The FTX collapse is funny for all kinds of reasons. Here’s one from a Delaware court filing on Tuesday where the administrators ask for judicial forgiveness for “certain authorised actions”. (Our emphasis, H/T Kadhim):
3. In light of the risk of cyber-attacks and other malicious activity, the Indemnification and Exculpation Motion seeks authorization on an emergency basis to provide indemnification and exculpation of certain individuals for certain authorized actions described in the Indemnification and Exculpation Motion.
4. The Indemnification and Exculpation Motion details certain actions that the Debtors and certain individuals have taken and continue to take in connection with valuable assets that represent a significant share of the Debtors’ estates as well as descriptions of the locations of these assets.
5. The Debtors seek to file the Indemnification and Exculpation Motion under seal to protect confidential commercial information, the public disclosure of which may put certain of the Debtors’ assets at further risk of cyber-attacks or other malicious activity.
Reading between the extremely wide-spaced, crayon-drawn lines here, it sounds like the company in the chaos of FTX’s collapse authorised some stuff that we assume was important but not entirely best practice, and it doesn’t want to say what it did or who did it?
Listen, we’ve all been there — the Caribbean crypto empire is collapsing, your boss’s pro-gaming career isn’t taking off, you’re all being cyber-bullied by this guy. And to top it all off, you’re being abnormally transacted with. What’s an FTX-er to do?
Well, probably whatever you can to get things to calm down. In the case of that grab bag of
magic beans shitcoins crypto “assets” (for want of a better term) you’ve assembled, that might involve moving them away from somewhere vulnerable to hacking. In doing so, you might make some unconventional decisions!
Occasional Alphaville contributor Dan Davies has a theory on where this might leave you:
Or actually they’ve shifted it to a cold wallet, and there’s someone in the Bahamas who is nervous about the fact they have no insurance for the $5bn flash drive in their hotel safe
— Dan Davies (@dsquareddigest) November 22, 2022
We’re sure this will produce hilarity when details eventually emerge (things are unfolding, etc), and we want to stress that a lot is unknown at the moment. But this did provide us with a neat excuse to do some wallet inspecting.
(Buried lede begins.)
Earlier this month, we revealed FTX’s shoddy balance sheet. This showed that it was roughly $8bn short of its liabilities and its assets were mostly chaff. We also shared their extremely confident “term sheet”. (Side note: FTX management tracks down $1.24bn in cash holdings)
But there’s more! Moderately less excitingly, other documents extracted from FTX’s data room included a list of all the hot (ie internet-connected) wallets held by FTX US. The data were held in an Excel file, which according to its metadata was initially created by Gary Wang, FTX’s chief technical officer and co-founder. The file version we have was last modified on November 10th at 13:39:36.
Here is the first sheet (as obtained, with the exception that FTAV has sorted the values by size, and added asset/liability totals at the bottom):
These aren’t overly exciting on a surface level. As you might expect, FTX US’s hot wallet tokens assets matched its customer liabilities. Meanwhile, it was about $13mn short of its liabilities across a range of currencies (which feels small, relatively speaking).
(It’s worth a quick reminder about what FTX offered, which was at least partially a wrapper service to allow normies to do crypto trading through derivatives without really getting their hands dirty.)
More interestingly, the document also includes a list of all of FTX US’s hot wallet addresses at the time it was created. These addresses are perhaps best thought of as being like individual current accounts, with each one sending or receiving crypto within the bounds of its blockchain protocol.
Here are the top few rows:
All in all, there are 76 unique (in terms of either wallet name or coin held) entries in this sheet, and a further 47 across further sheets (there are some entries that appear to be duplicates).
Here, for example, are FTX US’s various hot wallets containing bitcoin:
through desperate, blind groping systemically, FTAV naturally went straight to the top, following the money from FTX US’s biggest BTC address — row 12 above.
This address is catchily hashed as 36mSujwwRR4LM5m2MtsjimuKzJRb1FehW4. At the time it was added to the sheet, it contained 977.8218867 bitcoin, worth about $15.9mn at the time. We’re gonna call it a completely random name as it is basically unimportant.
Hello, Suman! Let’s learn about you. Suman’s address hash is all we need. Thanks to the magic of the blockchain, transparency is easy! Per Blockchain.com, Suman has handled two transactions in its life:
— At 11:48 on November 10th, it received 978.02192791 BTC from address 3Fb79abn2MKhyYdSHXhFmDFdwDDti6fhP9, which we’ll call Naseem.
— At 12:16 the same day, it sent 977.82188672 BTC to 12 addresses, incurring a small fee.
— The biggest share by far (976.99792909 BTC) went to bc1qj2lwyjey8vl85stky7fhfvs572nv8akclkudxn, which we’ll call Zheng.
So, big chunk of money goes from Naseem to Suman, sits with Suman for less than half an hour, then mainly goes off to Zheng.
All we’ve learned at this point is that the address listed in Wang’s wallet document was incorrect — Suman had in fact been emptied about an hour before the version we obtained was made.
FTAV initially tried to work Naseemwards, aka backwards through time. Going back through dozens of addresses, it was a similar story: a large block of BTC landed, remained in the address for a very short period, and then moved on.
Naseem held the BTC for about an hour . ..
. . . the account before him had it for about the same . ..
. . . and so on.
Sometimes, the movement included several small payments, but often it was only split two ways: the big chunk, and what appears to have been a small fee. Frequently, this fee was of 0.2 BTC, and went to address 1BejpJzSYnydbvbpar1qwrjjMLuQY1c5DF. We’ll call this address Jo.
So, it looks like FTX US was moving its money frequently, though not with any immediately discernible pattern and sometimes seemingly with little clear purpose, and in the process possibly leaking money to Binance through handling fees.
It’s not clear how far we’d have to go back to find the end of this pattern (if you know a good way to do so, please let us know!) Still, this is weird, right?
Giving up, and cursing ourselves for having never learned to code, we headed Zhengwards (ie forward in time). Again, similar quick movements, with dozens in a row.
In a couple of instances, bigger blocks came off and went to 17QyR2ixNj1AgpD5ZuXubvSJ3gPPQVcsvp, aka Ayolede. Ayolede appears to be some kind of intermediary address — more than $3bn of BTC has flown through her, though she was empty at time of pixel. She has previously been featured by Whale Alert, a site which tracks big crypto transfers.
But the biggest part of the Suman block kept going, moving through dozens and dozens of transactions. Until, suddenly, it stopped.
At 22:03 on November 11, address 38ijhiFYiBWKo2p48K78Gmpx5nspUQnqAw (Merlyn) transferred 736.20098821 BTC of the 736.21102453 BTC it had received ten minutes earlier to bc1q8umytnw6dh6f909c9r53ae4n08uqmtyw88v0ge (Jessy).
Jessy then chilled for about six hours, before sending all they had to 325gSHHe7UGvzEc9kGx43VqPboXUVwa26i, which behindthename.com has called Wisdom, at 4:38am on November 12 — about fourteen hours after FTX Group (including FTX US) declared bankruptcy.
Let’s end with some Wisdom.
Wisdom contains, at time of pixel, 3871.694 BTC, which was worth, at time of pixel, about $62.6mn. We can assume that FTX wants Wisdom to have this money. After all, FTX claimed to control Suman, a link in the link in the chain that led to Wisdom.
Wisdom has already gathered a bit of attention online (this roughly feels like in Monty Python and the Holy Grail when they finally discover the grail castle only to find the French are already there).
ZachXBT (an “on-chain sleuth” who is likely much better at this than us) reckons this address is controlled by “white hat” (aka non-evil) hackers.
>funds withdrawn later on
>funded via CEX
>funds sent to multisig
— ZachXBT (@zachxbt) November 12, 2022
Much to consider.
So what did we learn?
— blockchains are hard
— the money is resting
We can hypothesise that, with unlimited time and resources OR simply learning to code, following other Sumans might lead us to further Wisdoms.
But exactly what Wisdom is, and how many other addresses like that exist, could be one of the many revelations of the coming weeks. Could Wisdom be, as floated thousands of words ago, on a cold-storage USB drive being held by some mid-ranking FTX staffer who has been locked in their Bahamas flat eating nothing but takeaway for two weeks? Only time, and lawyers, may tell.
For those people who deposited with FTX US, they’ll be hoping Wisdom is on their side.