Newsletters
This article is more than six months old

How FTX hacker’s $131m ‘laundering’ spree caused DeFi exchange to shut off

How FTX hacker’s $131m ‘laundering’ spree caused DeFi exchange to shut off
DeFi
THORSwap disabled parts of its website interface as the FTX hacker resurfaced in the same week as Sam Bankman-Fried's trial started. Credit: Andrés Núñez/DL News.
By
Tim Craig
  • THORSwap disables website interface after FTX hacker used exchange to swap stolen funds.
  • The decentralised exchange says it took action after consulting with law enforcement.
  • THORSwap contributor says exchange would be “open to referencing what other DEX interfaces in the industry have implemented,” to ensure compliance.

Decentralised exchange THORSwap disabled parts of its website interface Thursday after the hacker who swiped $450 million from FTX last year started using the platform to convert stolen Ether to Bitcoin.

Since the hacker started moving funds on September 30, they have sent around $131 million worth of Ether to Thorswap and privacy protocol Railgun, according to onchain data compiled by Arkham Intelligence.

In a Friday morning X post, the official THORSwap account said it had transitioned the exchange’s interface into “maintenance mode” after consulting with legal counsel and law enforcement.

The move stops users interacting with the interface for trading, but leaves other services including lending, borrowing and staking operational.

Although this effectively prevents everyday users from interacting with THORSwap, those with sufficient technical ability can still use THORSwap by interacting directly with its smart contracts.

“THORSwap stands firmly against any and all criminal activity — especially on the THORSwap platform,” a THORSwap contributor speaking from the official THORSwap X account told DL News.

The contributor confirmed that the pause had nothing to do with the ongoing FTX trial, where former CEO Sam Bankman-Fried faces charges of wire fraud, securities fraud and conspiracy to commit money laundering, among others.

“[We] will have more updates when a permanent and robust solution is implemented to ensure the platform’s continued security and integrity,” the contributor said, adding that THORSwap would be “open to referencing what other DEX interfaces in the industry have implemented.”

Join the community to get our latest stories and updates

Last year, top decentralised exchange Uniswap blocked 253 crypto addresses linked to sanctioned privacy tool Tornado Cash or to stolen funds from accessing its website.

THORSwap may be considering a similar solution.

THORSwap is one of around 20 interfaces connected to Thorchain, a blockchain that lets users trade native assets between separate blockchains.

Before Thorchain, crypto users who wanted to swap assets on Ethereum for native Bitcoin had to do so through centralised exchanges like Binance. Thorchain lets users make such swaps directly.

‘Turning off the platform makes no sense’

Not everyone in the DeFi community stands behind THORSwap’s decision to pause trading.

“I’m sorry but just turning off the platform makes no sense,” said X user @haboussef in response to the announcement. “Thorchain provides no privacy and doesn’t let hackers cash out their stolen funds.”

Others called the decision “disappointing” and questioned THORSwap’s commitment to creating an open and permissionless platform.

Based on previous hacks, the FTX hacker’s move to convert stolen Ether into Bitcoin is likely the first step in laundering the funds and breaking the chain of traceability.

Once funds are converted to Bitcoin it is much easier to launder them using coin mixing services before attempting to cash out through crypto exchanges that do not require know-your-customer checks, such as Fixed Float.

How hackers turn stolen crypto into cash

How hackers turn stolen crypto into cash (Eric Johansson, Andrés Núñez/Written by Eric Johansson / Graph by Andrés Tapia for DL News)

“THORSwap cannot speculate on objectives,” the anonymous THORSwap contributor said when asked why the FTX hacker was using THORSwap. “Perhaps ease of use and the fact that THORSwap supports native Bitcoin?”

The hacker’s identity remains unknown.

Onlookers have speculated that notorious North Korean hackers known as the Lazarus Group or a rogue FTX employee may be behind the attack.

‘They’re obviously not going to make themselves into criminals’

Still, some are more sympathetic to THORSwap’s situation.

“Part of the team is US-based and subject to US law enforcement,” TCB, a THORSwap community member and Thorchain validator, told DL News. “They’re obviously not going to make themselves into criminals.”

And there’s good reason for THORSwap’s developers to be worried.

In August, Roman Storm and Roman Semenov, developers at privacy protocol Tornado Cash, were charged by the US Department of Justice with money laundering and sanctions violations.

The DoJ alleges Tornado Cash “facilitated more than $1 billion in money laundering,” including “hundreds of millions” for North Korea’s Lazarus Group.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out to him with tips at tim@dlnews.com.

Related Topics
MONEY LAUNDERING
Related articles
Understanding crypto hacks and exploits
DL News
How North Korea used LinkedIn and social engineering to steal $3.4bn in crypto
Eric Johansson, Tyler Pearson
North Korea’s stolen crypto haul reaches $3.4bn — 16 years of Lazarus heists and hacks
Tyler Pearson