As the criminal trial of FTX founder Sam Bankman-Fried unfolds in a Manhattan courtroom, some observers in the cryptocurrency world have been watching a different FTX-related crime in progress: The still-unidentified thieves who stole more than $400 million out of FTX on the same day that the exchange declared bankruptcy have, after nine months of silence, been busy moving those funds across blockchains in an apparent attempt to cash out their loot while covering their tracks. Blockchain watchers still hope that money trail might help to identify the perpetrator of the heist—and according to one crypto-tracing firm, some clues now suggest that those thieves may have ties to Russia.

Today, cryptocurrency tracing firm Elliptic released a new report on the complex path those stolen funds have taken over the 11 months since they were pulled out of FTX on November 11 of last year. Elliptic's tracing shows how that nine-figure sum, which FTX puts at between $415 million and $432 million, has since moved through a long list of crypto services as the thieves attempt to prepare it for laundering and liquidation, and even through one service owned by FTX itself. But those hundreds of millions also sat idle for all of 2023—only to begin to move again this month, in some cases as Bankman-Fried himself sat in court. 

Most tellingly, Elliptic's analysis is the first to note that whoever is laundering the stolen FTX funds appears to have ties to Russian cybercrime. One $8 million tranche of the money ended up in a pool of funds that also includes cryptocurrency from Russia-linked ransomware hackers and dark web markets. That commingling of funds suggests that, whether or not the actual thieves are Russian, the money launderers who received the stolen FTX's funds are likely Russian, or work with Russian cybercriminals. 

“It’s looking increasingly likely that the perpetrator has links to Russia,” says Elliptic's chief scientist and cofounder Tom Robison. “We can’t attribute this to a Russian actor, but it’s an indication it might be.”

From the first days of its money laundering process following the theft, Elliptic says the FTX thieves have largely taken steps typical for the perpetrators of large-scale crypto heists as the culprits sought to secure the funds, swap them for more easily laundered coins, and then funnel them through cryptocurrency "mixing" services to achieve that laundering. The majority of the stolen funds, Elliptic says, were stablecoins that, unlike other forms of cryptocurrency, can be frozen by their issuer in the case of theft. In fact, the stablecoin issuer Tether moved quickly to freeze $31 million of the stolen money in response to the FTX heist. So the thieves immediately began exchanging the rest of those stablecoins for other crypto tokens on decentralized exchanges like Uniswap and PancakeSwap—which don't have the know-your-customer requirements that centralized exchanges do, in part because they don't allow exchanges for fiat currency.

In the days that followed, Elliptic says, the thieves began a multi-step process to convert the tokens they'd traded the stablecoins for into cryptocurrencies that would be easier to launder. They used “cross-chain bridge” services that allow cryptocurrencies to be exchanged from one blockchain to another, trading their tokens on the bridges Multichain and Wormhole to convert them to Ethereum. By the third day after the theft, the thieves held a single Ethereum account worth $306 million, down about $100 million from their initial total due to the Tether seizure and the cost of their trades.

From there, the thieves appear to have focused on exchanging their Ethereum for Bitcoin, which is often easier to feed into "mixing" services that offer to blend a user's bitcoins with those of other users to prevent blockchain-based tracing. On November 20, nine days after the theft, they traded about a quarter of their Ethereum holdings for Bitcoin on a bridge service called RenBridge—a service that was, ironically, itself owned by FTX. “Yes, it is quite amazing, really, that the proceeds of a hack were basically being laundered through a service owned by the victim of the hack,” says Elliptic's Robison.

On December 12, a month after the theft, most of the bitcoins from that RenBridge trade were then fed into a mixing service called ChipMixer. Like most mixing services, the now-defunct ChipMixer offered to take in user funds and return the same amount, minus a commission, from other sources, in theory muddling the money's trail on the blockchain. But Elliptic says it was nonetheless able to trace $8 million worth of the money to a pool of funds that also included the proceeds from Russia-linked ransomware and dark web markets, which was then sent to various exchanges to be cashed out. 

 “There might have been a handoff from a thief to a launderer,” says Robison. “But even if that was the case, it would mean the thief was in contact with someone who is part of a Russian money laundering operation.” Robison adds that Elliptic has other intelligence pointing to the money launderers' Russian ties, but doesn't yet have permission from the source to make it public.

After their initial attempt to launder a portion of the funds through ChipMixer, the thieves went strangely quiet. The rest of their Ethereum would remain dormant for the next nine months.

Only on September 30, just days ahead of Bankman-Fried's trial, did the remainder of the funds begin to move again, Elliptic says. By that time, both RenBridge and ChipMixer had been shut down—RenBridge due to its parent company FTX's collapse and ChipMixer due to a law enforcement seizure. So the thieves pivoted to trading their Ethereum for Bitcoin on a service called THORSwap and then routing those bitcoins into a mixing service called Sinbad.

Sinbad has over the past year become a popular destination for criminal cryptocurrency, particularly crypto stolen by North Korean hackers. But Elliptic's Robison notes that despite this, the movement of funds appears less sophisticated than what he's seen in the typical North Korean heist. “It doesn't use some of the services that Lazarus typically use,” Robison says, referring to the broad group of North Korean state-sponsored hackers known as Lazarus. “So it doesn't look like them.” Robison notes that Sinbad is likely a rebranding of a mixing service called Blender that was hit with US sanctions last year, in part for helping to launder funds from Russian ransomware groups. Sinbad also offers customer support in English and Russian.

Does the timing of those new movements of funds ahead of—and even during—Bankman-Fried's trial suggest someone with insider knowledge is involved? Elliptic's Robison notes that, while the timing is conspicuous, he can only speculate at this point. It's possible that the timing has been purely coincidental, Robison says. Or someone might be moving the money now to make it look like an FTX insider—potentially one who fears they might be about to lose their internet access. Neither Bankman-Fried nor his fellow executives have been charged with the theft, and some of the money movements have taken place while Bankman-Fried has been in court, with only a laptop disconnected from the internet.

Eventually, no doubt, the thieves will attempt to cash out more of their stolen and laundered cryptocurrency for some sort of fiat currency. Robison is still hopeful that, despite their use of mixers, they can be further identified at that point. “I think they probably will be successful in cashing out at least some of these funds. I think whether they're going to get away with it is a separate question,” says Robison. “There's already a blockchain trail to be followed, and I think that trail will only become clearer with time.”

Two other cryptocurrency tracing firms, TRM Labs and Chainalysis, have both been hired by FTX's new regime under CEO John Ray III to aid in the investigation. TRM Labs declined to comment on the case. Chainalysis didn’t respond to WIRED’s request for comment, nor did FTX itself.

As those cryptocurrency tracers continue to follow the money, we may someday have a clearer answer to the mystery of the FTX heist. In the meantime, however, FTX's many aggrieved creditors will be left to keep one eye on Bankman-Fried's trial and the other on the Bitcoin blockchain.

Updated at 8:45 am ET, October 12, 2023, to add that Elliptic researchers found links to Russian cybercriminals.