0x9B10ca.
The FTX attacker conducted another fund transfer between October 5 and October 7, transferring a total of 30,000 ETH, and then moved a large amount of the funds cross-chain through THORChain. Along the way, 500 ETH was exchanged for 40 tBTC, which was moved cross-chain to the Bitcoin network through TheTNetwork.
Figure: Another Five Transactions of FTX Hacker 0xa122d2 and 0x5ab55a.
From September 30 to October 7, the total amount of funds transferred was as high as 90,000 ETH, approximately US$189 million. Funds from six FTX attacker addresses on Ethereum were eventually transferred to nearly 60 addresses on Bitcoin, and the hackers used the Sinbad mixer to mix the coins.
Figure: Specific Swaps between ETH and BTC occurred on THORChain by FTX Hacker.
2. Summary and Enlightenment
The FTX blow-up, the arrest of SBF, the resignation of CZ, and the fine imposed on Binance revealed the opacity of centralized exchanges. Especially in the current environment of international geopolitical conflicts, the borderlessness and anonymity of cryptocurrency can easily be exploited for terrorism and by money-laundering gangs and others, so cryptocurrency regulation is urgent.
From FTX’s liquidation and disposal process, we can see that, whether through stricter protection for consumers or clearer rules for institutions, the direction of supervision is becoming increasingly clear. The collapse of FTX has also attracted close attention from many countries and regions, especially from U.S. regulators. From the SEC and CFTC to the White House and Congress, they have all expressed their opinions on the need to regulate cryptocurrencies. Subsequently, South Korea, Japan, Australia, Europe and other countries have launched investigations into the crypto market. How to comply with the operating rules of the crypto market and conduct effective supervision is a very important issue. To carry out cryptocurrency supervision and fund tracking, on the one hand, we must build on-chain and off-chain analysis and evidence collection capabilities, and on the other hand, we must carry out APT-level security attack and defense at the network security level and be able to integrate attack and defense.
About us
SharkTeam's vision is to secure the Web3 world. The team consists of experienced security professionals and senior researchers from around the world, who are proficient in the underlying theory of blockchain and smart contracts. It provides services including on-chain big data analysis, on-chain risk warning, smart contract audit and crypto asset recovery, and has built ChainAegis, an on-chain big data analysis and risk warning platform. The platform supports unlimited levels of in-depth graph analysis and can effectively fight against Advanced Persistent Threat (APT) risks in the Web3 world. It has established long-term cooperative relationships with key players in various fields of the Web3 ecosystem, such as Polkadot, Moonbeam, polygon, Sui, OKX, imToken, ChainIDE, etc.
Official website: https://www.sharkteam.org
Twitter: https://twitter.com/sharkteamorg
Discord: https://discord.gg/jGH9xXCjDZ
Telegram: https://t.me/sharkteamorg