Blockchain surveillance firm Elliptic now says there’s a “stronger possibility” that fallen crypto exchange FTX’s mysterious hacker was a Russian-linked entity.

For starters, the fact that funds moved while FTX founder Sam Bankman-Fried was in a Manhattan courtroom casts doubt on the hypothesis that he stole the money.

“At 3:41pm EST on October 4th 2023, $15 million of the stolen crypto was moved—at which time Bankman-Fried was reportedly in court, without internet access,” Elliptic wrote in a blog post.

On Thursday the company provided a timeline detailing the on-chain movements of the hacker’s stolen funds. Since the hack took place, much of the proceeds were bridged to Bitcoin and run through ChipMixer—an unlicensed Bitcoin privacy mixer shuttered by the Justice Department earlier this year.


“Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges,” wrote Elliptic. “This points to the involvement of a broker or other intermediary with a nexus in Russia.”

On the same day that FTX filed for bankruptcy last November, the exchange lost 9,500 Ethereum (ETH) to a still unknown hacker, who transferred their assets from one of FTX’s wallets to a new address. The hacker later claimed a host of other crypto assets totaling $477 million, including Pax Gold (PAXG), Tether (USDT), Wrapped Bitcoin (WBTC), and others.

While some funds were frozen in compliance with regulators, most were successfully swapped for other cryptocurrencies and bridged to other blockchains in the following days.

“This helps to break the blockchain trail, making it more difficult to trace funds, as well as providing access to services on blockchains that facilitate further laundering,” said Elliptic.


On November 20th, hackers transferred 65,000 ETH to Bitcoin using RenBridge, of which many were later sent to ChipMixer. RenBridge was ironically owned by Alameda Research, which shared a balance sheet with the hacked FTX exchange.

After a nine-month delay, another 72,500 ETH ($120 million) were transferred to Bitcoin using THORSwap, which has since suspended its interface to address money laundering concerns. With ChipMixer gone, much of those funds were instead mixed through Sinbad—a mixer Elliptic believes is a rebrand of Blender, which was sanctioned by the U.S. Treasury Department for aiding the North Korean Lazarus Group.

Despite the connection, Elliptic doesn’t believe Lazarus is behind the FTX hack due to the hacker’s relatively “unsophisticated” money laundering methods compared to the former.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.