Blockchain analysis of the cryptocurrency may provide the answer.

Anyone attempting to steal cryptocurrency has always faced an unusual mixture of incentives and hurdles.

It's an attractive target because it is digital currency housed in multibillion-dollar quantities on hackable, internet-connected networks.

The blockchains on which the vast majority of cryptocurrencies are based, however, make it easy to track the whereabouts of stolen funds and, in many cases, to identify the perpetrators.

Crypto tracers across the globe are keeping a close eye on the whereabouts of roughly $500 million that was stolen from the failing FTX cryptocurrency exchange yesterday in the hopes of uncovering the identity of the perpetrator, whether that is an insider at FTX or an opportunistic hacker.

On Friday, only hours after the large cryptocurrency exchange FTX declared bankruptcy in the aftermath of its dramatic, 10-figure collapse, FTX's remaining reserves were drained of more than $663 million in bitcoin, most of which looks to have been stolen.

"FTX has been hacked," an administrator posted on the FTX Telegram channel.

"FTX applications are malicious.

Remove them."

It's unclear how FTX was robbed or whether its applications were affected, and the company hasn't formally reported any theft.

However, in a tweet, the company's US general counsel said that "unauthorized access to some assets has happened."

As it turned out, the $663 million outflow seemed to be the result of both FTX moving funds into its own storage wallets and a theft of unknown origin, as reported shortly afterwards by the crypto-tracing and blockchain research firm Elliptic.

According to Elliptic, $477 million of the assets in total appear to have been taken, whereas TRM Labs, another cryptocurrency-tracing firm, estimates the figure at $338 million.

Twenty-four hours after the apparent heist, the vast majority of the money had been transferred to a handful of cryptocurrency addresses, which the entire crypto-tracing industry, a vast community of amateur crypto sleuths, and no doubt law enforcement agencies around the world are now all watching closely.

That observability, for the FTX funds and other stolen crypto stashes, presents a significant obstacle for any crook attempting to cash out their hoard into conventional currency.

It might indicate that insiders were responsible for the crime, or it could demonstrate that external hackers took advantage of the instability at FTX to carry off a burglary, in a situation where regulators and an army of angry creditors are looking for any hint that FTX's staff or owners may actually be the perpetrators.

"We're absolutely keeping an eye on this money," says Chris Janczewski, TRM Labs' head of investigations and a former special agent with the IRS's criminal investigations section.

"This would-be robber has hundreds of millions of dollars.

But it's as if somebody walked into a bank, stole all the money they could carry, and then the dye packets exploded.

They have all this money, but everyone knows it's linked to the bank heist.

What exactly can you do with it?"

According to Elliptic's analysis, at least $220 million in stolen funds, held in the form of several cryptocurrencies, was immediately converted into the cryptocurrencies ether and dai through decentralized exchanges (trading platforms that let users transfer coins without providing identifying information).

However, cashing out those coins and the remainder of the stolen funds would almost certainly require trading them on a centralized exchange, which almost always requires users to provide identifying information.

The criminals may attempt to launder the money by mingling it with coins from other users via a "mixing" service.

However, blockchain analysts who trace cryptocurrency have shown that they can often defeat such mixers, especially when users pour very large sums into them.

And certain mixers, such as the Tornado Cash service sanctioned by the US Treasury in August, leave cryptocurrencies that pass through them unusable on many exchanges or subject to confiscation.

Elliptic co-founder and principal scientist Tom Robinson subsequently updated Elliptic's findings to note that the Securities Commission of the Bahamas, where FTX is domiciled, now claims to have confiscated some of the FTX funds, which might explain the money's transit once again:

Perhaps someone on FTX's staff transferred the funds into a government account at the request of the Bahamian authorities.

However, Robinson points out that this scarcely explains the flow of millions of dollars via decentralized exchanges, which is not typical of a government regulator dealing with confiscated monies.

"It's possible that one or more accounts are under the jurisdiction of Bahamas authorities, while others aren't," Robinson adds.

Michelle Lai, a cryptocurrency privacy advocate, investor, and consultant who says she has been watching the movements of the FTX assets with "sick curiosity," says that if FTX was emptied out by actual thieves or insider embezzlers, they would find it difficult to get away with their proceeds in a spendable form without being identified.

The key issue, according to Lai, is whether identifying those thieves would provide any recourse:

After all, many of the most prolific cryptocurrency criminals are Russians or North Koreans working in non-extradition nations, where Western law enforcement is unable to intervene.

"It's not a matter of if they'll figure out who did it.

"The question is whether it will be actionable," Lai adds.

"Whether they're onshore or offshore."

Meanwhile, Lai and many other cryptocurrency observers have been keeping a careful eye on one Ethereum address on the blockchain-tracking site Etherscan, which is now holding roughly $192 million in funds.

The account has been transferring modest amounts of Ethereum-based tokens, some of which seem to be worthless, to a number of exchange accounts, as well as to Ethereum founder Vitalik Buterin and to Ukrainian cryptocurrency fundraising accounts.

However, Lai believes that these activities are likely intended to confuse law enforcement or other observers before any actual effort to launder or cash out the money.

And, according to Elliptic's Tom Robinson, those transactions seem to be the work of a hoaxer who produced their own bogus cryptocurrency tokens to influence Etherscan, rather than genuine payments made by the holder of FTX's misdirected money.

Tobias Silver, creator of crypto service Just.Money, made a key observation on Twitter: it seems that one of the criminals' transactions was financed by transaction fees from an account on the Kraken cryptocurrency exchange, which is likely obligated to hold identifying information for that account under "know-your-customer" legislation.

"We know the identity of the user," Kraken's chief security officer, Nicholas Percoco, subsequently tweeted.

When Percoco was asked for comment, a Kraken spokeswoman said, "We have carefully observed recent events with the FTX estate, are in communication with law authorities, and have blocked Kraken account access to some monies we think are tied to 'fraud, carelessness or misconduct' relating to FTX (as set out in our Terms of Service)."

The theft or seizure of FTX's assets, whether $338 million or $477 million, is not unique in the realm of cryptocurrency crime.

North Korean criminals stole $540 million in the late-March breach of the Ronin bridge, a gaming cryptocurrency exchange.

In addition, bitcoin tracking led to the arrest earlier this year of a New York couple suspected of laundering $4.5 billion in cryptocurrencies.

However, in the instance of the high-profile FTX robbery and the exchange's general demise, tracking the misdirected cash might help lay to rest—or confirm—swirling suspicions that someone inside FTX was responsible for the theft.

Sam Bankman-Fried, the company's Bahamas-based CEO who resigned Friday, lost almost his entire $16 billion fortune in the collapse.

According to an unsubstantiated CoinTelegraph source, he and two other FTX officials are "under surveillance" in the Bahamas and are not permitted to leave the country.

Reuters also reported late last week that Bankman-Fried had a "back door" constructed into FTX's compliance system that allowed him to take monies without informing others at the business.

Despite those suspicions, TRM Labs' Janczewski believes that the pandemonium of FTX's breakdown created a chance for hackers to exploit panicked employees and deceive them into, say, clicking on a phishing email.

As Michelle Lai points out, bankrupted insider personnel may have worked with hackers to retrieve part of their own lost assets.

As speculation mounts over whether, or to what extent, FTX's own management is to blame for the missing assets, the story has started to mirror a much older one: the loss of a half billion dollars' worth of bitcoins from Mt. Gox, the original cryptocurrency exchange, discovered in 2014.

In that instance, blockchain research performed by cryptocurrency tracking startup Chainalysis, in collaboration with law enforcement, assisted in pinning the theft on external hackers rather than Mt. Gox's own employees.

In the end, a Russian citizen named Alexander Vinnik was arrested in Greece in 2017 and eventually convicted of laundering the stolen Mt. Gox assets, exonerating Mt. Gox's troubled leaders.

It is unclear if history will repeat itself and bitcoin tracking will reveal the innocence of FTX's workers.

But, with more eyes than ever scouring the blockchains of the cryptocurrency economy, it's a safer bet that the mystery behind the FTX heist will be solved sooner or later.