On-chain detective ZachXBT has taken to Twitter to clear up what he calls a "lot of disinformation" about the FTX hack and the individuals who may be responsible for it. He shared his research on what he thinks are the three most common misconceptions about the breach.
The self-proclaimed "on-chain detective" dispelled many rumours in a long message on Twitter on November 20. Rumours circulated that Bahamian authorities were behind the FTX attack, that exchanges were aware of the hacker's true identity, and that the perpetrator was trading memecoins.
On November 11, the same day that FTX filed for bankruptcy, the cryptocurrency community started reporting strange transactions on wallets affiliated with FTX. These transactions included the movement of more than $650 million out of the wallets.
The Securities Commission of the Bahamas (SCB) said in a statement on November 17 that it had ordered the transfer of all digital assets of FTX to a digital wallet owned by the commission around that time. Some people thought that the SCB was behind the alleged "hack," even though no one has been officially named as the culprit.
However, ZachXBT argued that the 0x59 wallet address associated with the hacker was a blackhat address and was not affiliated with either the FTX team or the SCB because it "began selling tokens for ETH, DAI, and BNB and using a variety of bridges so crypto couldn't be frozen on 11/12."
"The fact that 0x59 was dumping tokens and bridging sporadically was very different behaviour from the other addresses who withdrew from FTX and instead sent to a multisig on chains like Eth or Tron," he added. "The behaviour of the other addresses who withdrew from FTX and sent to a multisig on chains like Ether or Tron was much more consistent."
Zach further notes that the blackhat wallet interacted with another wallet known as 0x24, which, according to Zach, "had highly suspect behaviour on-chain utilising dodgy services."
ZachXBT also pointed to possible misinformation in the assertion that "Kraken or other exchanges" had uncovered the identity of the hacker.
The rumour has been going around since Kraken's chief security officer said in a post on November 12, "We know the identity of the user."
According to Zach, the person who was labelled as the hacker was in fact probably simply the FTX group securing assets to a multi-signature wallet on Tron using Kraken, since the FTX hot wallet had run out of gas and was unable to process transactions.
ZachXBT concluded his argument by addressing the persistent claim that the FTX hacker is involved in the trade of memecoins. This rumour was first brought to light by the blockchain analytics company CertiK.
Instead, the blockchain detective asserts that the transactions on the Ethereum network have been "spoofed." As evidence, he cites a blog post written in March by an Etherscan community member named Harith Kamarul, who describes how transactions may be faked.