Transfer spoofing evident in FTX Exploiter wallet meme token transfers – ZachXBT


On Nov. 20, on-chain detective ZachXBT posted a Twitter thread to debunk the three most commonly misunderstood issues surrounding the FTX case.

The three areas ZachXBT set out to cover were:

  • Bahamian officials being behind the FTX hack
  • Exchanges knowing the identity of the hacker
  • The FTX hacker trading meme coins.

ZachXBT began by alleging that the ‘0x59’ wallet was a blackhat address and not affiliated with either the FTX team or Bahamian officials.

The hacker used very high slippage in trades when selling tokens for Ethereum (ETH), DAI, and BNB, and the proceeds were then bridged to avoid the assets being frozen on Nov. 12. ZachXBT noted that this sporadic behavior was “very different” from that of other addresses that withdrew from FTX.

ZachXBT pointed out suspicious on-chain movement following a transaction of 3168 BNB from 0x59 to 0x24 and then to Huobi, with 0x24 having used potentially insecure services like Laslobit.

ZachXBT explained that this behavior was wholly different from the information provided regarding the Debtors moving assets to cold storage or the Bahamian government moving assets to the digital asset custody platform, Fireblocks.

Next, ZachXBT highlighted potential misinformation surrounding exchanges being aware of the hacker’s identity.

In response to the “we know the identity of the user” claim from Kraken’s team member, Nick Percoco, ZachXBT explained that it was likely the “FTX recovery side and not the attacker.” Additionally, ZachXBT asserted in his thread that it was the FTX group securing assets to a multi-signature wallet on Tron — using Kraken due to the FTX hot wallet being out of gas for transactions.

Lastly, covering the third commonly misunderstood issue, Zach addressed the rumors surrounding the FTX hacker trading meme coins.

Zach explained that the transfers were being spoofed to make it seem like the FTX hacker wallet was trading meme coins. CryptoSlate reviewed the on-chain data and can confirm that the transactions appear to come from an alternate address that was funded through 1inch on Nov. 11.

The alternate address appears to have permission to mint tokens such as WHATHAPPENED, thus confirming the origin of the token. To better understand how transactions can be spoofed on the Ethereum network, a Medium article by Etherscan community member, Harith Kamarul, explains the issue.
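A token contract can emit a Transfer event naming any address as the sender, so the check is to compare the event's `from` with the account that actually sent the transaction. The sketch below is an added example, not code from ZachXBT, CryptoSlate or the Medium article; the record layout (`tx_from`, `tx_hash`), addresses and hashes are constructed assumptions.

```python
# Topic0 hashes of the standard ERC-20 Transfer and Approval events.
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def addr(topic):
    """An indexed address is a 32-byte topic; the address is its last 20 bytes."""
    return "0x" + topic[-40:].lower()

def spoofed_transfers(logs, watched):
    """Return tx hashes of Transfer logs that name the watched EOA as `from`
    although it neither sent the transaction nor approved a spender itself."""
    watched = watched.lower()
    approved_tokens = set()  # tokens for which `watched` itself sent an approval
    flagged = []
    for log in logs:         # assumed sorted by block number and log index
        topics, token = log["topics"], log["address"].lower()
        sender = log["tx_from"].lower()
        # ERC-20 events carry 3 topics (ERC-721 Transfer has 4 and is skipped).
        if len(topics) != 3 or addr(topics[1]) != watched:
            continue
        if topics[0] == APPROVAL and sender == watched:
            approved_tokens.add(token)
        elif (topics[0] == TRANSFER and sender != watched
              and token not in approved_tokens):
            flagged.append(log["tx_hash"])
    return flagged

def pad(address):
    """Left-pad a 20-byte address to a 32-byte topic."""
    return "0x" + "0" * 24 + address[2:]

def make_log(token, event, owner, other, tx_from, tx_hash):
    return {"address": token, "topics": [event, pad(owner), pad(other)],
            "tx_from": tx_from, "tx_hash": tx_hash}

# Constructed sample data: placeholder addresses and hashes, not on-chain values.
WALLET, MINTER, POOL, SPENDER = ("0x" + c * 40 for c in "abcd")
TOKEN_X, TOKEN_Y, TOKEN_Z = ("0x" + c * 40 for c in "123")
SAMPLE_LOGS = [
    make_log(TOKEN_X, TRANSFER, WALLET, POOL, MINTER, "0xspoof"),    # forged `from`
    make_log(TOKEN_Y, TRANSFER, WALLET, POOL, WALLET, "0xself"),     # wallet sent it
    make_log(TOKEN_Z, APPROVAL, WALLET, SPENDER, WALLET, "0xappr"),  # real approval
    make_log(TOKEN_Z, TRANSFER, WALLET, POOL, SPENDER, "0xpull"),    # allowance used
    make_log(TOKEN_X, APPROVAL, WALLET, SPENDER, MINTER, "0xfake"),  # forged Approval
    make_log(TOKEN_X, TRANSFER, WALLET, POOL, MINTER, "0xspoof2"),   # still forged
]

if __name__ == "__main__":
    print(spoofed_transfers(SAMPLE_LOGS, WALLET))
```

Allowances granted through signed permits are submitted by a relayer rather than the owner, so a hit from this heuristic is a lead for manual review rather than proof.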

CryptoSlate reported the movement of newly created ‘meme’ tokens from the FTX Exploiter account on Nov. 11 with a focus on the transfer of tokens to Uniswap and the potential for a pump-and-dump scam. The article has been updated to include the transaction spoofing information for clarity.
