By the evening of November 11 of last year, FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world’s top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company’s CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.
FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company’s cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.
“Holy shit,” one former FTX staffer, who asked not to be named because they weren’t authorized to speak about internal company matters, remembers thinking. “After all this, we’re being hacked?”
According to its own accounting, FTX would ultimately lose between $415 million and $432 million worth of its cryptocurrency holdings to those unidentified thieves, numbers it has publicly confirmed as part of its bankruptcy process. What FTX hasn’t previously revealed is how close it may have come to losing vastly more—how its staff and outside consultants raced to move more than $1 billion worth of crypto to more secure storage before it could be stolen by the malevolent presence on its network—even, at one point, scrambling to send close to half a billion dollars to a physical USB drive in one consultant’s office in an effort to keep it out of the thieves’ hands.
As theenters its second week, many in the cryptocurrency community are for any hint of how the exchange was so catastrophically looted, just hours after it left his control. The question of who carried out that theft—and whether the thieves were FTX insiders or external hackers—looms largest of all. That mystery remains unsolved, and neither Bankman-Fried nor other top FTX executives have been charged with that theft.
But now, WIRED can reveal the events of FTX’s panicky night working to limit the damage from that theft—and to prevent what might otherwise have been a 10-figure heist. The new FTX leadership under Ray, its new CEO, declined to be interviewed about the incident. But WIRED learned the hour-by-hour details of the crisis response from a detailed invoice submitted by the restructuring firm Alvarez & Marsall for its work on FTX’s bankruptcy case, interviews with individuals who participated in the immediate response to the theft, and blockchain analysis provided by the cryptocurrency tracing firm Elliptic.
That response started around 10 pm on the evening of November 11, when Zach Dexter, the chief executive of FTX subsidiary LedgerX, sent a Google Meet invite to a group of more than 20 of FTX’s remaining staff, bankruptcy lawyers, advisers, and consultants. The invitation’s one-word subject line: “urgent.”
A handful of staffers quickly joined that Google Meet video call, which would eventually grow to dozens of participants over the next 12 hours. They could all see FTX wallets being drained in real time on Etherscan. But almost no one on the call had any idea where exactly FTX stored its cryptocurrency or how it managed the secret keys that controlled those wallets. That knowledge was held only by a small group of FTX elite—Bankman-Fried and his inner circle. Bankman-Fried never appeared in the meeting, according to sources who were present, but Gary Wang, the FTX cofounder and CTO, did join the call.