New bankruptcy report shows FTX sucked on cyber security
FTX, the one once loved crypto exchange that went down in a ball of financially damaging flames last November doesn’t seem to have cared much about protecting its customers’ digital assets.
Actually the company’s latest bankruptcy report reveals that, in addition to managing its finances like a cross between a Jim-Beam-spouting monkey and a debauched Roman emperor, disgraced crypto exchange FTX apparently also had some of the worst cybersecurity practices imaginable.
Yep, this company was just asking to be hacked. And of course it did.
Last November, less than 24 hours after the company declared Chapter 11 bankruptcy and not long after its former leader, Sam Bankman-Fried (or SBF) stepped down as CEO, the company suffered a massive digital robbery where a still-unidentified fiend escaped with $432 million in assets, a wad of digital cash that remains unaccounted for—just as much more of FTX customers’ money.
G/O Media may receive a commission
Save $400
2021 14″ 1TB MacBook Pro
MacBook Pro is the way to go
Up to 10-core CPU delivers up to 3.7x faster performance to fly through professional workflows faster than ever. Up to 32-core GPU with up to 13x faster performance for graphics-intensive apps and games
At the time, the hacking incident seemed like just more bad news on top of an already epic shit sundae, but now we have a little more context for the episode. In fact, Monday’s report, which thoroughly examines the company’s total failure to implement even the most basic digital protections, is a comic masterpiece that will make you wonder how the company wasn’t hacked sooner.
“FTX Group failed to implement basic, widely accepted security controls to protect crypto assets. Each failure was serious in the context of a business entrusted with customer transactions,” the report said. Here are some of the tips about those failures.
FTX did not have security personnel
Despite being a company tasked with protecting tens of billions of dollars in crypto assets, FTX had no dedicated cybersecurity staff. No. In fact, the company never bothered to hire one CISO (a chief information security officer) to manage the company’s risk for them, and they didn’t even have part-time contractors. Instead, they relied on the company’s two other software developers who, the report notes, had no formal training in the security arena and whose jobs put them at odds with prioritizing security. Admittedly, many tech companies are suffering lack of staffing when it comes to cybersecurity, but that’s really only excusable if you’re a unicorn or a startup and don’t have the manpower or capital to hire competent people. In the days before the implosion, FTX was reported to be worth as much as $32 billion. Suffice it to say, I think they could have hired a guy.
FTX mostly never used cold storage
Another really stupid thing that FTX did was to fail to keep users’ crypto assets in cold storage – a standard security practice that most crypto exchanges claim to follow.
In general, cryptoassets can be stored in two separate ways: “hot wallets“, which are software-based accounts connected to the Internet; and “cold storage“, which is an offline, hardware-based form of storage. Cold storage is considered safe, while “hot wallets” are more risky, because they can (and often do) because they are connected to the network. get hacked.
Conventional wisdom suggests that companies keep as much crypto in hot wallets as necessary to keep their accounts afloat, while the rest of the crypto should be kept in cold storage. However, FTX did not; instead, the report says it kept “almost all” of its customers’ assets in hot wallets.
Didn’t FTX know cold storage was safer or something? No, worse than being too stupid to implement proper controls, the exchange’s management doesn’t seem to have given much of a shit.
“The FTX Group undoubtedly recognized how a proper crypto exchange should operate, because when asked by third parties to describe the extent to which they used cold storage, it lied,” the report said, listing a number of examples where FTX executives— including SBF – claimed they kept users’ assets in cold storage. In one case, the company told investors that, in line with industry best practices, it kept a small amount of crypto in hot wallets, while the rest was “stored offline in encrypted laptops, which are geographically distributed.” But this, according to the report, was just nonsense.
Instead, as the report notes, the FTX group “made little use of cold storage” except in Japan, “where [it was] required by law to use it.
Private keys were left unencrypted
Another completely idiotic thing the FTX peeps did is keep their clients’ sensitive cryptographic keys and seed phrases stored in plaintext documents that were apparently accessible to staff.
In crypto, the key or seed phrase is the password that gets you into a user’s individual wallet. Suffice it to say that industry standards force crypto exchanges to keep this information encrypted and thus safe from prying eyes. Not so, with FTX – which apparently held keys that could open tens of millions of dollars worth of wallets unencrypted, in clear text, just sitting in AWS.
According to the report, this was part of a generally disorganized approach to security, where “private keys and seed phrases used by FTX.com, FTX.US and Alameda were stored in various locations within the FTX Group’s computing environment in a disorganized manner, using a series of unsafe methods and without any uniform or documented procedure.”
The FTX gang didn’t really Use MFA
SBF and his merry gang of hipsters will apparently also “failed to effectively enforce the use of multi-factor authentication – a very basic form of online security that pretty much everyone who works in an office knows about. The newly released report states that the crypto exchange’s management “failed to implement appropriately even the most widely accepted controls related to Identity and Access Management (“IAM”). This included a failure to use MFA as well as single-sign on- services – also considered to be an industry specific practice.
And much, much more!
Suffice it to say, there are plenty of other hilarious gems of security negligence that FTX seems to have committed, so I’d suggest reading full report if you want your jaw to drop to the floor.