The FTX attacker, who had previously been funneling their stolen Ethereum holdings through THORChain-based THORSwap, has altered their strategy. This adjustment comes in response to THORSwap’s decision to transition into maintenance mode, citing concerns about facilitating the movement of illicit funds.
On October 6, on-chain analyst Lookonchain revealed that the FTX exploiter had ceased using THORChain for transferring the stolen assets. Instead, they had turned to the Threshold network, marking a significant shift in their modus operandi. Lookonchain’s report showcased a screenshot indicating that the attacker had converted over 3,000 ETH into tBTC through the Threshold Network Chain.
tBTC: Bridging the Gap Between Ethereum and Bitcoin
tBTC, as described on its official website, serves as a decentralized bridge between the Ethereum and Bitcoin blockchains. It offers users a seamless way to convert their assets into an ERC-20 token pegged at a 1:1 ratio to BTC. What sets it apart is its reliance on a randomly selected group of node operators within the Threshold Network, effectively eliminating the need for centralized intermediaries. This approach enhances asset security and ensures a robust defense mechanism.
The attacker’s switch to the Threshold Network comes after BeInCrypto reported that they had moved approximately $10 million worth of Ethereum, marking the first substantial movement in nearly a year. Since then, the attacker has executed a series of swaps, totaling 75,636 ETH, equivalent to a staggering $124 million, all converted into Bitcoin. Nonetheless, the attacker’s wallet still holds 109,485 ETH, roughly valued at $180 million as of the present moment.
Suspicion Surrounds FTX Insider Involvement
It is worth noting that these fund movements align with the trial of ex-FTX founder Sam Bankman-Fried in New York. This synchronicity has raised suspicions within the crypto community that an insider at FTX may be linked to the breach, although concrete evidence remains elusive.
THORSwap, the preferred privacy tool of the FTX attacker, played a pivotal role in this unfolding drama. The platform recently announced its transition into maintenance mode, driven by its desire to distance itself from facilitating illicit fund movements. Consultations with advisors, legal counsel, and law enforcement agencies guided this decision, as THORSwap aims to swiftly curtail any further potential illicit activities. During this period, all coin-swapping features on THORSwap will be restricted, but users can still engage in borrowing and staking assets through the protocol.
As the FTX attacker continues their journey through the crypto landscape, the move to the Threshold Network demonstrates the adaptability of bad actors in the space. This ongoing saga highlights the importance of security and vigilance within the crypto community, all while raising questions about the involvement of insiders in the FTX breach.