Transfer spoofing evident in FTX Exploiter wallet meme tokens transfers — ZachXBT

On Nov. 20, on-chain detective ZachXBT set out a Twitter thread to debunk the three most commonly misunderstood issues surrounding the FTX case.

The three areas ZachXBT set out to cover were:

• Bahamian officials being behind the FTX hack
• Exchanging knowing the identity of the hacker
• The FTX hacker trading meme coins.

1/ I have seen a ton of misinformation being spread on Twitter and in the news about the FTX event so let me debunk the three most common things I’ve seen

“Bahamian officials are behind the FTX hack”
“Exchanges know who the hacker is”
“FTX hacker is trading meme coins” pic.twitter.com/IAtHnpJI44

— ZachXBT (@zachxbt) November 20, 2022

ZachXBT began by alleging that the ‘0x59’ wallet was a blackhat address and not affiliated with either the FTX team or Bahamian officials.

The hacker used very high slippage in trades when selling tokens for Ethereum (ETH), DAI, and BNB and was then bridged to avoid the assets being frozen on Nov. 12. This sporadic behavior was noted to be “very different” from other addresses that withdrew from FTX by ZachXBT.

3/ The fact 0x59 was dumping tokens and bridging sporadically was very different behavior from the other addresses who withdrew from FTX and instead sent to a multisig on chains like Eth or Tron. https://t.co/WE3Zyax2ub

— ZachXBT (@zachxbt) November 20, 2022

ZachXBT pointed out suspicious on-chain movement following a transaction of 3168 BNB from 0x59 to 0x24, then to Huobi – 0x24, having used potentially insecure services like Laslobit.

ZachXBT explained that this behavior was wholly different from the information provided regarding the Debtors moving assets to cold storage or the Bahamian government moving assets to the digital asset custody platform, Fireblocks.

5/ This behavior completely differs what was said about the Debtors moving assets to cold storage or Bahamian government moving assets to Fireblocks. pic.twitter.com/wMekRhzOPR

— ZachXBT (@zachxbt) November 20, 2022

Next, ZachXBT highlighted potential misinformation surrounding exchanges being aware of the hacker’s identity.

In response to the “we know the identity of the user” claim from Kraken’s team member, Nick Percoco, ZachXBT explained that it was likely the “FTX recovery side and not the attacker.” Additionally, ZachXBT asserted in his thread that it was the FTX group securing assets to a multi-signature wallet on Tron — using Kraken due to the FTX hot wallet being out of gas for transactions.

8/ This matched the behavior for 0x97 multisig which had also been funded via a CEX as well. pic.twitter.com/J2uHIpe7Oj

— ZachXBT (@zachxbt) November 20, 2022

Lastly, covering the third most common spread of misunderstanding, Zach addressed the rumors surrounding the FTX hacker trading meme coins.

Zach explained that the transfers were being spoofed to make it seem like the FTX hacker wallet was trading meme coins. CryptoSlate reviewed the on-chain data and can confirm that the transactions appear to come from an alternate address which was funded through 1inch on Nov.11.

The alternate address appears to have permission to mint tokens such as WHATHAPPENED thus confirming the origin of the token. To better understand how transactions can be spoofed on the Ethereum network, a Medium article by Etherscan community member, Harith Kamarul, explains the issue.

11/ Please triple check who you get your info from. Many people are using the FTX event to appear knowledgeable for engagement when in fact they have zero clue what is going on.

— ZachXBT (@zachxbt) November 20, 2022

CryptoSlate reported the movement of newly created ‘meme’ tokens from the FTX Exploiter account on Nov. 11 with a focus on the transfer of tokens to Uniswap and the potential for a pump-and-dump scam. The article has been updated to include the transaction spoofing information for clarity.

»

Source