The tokens were quickly converted to ether, the second-largest cryptocurrency. Such conversions are a popular technique used by hackers to prevent their funds from being seized.
Tom Robinson, co-founder of Elliptic, clarified the numbers in an email late Saturday afternoon. He said that the group had tracked a total of $663 million that had moved from FTX. Of that, $477 million is suspected to have been stolen, with the remainder authorized by FTX itself. He said the numbers could fluctuate slightly as the group did more research.
Earlier Saturday afternoon, the chief security officer at another major exchange, Kraken, said that a verified account on its platform had been used in the breach.
“We know the identity of the user,” Kraken’s Nick Percoco tweeted. He said that a statement from FTX was expected soon.
Meanwhile, a prominent crypto investigator, known online as ZachXBT, said he had tracked two accounts that were moving funds: the hacker's and one at FTX that tried to stem the damage.
“The attacker withdrew assets from FTX/FTX U.S. and began selling them for assets that can’t be frozen,” ZachXBT wrote in a message to The Washington Post. “It appears FTX employees then began to save the remaining assets.”
Some crypto entities were able to freeze the hacked assets, making them unusable, he added. Tether, the coin pegged to the U.S. dollar, was able to freeze about $31 million.
In his view, it remains unclear whether the attacker was a person with inside knowledge of FTX’s systems. (The blockchain — the digital ledger used in the analysis — does not offer personally identifying data.) Some experts have noted that when a company winds down operations quickly, security can be left weakened, aiding opportunistic hackers.
Outside security experts said that since a verified account was used at Kraken, and FTX was warning users not to employ the app, an insider was likely involved either as a perpetrator or as a victim who had credentials compromised as a steppingstone in the attack. “It looks like they have an app update that is malicious coming down. If that is verified, this is someone trying to rob FTX while they still can before everything is frozen because of Chapter 11,” said Joe Roosen, a hacking threat researcher at Intel471.
While FTX did not immediately respond to The Post's request for comment, Miller later tweeted a statement on behalf of new chief executive John J. Ray III saying that the company’s executives “continue to make every effort to secure all assets, wherever located.”
“We have been in contact with, and are coordinating with law enforcement and relevant regulators,” Ray added.
Miller had tweeted earlier Saturday that the exchange had “initiated precautionary steps to move all digital assets to cold storage.” Cold storage refers to crypto wallets that are not connected to the internet to guard against hackers. The firm is “investigating abnormalities with wallet movements,” but the facts remain “unclear” and FTX will “share more info as soon as we have it,” he wrote.
FTX appeared to have verified rumors of a potential hack on the exchange’s Telegram channel and has asked customers to stay off the firm’s website and delete FTX apps, CoinDesk reported.
The Post could not confirm the details of messages in the firm’s private Telegram channel.
Sam Bankman-Fried, the co-founder and chief executive of FTX, resigned Friday after the exchange he founded had gone from being an industry giant valued at $32 billion to facing collapse over the course of just three years.
In the wake of the crisis, some critics have called for tighter government scrutiny of crypto companies, which have largely avoided regulation. They say that could have helped prevent situations like that at FTX, which is now the subject of a slew of questions about a lack of separation between the exchange and Bankman-Fried’s trading firm, Alameda Research.
On Saturday, Treasury Secretary Janet L. Yellen said she agreed with the criticism.
“In other regulated exchanges, you would have segregation of customer assets,” she told Bloomberg News. “The notion you could use the deposits of customers of an exchange and lend them to a separate enterprise that you control to do leveraged, risky investments — that wouldn’t be something that’s allowed.”
The FBI and Justice Department did not immediately respond to requests for comment.