{"id":510334,"date":"2022-11-15T14:55:25","date_gmt":"2022-11-15T11:55:25","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/ftx-hacker-still-draining-exchange-wallets-analyst-calls-it-on-chain-spoofing\/"},"modified":"2022-11-15T14:55:25","modified_gmt":"2022-11-15T11:55:25","slug":"ftx-hacker-still-draining-exchange-wallets-analyst-calls-it-on-chain-spoofing","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/ftx-hacker-still-draining-exchange-wallets-analyst-calls-it-on-chain-spoofing\/","title":{"rendered":"# FTX hacker still draining exchange wallets? Analyst calls it on-chain spoofing"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9D_FTX_hacker_still_draining_exchange_wallets_Analyst_calls_it_on-chain_spoofing_%E2%80%9C\"><\/span>&#8221; FTX hacker still draining exchange wallets? Analyst calls it on-chain spoofing  &#8220;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div class=\"post-content\" data-v-887bb764>The FTX hacker who drained over $450 million worth of assets just moments after the doomed crypto exchange filed for bankruptcy on Nov. 11 continues to drain assets from the exchange, four days after the hack was first flagged.<\/p>\n<p>Crypto analytics firm Certik, in a tweet, noted that the hacker wallet is still <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/CertiKAlert\/status\/1592337867426127874?s=20&amp;t=0fg-BmO6eEoENkA8EaFt-Q\">draining<\/a> crypto assets from the wallets associated with FTX and FTX.US. The FTX hacker wallet currently holds $62 million worth of assets.<\/p>\n<p>Since Nov. 12 the hacker wallet has received and swapped 3.2 billion meme tokens and sent 2.8 billion of these tokens to popular addresses. 
These meme tokens mostly comprised profanity tokens such as FTX Sucks, Fuck FTX, CRO Next and more.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2022-11\/c1930584-1e59-4d47-9910-08c7ed3f7778.jpg\" alt=\"\" title=\"\"><figcaption style=\"text-align: center;\"><em>Meme tokens sent and received by FTX exploit address. Source: Certik<\/em><\/figcaption><\/figure>\n<p>A crypto analyst who goes by the Twitter name of ZachXBT <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/zachxbt\/status\/1592338915075428352?s=20&amp;t=0fg-BmO6eEoENkA8EaFt-Q\">claimed<\/a>\u00a0that the recent movement of funds is just on-chain token spoofing. The analyst claimed that Etherscan transfer logs can be spoofed and the recent movement of funds in the FTX hack saga is one example of that.<\/p>\n<p>The ERC-20 standard \u201ctransfer\u201d and \u201ctransferFrom\u201d functions can be modified to allow any arbitrary address to be the sender of tokens, as long as this is specified within the smart contract, resulting in a token being transferred from a different address than the one that initiated the transaction.<\/p>\n<p>These tokens can be sent to any address and then sent out of that address (to any other address) without the address owner having any control of those tokens. If you open the transaction and see \u201csent from,\u201d it will show a different address.<\/p>\n<p>As Cointelegraph reported on Nov. 12, the hack was flagged right after FTX announced bankruptcy. At the time, out of the $663 million drained, around $477 million was suspected to be stolen, while the remainder was believed to have been moved into secure storage by FTX themselves. 
<\/p>\n<p>The wallet owner was found swapping $26 million Tether (USDT) to Dai (DAI) via 1inch and approved Pax Dollar (USDP) \u2014 a Paxos-issued stablecoin \u2014 for trade on CoW Protocol. The wallet also approved transfers and sales of other cryptocurrencies, including Chainlink\u00a0(LINK), Compound USDT (cUSDT) and Staked Ether (stETH).<\/p>\n<p>The fact that hackers managed to drain assets from FTX global and FTX.US at the same time, despite these two entities being completely independent, became a hot topic of discussion, raising speculation about it being an inside job.\u00a0<\/p>\n<p>Certik\u2019s director of security operations, Hugh Brooks, told Cointelegraph that on-chain evidence points strongly toward that possibility:<\/p>\n<blockquote><p>\u201cSticking to onchain evidence, unless there was a private key compromise (of which there is no evidence of at current), then we can\u2019t rule out that someone with access to the FTX exchange and FTX US wallets moved the funds into the black hat wallets\u201d<\/p><\/blockquote>\n<p>Kraken\u2019s chief security officer Nick Percoco later <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/c7five\/status\/1591434844760076290?s=20&amp;t=3LXzhWfhNMZZxTHIdlHuFw\">tweeted<\/a>\u00a0that they were aware of the user\u2019s identity but did not share any more information publicly. Certik told Cointelegraph that Percoco might be referring to the white hack involved in moving the funds to cold wallets.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/ftx-hacker-still-draining-exchange-wallets-analyst-calls-it-on-chain-spoofing\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8221; FTX hacker still draining exchange wallets? Analyst calls it on-chain spoofing &#8220; The FTX hacker that drained over $450 million worth of assets just moments after the doomed crypto exchange filed for bankruptcy on Nov. 11, continues to drain assets from the exchange, four days after the hack was first flagged. 
Crypto analytic firm&#8230;<\/p>\n","protected":false},"author":1,"featured_media":510335,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMTEvYzU3NzNjYmUtNzI0OS00MTVjLWI1NzEtMzY2NDJhNTU1Y2M2LmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74894,74863,135234,89897,74892,117,71407],"class_list":["post-510334","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-blockchain","tag-cryptocurrencies","tag-ftx","tag-sam-bankman-fried","tag-tokens","tag-business","tag-trading"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/510334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=510334"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/510334\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/510335"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=510334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=510334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=510334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}