FTX & 3Commas API theft: on-chain traceability and Bittrex attack warning
October 24th, 2022

This article is jointly published by X-explore and WuBlockchain.

X-explore found that the attackers behind the FTX & 3Commas API theft also attacked the Binance US and Bittrex exchanges, stealing 1053 ETH and 301 ETH respectively. At the time of writing, the attack on Bittrex is still in progress and is suspected of using the NXT/BTC trading pair.

1. Background

To help users and market makers conduct high-frequency and quantitative trading, exchanges provide API interfaces for trading, asset queries and withdrawals. DEX platforms such as dYdX also provide API interfaces.

As a result, many trading-bot services on the market offer quantitative trading, grid trading and backtesting on historical data through these API interfaces; well-known platforms include 3Commas, Cryptohopper and Quadency. The same APIs are also used to implement tax calculation and to generate annual tax reports for users; well-known platforms include TokenTax and CoinTracker.

On October 21st, a Twitter user claimed that his FTX account had been compromised on October 19 and that he lost $1.6 million through the API interface on the DMG/USD trading pair.

On October 24th, FTX founder SBF tweeted that FTX would provide about $6 million in compensation to account holders affected by the phishing incident, and posted three attacker addresses:

a) 0x6D3e6Ba1b510287141b27F763A86E04c72a001D1
b) 0xaB8bd0D4Eda57cd9EE5A058e498A791dF13dFA65
c) 0x87c828593984381E50D55F755B8462e074047Cf7

X-explore conducted an in-depth on-chain analysis.

2. On-chain traceability analysis

The attacker used multiple addresses and interacted with multiple exchanges, which we describe one by one:

According to SBF's tweet, the attacker gained $6 million. In fact, the 3 addresses provided by SBF hold a total of about 2000 ETH. Through on-chain mining, we identified 2 additional related attacker addresses that withdrew ETH from FTX.

0x6D3e6Ba1b510287141b27F763A86E04c72a001D1 (890 ETH)
0xaB8bd0D4Eda57cd9EE5A058e498A791dF13dFA65 (824 ETH)
0x87c828593984381E50D55F755B8462e074047Cf7 (1112 ETH)
0xeEc49F195096389E725ade6aAb49Db779EF3b881 (972 ETH)
0xcA92077aCD49b523045754C1fE3Ccc1D7710b119 (170 ETH)

The attacker used many addresses to move the ETH. We provide some of them.



The attacker deposited ETH to centralized exchanges (CEXs); the CEX deposit addresses are listed below. All deposits to FTX are small amounts of ETH, used as the starting capital for the attack. The deposits to Binance and FixedFloat are the attacker's way of laundering the proceeds through CEXs.

0x133824f213778Ac5193a2bC8b2e987E9dDd739B1 (FTX Deposit 19.9 ETH)
0xcE7aB58A1CDBA37c17E7d8C4569ec6803b8126eF (FTX Deposit 20.09 ETH)
0xC3Bb6dA4182175f9316f3a705D22Ee382Fb825bB (FTX Deposit 66.41 ETH)
0x2B390759EE8b5222AE59BBAa92d2c904ec09FdB2 (FTX Deposit 20 ETH)
0x0Ee325A15FC9257166089335C98d344E8dBfa5fc (BINANCE Deposit 500 ETH)
0x6108c4D519CEAF61022DC57512Df5c9D1059bB44 (FixedFloat Deposit 45 ETH)
0x44a4718064E383ad30b56349fC5F1845C721D056 (FixedFloat Deposit 45 ETH)
(plus 40+ other FixedFloat deposit addresses receiving 45 ETH each)
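The address list above is the output of the kind of flow-of-funds tracing described in this section: start from the known attacker addresses, follow ETH outward through intermediary addresses, and stop at labelled exchange deposit addresses, then separate the small FTX top-ups (starting capital) from the large deposits to Binance and FixedFloat (cash-out). The following Python is an added example written for this article, not X-explore's tooling; the addresses and transfers are constructed placeholders, and the Binance/FixedFloat labels are assumed lookup data rather than anything fetched from a real label database.

```python
from collections import defaultdict, deque

# Constructed sample transfers (from, to, ETH). Addresses are placeholders,
# not the real attacker or exchange addresses from the report.
TRANSFERS = [
    ("0xFTX_HOT", "0xATTACKER_A", 890.0),        # withdrawal from the exchange
    ("0xFTX_HOT", "0xATTACKER_B", 824.0),
    ("0xATTACKER_A", "0xHOP_1", 500.0),          # one hop, then a Binance deposit
    ("0xHOP_1", "0xBINANCE_DEP", 500.0),
    ("0xATTACKER_A", "0xHOP_2", 90.0),           # split into equal FixedFloat deposits
    ("0xHOP_2", "0xFIXEDFLOAT_DEP_1", 45.0),
    ("0xHOP_2", "0xFIXEDFLOAT_DEP_2", 45.0),
    ("0xATTACKER_B", "0xFTX_DEP_1", 20.0),       # small top-up back into FTX
    ("0xATTACKER_B", "0xHOP_3", 300.0),          # two hops before cashing out
    ("0xHOP_3", "0xHOP_4", 300.0),
    ("0xHOP_4", "0xBINANCE_DEP_2", 300.0),
    ("0xUNRELATED", "0xBINANCE_DEP", 10.0),      # noise: not reachable from the seeds
]

# Assumed exchange deposit-address labels (constructed for this example).
LABELS = {
    "0xFTX_DEP_1": "FTX",
    "0xBINANCE_DEP": "Binance",
    "0xBINANCE_DEP_2": "Binance",
    "0xFIXEDFLOAT_DEP_1": "FixedFloat",
    "0xFIXEDFLOAT_DEP_2": "FixedFloat",
}

SEEDS = ["0xATTACKER_A", "0xATTACKER_B"]


def build_graph(transfers):
    """Adjacency list: sender -> [(recipient, amount), ...]."""
    graph = defaultdict(list)
    for src, dst, amount in transfers:
        graph[src].append((dst, amount))
    return graph


def trace(transfers, seeds, labels, max_hops=4):
    """Breadth-first walk outward from the seed addresses.

    Returns one (exchange, deposit_address, amount, hops) tuple per transfer
    that lands on a labelled exchange deposit address. Deposit addresses are
    treated as sinks: once funds enter the exchange they leave the chain.
    """
    graph = build_graph(transfers)
    seen = set(seeds)
    queue = deque((s, 0) for s in seeds)
    deposits = []
    while queue:
        addr, hops = queue.popleft()
        if hops == max_hops:
            continue
        for dst, amount in graph.get(addr, []):
            if dst in labels:
                deposits.append((labels[dst], dst, amount, hops + 1))
                continue
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, hops + 1))
    return deposits


def classify(deposits, seed_capital_threshold=100.0):
    """Split deposits into suspected starting capital (small FTX deposits)
    and cash-out deposits (everything else), plus a per-exchange total."""
    per_exchange = defaultdict(float)
    for exchange, _, amount, _ in deposits:
        per_exchange[exchange] += amount
    seed_capital = [d for d in deposits
                    if d[0] == "FTX" and d[2] <= seed_capital_threshold]
    cash_out = [d for d in deposits if d not in seed_capital]
    return dict(per_exchange), seed_capital, cash_out


if __name__ == "__main__":
    found = trace(TRANSFERS, SEEDS, LABELS)
    totals, capital, laundering = classify(found)
    print("per-exchange totals:", totals)
    print("starting capital:", capital)
    for exchange, addr, amount, hops in laundering:
        print(f"cash-out {amount:>6} ETH -> {exchange} ({addr}) after {hops} hop(s)")
```

The hop count is kept on every deposit so that an analyst can see which exchanges received funds directly and which only after several intermediary addresses, the pattern described for the Binance US case below. On real data the transfer list would come from a node or indexer and the label map from an exchange-address database; the traversal itself does not change.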

2.2 Other CEX attack analysis

2.2.1 Binance US

Starting from the second address published on Twitter, we found an API theft attack against Binance US. The attack occurred between October 13th and October 17th, and a total of 1053 ETH was stolen; the associated attacker address is 0xaeECB7860Eb6D7929Be5Bb34Ce94F21Befc6ead3. Following the flow of funds, most of the stolen ETH was consolidated into various exchanges after one or more transfer hops.

Furthermore, the attackers are suspected of having used the SYS/USD trading pair to move assets between accounts: it generated a large number of trades in a short period of time, and all of the attacker's on-chain withdrawals occurred shortly after the trading ended.

2.2.2 Bittrex

Starting from the first address (0x6D3e6Ba1b510287141b27F763A86E04c72a001D1) published on Twitter, we found an API theft attack against Bittrex. The attack occurred between October 23 and October 24, and a total of 301 ETH was stolen. The associated attacker addresses are as follows.


In the spot trading volume ranking currently displayed on Bittrex, the NXT token ranks second. This token is listed only on Bittrex and Poloniex and had almost no trading volume before October 23. It is very likely that the attacker used the NXT/BTC trading pair for the attack.

3. X-explore Comment

This incident reveals a new method of theft, in which attackers transfer assets between different accounts by controlling trades. It should prompt exchanges to reflect on several points.

  1. Basic security: from a security perspective, the least trustworthy component is human nature. Exchanges therefore need to design more secure product logic so that users are not harmed by phishing attacks, without degrading the user experience.

  2. Spot token security: to give users more trading options, the top exchanges have listed a large number of tokens. Once market interest in some tokens faded, their trading volume dropped sharply, but the exchanges did not delist them. According to CoinMarketCap data, the Gate.io and MEXC exchanges each support 1000+ spot trading pairs.

  3. Transaction security: on FTX's DMG/USD trading volume chart, the trading volume increased a thousandfold while the attack was under way, and the price swung by a factor of 2-3, which is a clearly abnormal trading event.
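Point 3 above, together with the observation in section 2.2.1 that the attacker's withdrawals all followed shortly after the burst of trades, describes a signal an exchange's surveillance system can act on: a thin pair whose per-minute volume jumps by orders of magnitude against its own recent baseline, with the price moving by a multiple rather than a few percent, followed by withdrawals within minutes. The following Python is an added example written for this article, not code from X-explore or any exchange; the candle series is constructed (60 quiet minutes, a 5-minute burst, then quiet again), and the thresholds are assumptions chosen to be far below the 1000x volume and 2-3x price moves reported here.

```python
import random
from statistics import median


def make_sample_candles(seed=7):
    """Constructed 1-minute candles for a thin pair: 60 quiet minutes,
    a 5-minute burst of heavy volume with a 2-3x price swing, then 10 quiet minutes."""
    rng = random.Random(seed)
    candles = []

    def quiet():
        return {"volume": rng.uniform(1.0, 3.0),
                "close": 0.050 + rng.uniform(-0.001, 0.001)}

    candles.extend(quiet() for _ in range(60))
    burst = [(2400.0, 0.09), (3100.0, 0.13), (2800.0, 0.12), (2600.0, 0.06), (2200.0, 0.05)]
    candles.extend({"volume": v, "close": p} for v, p in burst)
    candles.extend(quiet() for _ in range(10))
    return candles


def detect_abnormal_trading(candles, window=30, volume_mult=100.0, price_mult=1.5):
    """Flag minutes whose volume is at least volume_mult x the trailing median
    volume AND whose close is at least price_mult x above (or 1/price_mult below)
    the trailing median close. Medians are used so the burst itself does not
    inflate the baseline while it is still inside the window."""
    flags = []
    for i in range(window, len(candles)):
        history = candles[i - window:i]
        base_volume = median(h["volume"] for h in history)
        base_close = median(h["close"] for h in history)
        current = candles[i]
        volume_ratio = current["volume"] / base_volume
        price_ratio = current["close"] / base_close
        if volume_ratio >= volume_mult and (price_ratio >= price_mult
                                             or price_ratio <= 1 / price_mult):
            flags.append({"index": i,
                          "volume_ratio": round(volume_ratio, 1),
                          "price_ratio": round(price_ratio, 2)})
    return flags


def flag_prompt_withdrawals(flags, withdrawal_minutes, max_gap=10):
    """Return withdrawal times (minute indices) that fall within max_gap minutes
    after the last flagged trading minute, the timing pattern seen in the
    Binance US case."""
    if not flags:
        return []
    last_flagged = flags[-1]["index"]
    return [m for m in withdrawal_minutes if last_flagged < m <= last_flagged + max_gap]


if __name__ == "__main__":
    series = make_sample_candles()
    hits = detect_abnormal_trading(series)
    for h in hits:
        print(f"minute {h['index']}: volume x{h['volume_ratio']}, price x{h['price_ratio']}")
    # Constructed withdrawal times: one 6 minutes after the burst, one much later.
    print("withdrawals worth holding for review:", flag_prompt_withdrawals(hits, [68, 200]))
```

Only the three burst minutes in which the price is still 2x or more above baseline are flagged; the two tail minutes where the price has already fallen back are not, which is the intended behaviour since the alert is meant to fire while the wash-style trading is in progress. A withdrawal-hold check keyed to the last alert, as in the final function, gives an exchange a window to review the account before the funds leave.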

For more info, please subscribe:
Mirror: https://mirror.xyz/x-explore.eth
Twitter: https://twitter.com/x_explore_eth
