A Deeper Trace Analysis of what the FTX Hacker account is actually doing: Tons of swaps and trying to exit

Intro and TL;DR
You've probably seen the news about the FTX account hacker.
There is SO MUCH going on in this account that anything you think is happening is probably done to hide his tracks. Dozens of tokens and DeFi swaps have been used. Some tokens have been sent over Polygon PoS and Bitcoin bridges. PAXG seems to be his favorite token by far for token laundering.
These are all the tokens he's been swapping to:
stETH, USDT, LINK, USDP, LDO, WBTC, SUSHI, YFI, 1INCH, UNI, LINK, MATIC, PAXG, SHIB, AAVE, APE, PAXG, SNX, renBTC
I wouldn't trust anything posted by the media or random Twitter posts unless they're citing experts. This should be done by a professional trace analyzer because they have specialized tools for tracing this.
I do not believe the hacker is related to the Bahamian government. These transactions are much too random, chaotic, and swap for too many random tokens. If it is the Bahamian government, then they're totally letting SBF create chaos with it. He's been constantly sending shitcoins to famous people's Ethereum accounts for the past week.
AFAICT, the hacker is not trying to sell ETH for BTC. I'm guessing he's trying to exit using whatever exchange or swap that hasn't yet blacklisted him. PAXG was the weak link on Nov 12. It's now $60M worth of ETH to WBTC and renBTC, which he's using to exit to BTC mainnet.
Here's my best attempt at an amateur trace analysis
There are at least 11 FTX hacker addresses, most of which were created on Nov 12. One last one was created today.
Main address: https://etherscan.io/address/0x59abf3837fa962d6853b4cc0a19513aa031fd32b
- History
  - This one's been around for 8 days since Nov 12
  - It's been growing ETH. Started with 160k ETH. Grew to 200k ETH on Nov 15 and then to 250k ETH on Nov 19. 50k ETH has been swapped or transferred out today.
  - On the first day, it was sent out to 26 different addresses.
  - Apparently, he found out that PAXG swaps were the weakest link and was able to swap to $60M of it.
  - Since then, it has stayed quiet (other than for shitcoin transfers) until today. There was 1 lone Tx on Nov 15 for token approval for DAI on CoW Protocol
  - Suddenly today, it has become active again
- Current balance
  - 200k ETH, down from 250k ETH yesterday. That's a difference of about $60M USD worth of ETH that went elsewhere.
  - $14M of PAXG
  - 70+ random shit tokens. Some were sent by others to insult the owner. Some were swapped into by the owner.
- Nov 12 activity
  - This guy is an absolute DeFi degenerate. He's possibly testing for blacklists on his first day or trying to exit as fast as he can. He used over a dozen different swaps.
  - Did tons of token approvals. I stopped listing the duplicates on different dApps. For example, he tested approvals for PAXG on at least a dozen swaps. And these are just what I can see on the blockchain.
  - There is: stETH, USDT, LINK, USDP, LDO, WBTC, SUSHI, YFI, 1INCH, UNI, LINK, MATIC, PAXG, SHIB, AAVE, APE, PAXG, SNX
  - Swapped 523k USDT for USDC
  - Swapped 14M USDT for cUSDT
  - Swapped 14.5M USDT for DAI
  - Swapped 2M worth of WETH and LDO??
  - Transferred 4M MATIC to the MATIC bridge. Oh boy. Someone will need to analyze this separately.
  - Swapped 1k PAXG for WETH, $1.4M worth. Interesting since he did it again and again and again. These stand out. Probably hitting liquidity issues.
  - Several hours go by
  - Swapped PAXG for WETH
  - I'm not going to list all of these. He made a dozen more transactions to swap $25M PAXG for WETH using KyberSwap.
  - Random Maker proxy registry, it seems for PAXG.
- Nov 20 activity (today)
  - Sent $5.9M ETH to Side address 5
  - Sent $11.7M ETH to Side address 5
  - Sent $11.7M ETH to Side address 5
  - Sent $29.3M ETH to Side address 5
Side addresses
- FTX Account Drainer 2 (22 Tx):
  - Token approvals for PAXG on multiple swaps
  - A mega transaction for PAXG, DAI, WETH, USDC. End result seems to be a swap of $1.7M of PAXG to ETH.
  - Transferred 1 ETH to FTX Accounts Drainer 3 and this random address
- FTX Account Drainer 3 (2 Tx):
  - Has $1k of ETH and $870k of PAXG
- FTX Account Drainer 4 (1 Tx):
  - Has $870k of PAXG
- Side Account 5
  - This is the one that prompted multiple media posts. These swaps are pretty complicated.
  - Spent a lot of transactions on the FTX Bahamas shit token for some reason.
  - Swapped $4.8M ETH for WBTC for renBTC
  - And again for $3.5M, $1.2M, ... and lots more for a total of $60M worth of tokens to renBTC.
  - Burned $1.1M, $16.5M, $29M, $11.4M using the Ren BTC Gateway for a total of ~$60M.
  - So he's exiting to Bitcoin mainnet, and Bitcoin UTXOs are way harder to trace. Needs professional trace tools.
  - Chainalysis is already on the investigation for the renBTC bridge exit.
There are at least 6 other accounts of smaller activity
Sending shitcoins to famous people addresses
If it weren't obvious already that this isn't the government, he's trolling others by sending shitcoins to them.
- Twitter World Cup Inu to Vitalik, FTX Sucks to Vitalik
- FTTCash to autistic
- FTTCash to Ukraine Crypto Donation, BAYC
- Follow me to Yannick
- Lots of Shitcoins like What happened, Dontfollowyannick, Fuck FTX, CRO Next to multiple exchanges. I can't list them all.
- FTX Sucks to dozens like Vitalik, Ukraine Crypto, satoshi, multiple exchanges, 420, and dozens of other accounts.
Anyways, I'm just one person tracing this for 2 hours. I'll leave it to the professionals like Chainalysis to do a better job.
One of the takeaways is that even if you blacklist one account, it's hard to actively trace the other accounts they're going to and actively block them.
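The post's closing point, that blocking one address does not cover the addresses funds move to next, can be made concrete with a watchlist-expansion sketch. This is an added example, not part of the original post: the transfer rows, address labels, the `min_usd` dust threshold and the `SERVICES` set are all constructed assumptions, chosen to mirror the side addresses, spam-token transfers and bridge exit described above.

```python
from collections import deque

# Constructed sample: labels and USD amounts are illustrative, not chain data.
# Row format: (sender, receiver, token, usd_value)
TRANSFERS = [
    ("main", "side5", "ETH", 5_900_000),
    ("main", "side5", "ETH", 11_700_000),
    ("main", "drainer2", "PAXG", 1_700_000),
    ("drainer2", "drainer3", "ETH", 1_200),        # small funding transfer
    ("drainer3", "drainer4", "PAXG", 870_000),
    ("side5", "ren_gateway", "renBTC", 16_500_000),
    ("main", "famous_wallet", "SPAMTOKEN", 0),     # worthless token sent to a public figure
    ("main", "exchange_hot", "SPAMTOKEN", 0),
    ("bystander", "main", "INSULT", 0),            # incoming spam, irrelevant to the trace
    ("ren_gateway", "unrelated_user", "renBTC", 50_000),
]
SERVICES = {"ren_gateway"}  # shared bridge/swap contracts (assumed label)


def trace(seeds, transfers, min_usd=1_000, services=SERVICES):
    """Follow outgoing value from seed addresses, breadth first.

    Returns (watchlist, exits): addresses to flag, and USD totals that
    reached a shared service, where this simple trace stops.
    """
    outgoing = {}
    for src, dst, token, usd in transfers:
        outgoing.setdefault(src, []).append((dst, usd))
    watch, exits, queue = set(seeds), {}, deque(seeds)
    while queue:
        addr = queue.popleft()
        for dst, usd in outgoing.get(addr, []):
            if usd < min_usd:
                continue  # dust or spam token: receiving it does not taint the recipient
            if dst in services:
                exits[dst] = exits.get(dst, 0) + usd
                continue  # a bridge is used by everyone; do not flag its other users
            if dst not in watch:
                watch.add(dst)
                queue.append(dst)
    return watch, exits


if __name__ == "__main__":
    watch, exits = trace(["main"], TRANSFERS)
    print(sorted(watch), exits)
```

Raising `min_usd` above the small funding transfer drops `drainer3` and `drainer4` from the result, which is the trade-off between ignoring spam and missing a low-value hop.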