On November 12, 2022, within hours of FTX filing for Chapter 11 bankruptcy in the United States, $477 million in crypto was drained from the exchange's wallets in a coordinated attack. The episode happened during the most chaotic 24 hours in modern crypto history; the DOJ later confirmed the cause was a SIM-swap attack and indicted three individuals connected to it.
What happened
FTX's collapse was the larger story — Sam Bankman-Fried's exchange had imploded over the preceding week as the gap between customer deposits and Alameda Research's positions became public. On the morning of November 11, 2022, FTX filed for bankruptcy. Within hours, wallets across multiple chains began bleeding in transactions that bore no resemblance to the bankruptcy estate's ongoing operations.
Elliptic, Chainalysis and on-chain investigators tracked roughly $663M in outflows in the immediate post-filing window. FTX's bankruptcy team identified roughly $186M of that as internal transfers to cold storage during the chaos. The remaining ~$477M was stolen.
The attacker's behaviour was textbook for funds-in-flight:
- Rapid swapping of stablecoins and other tokens to ETH and DAI on decentralised exchanges, to prevent token-issuer freezes.
- Cross-chain bridging to obscure trails.
- Sinbad and Tornado Cash routing for the final laundering legs.
The DOJ subsequently revealed the breach was a SIM-swap operation: the attackers had taken control of an FTX employee's phone number, used the SMS/MFA reset paths tied to that number to gain administrative access to FTX's internal wallet-signing systems, and used that access to approve unauthorised withdrawals before the bankruptcy estate had locked everything down. Three individuals were indicted in connection with the SIM-swapping ring.
Aftermath
- FTX's bankruptcy estate ultimately recovered a meaningful percentage of the stolen funds through forensic tracing and exchange-coordinated freezes — though the bulk of laundering paths terminated at Tornado Cash and could not be reversed.
- The bankruptcy itself proceeded for years, with creditors eventually receiving cash distributions at 100%+ of dollar-denominated claims (a consequence of crypto's price appreciation between filing and distribution, paid for in time).
- Sam Bankman-Fried was tried and convicted on separate fraud charges in 2023 and sentenced to 25 years in 2024.
Why it matters
The FTX hack is a study in how cleanly attackers can exploit operational chaos. SIM-swap as a vector had been documented for years; what made it devastating here was the timing — at the exact moment when normal change-control, anomaly-detection and incident-response systems at FTX were collapsing, the attacker walked in through a known crack and walked out with $477M.
The lesson generalises: the security of an exchange is not what its controls look like in steady state; it's what they look like during a worst-day-of-the-year incident. Cold-storage migration playbooks need to assume the operational environment is on fire when they execute. The post-FTX industry response — bankruptcy-mode wallet lockdown procedures, out-of-band authentication for emergency transfers, SIM-swap-resistant authentication paths for privileged operations — was driven directly by the November 2022 events.
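The access path described for this breach (a reset over a phone-number channel, followed by privileged wallet operations) maps onto a simple correlation rule for defenders. The following is an added example, not part of the original article or any FTX system; the event schema, action names and 72-hour hold are assumptions, and the log entries are constructed.

```python
from datetime import datetime, timedelta

WEAK_CHANNELS = {"sms", "voice"}                       # channels a SIM swap hands over
PRIVILEGED = {"withdrawal_approve", "signer_change"}   # hypothetical action names
RESETS = {"mfa_reset", "password_reset"}

def flag_privileged_after_weak_reset(events, hold=timedelta(hours=72)):
    """Return privileged actions performed within `hold` of a credential or MFA
    reset over a phone-number channel, with no out-of-band re-verification since."""
    tainted = {}    # user -> time of last unverified weak-channel reset
    findings = []
    # Sort first: log shippers rarely deliver events in sequence.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        user, kind = ev["user"], ev["type"]
        if kind in RESETS and ev.get("channel") in WEAK_CHANNELS:
            tainted[user] = ts
        elif kind == "oob_verify":
            # An out-of-band check (hardware key, in-person) clears the hold.
            tainted.pop(user, None)
        elif kind in PRIVILEGED and user in tainted:
            if ts - tainted[user] <= hold:
                findings.append((user, kind, ev["ts"], tainted[user].isoformat()))
            else:
                del tainted[user]   # hold expired without incident
    return findings

# Constructed sample log (hypothetical schema), deliberately out of order.
SAMPLE_EVENTS = [
    {"ts": "2030-01-05T02:14:00", "user": "ops-admin", "type": "withdrawal_approve"},
    {"ts": "2030-01-05T01:52:00", "user": "ops-admin", "type": "mfa_reset", "channel": "sms"},
    {"ts": "2030-01-05T03:00:00", "user": "treasury", "type": "mfa_reset", "channel": "hardware_key"},
    {"ts": "2030-01-05T03:05:00", "user": "treasury", "type": "withdrawal_approve"},
    {"ts": "2030-01-06T10:00:00", "user": "signer-2", "type": "password_reset", "channel": "sms"},
    {"ts": "2030-01-06T10:30:00", "user": "signer-2", "type": "oob_verify"},
    {"ts": "2030-01-06T11:00:00", "user": "signer-2", "type": "signer_change"},
]

if __name__ == "__main__":
    for user, action, when, reset_at in flag_privileged_after_weak_reset(SAMPLE_EVENTS):
        print(f"ALERT {user}: {action} at {when} follows weak-channel reset at {reset_at}")
```

Used as a blocking policy rather than an alert, the same rule refuses the privileged action until an out-of-band verification event is recorded for that account.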
Sources & on-chain evidence
- [01] cnbc.com: https://www.cnbc.com/2022/11/12/ftx-says-its-removing-trading-and-withdrawals-moving-digital-assets-to-a-cold-wallet-after-a-477-million-suspected-hack.html
- [02] elliptic.co: https://www.elliptic.co/blog/analysis/477-million-in-unauthorized-transfers-from-ftx
- [03] coindesk.com: https://www.coindesk.com/business/2022/11/12/ftx-crypto-wallets-see-mysterious-late-night-outflows-totalling-more-than-380m