Elliptic finds apparent Russian connection in laundering of FTX stolen funds

Quick Take

  • Elliptic found on-chain indications of Russian actors in the laundering of the assets stolen from FTX last year.
  • The analytics firm believes a Russia-linked broker or intermediary might have been involved.

Days after the collapse of crypto exchange FTX, as though things couldn't get any worse, the beleaguered exchange was hacked for over $475 million. Elliptic, a blockchain analytics firm, said it has now found some clues that might shed light on who was behind the attack.

Shortly after the breach happened, $74 million was channeled via RenBridge, a platform associated with FTX’s sister company, Alameda Research.

Out of the 4,536 bitcoins ($74 million) converted from ether at RenBridge in November, 2,849 BTC were processed through mixers, primarily the ChipMixer service. These funds then intermingled with assets connected to Russian criminal networks, encompassing ransomware culprits and darknet marketplaces, Elliptic said.

“A Russia-linked actor is likely. Upon tracing the stolen assets through ChipMixer, we found significant amounts mingled with funds from Russian-affiliated criminal entities, before their dispatch to exchanges. This convergence signals the possible engagement of a broker or intermediary rooted in Russia,” analysts at Elliptic said.

The majority of the stolen funds from the FTX hack lay dormant until just prior to the recent Bankman-Fried trial, only to resurface in the early hours of Sept. 30. The perpetrator converted about 72,500 ETH ($120 million) to Bitcoin using the THORSwap cross-chain exchange. Even after THORSwap paused operations on Oct. 6, the hacker managed to bridge funds through THORChain via other venues, Elliptic noted.

Following the conversion, the bridged bitcoin was passed through Sinbad, a mixer service with documented affiliations to North Korea’s Lazarus Group. While the use of Sinbad introduces suspicions surrounding the Lazarus Group, Elliptic argued that the laundering strategies employed here are less intricate and suggested the laundering method makes a Russian link more probable.



Hacker identity still remains unclear

Nevertheless, the identity of the hacker remains elusive, according to Elliptic. Speculations abound, suggesting the heist might have been an internal operation, potentially implicating FTX staff or even pointing to Bankman-Fried as a suspect.

Yet, concerning fund laundering, Bankman-Fried might have an alibi. Elliptic highlighted a specific instance on October 4, 2023, when $15 million of the stolen assets was moved via ThorChain — a time when Bankman-Fried was reportedly in court without internet access.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]


To contact the editor of this story: Tim Copeland at [email protected]