FTX Attacker Shifts Tactics Amid THORSwap’s Transition to Maintenance Mode

Picture Source: BeInCrypto

In the ongoing saga surrounding the FTX attacker, recent developments have seen a shift in tactics as the individual behind the attack attempts to convert stolen Ethereum holdings into Bitcoin. This strategic move comes in response to THORSwap’s decision to transition into maintenance mode, signaling a new chapter in the ongoing battle to address the aftermath of the security breach.

FTX Attacker’s Changing Tactics:

As of October 6, on-chain analyst Lookonchain reported that the FTX attacker had altered their approach to moving the stolen funds, no longer utilizing THORChain-based THORSwap for this purpose. Instead, the attacker has turned to the Threshold network for swapping the ill-gotten Ethereum holdings.

The reported transaction revealed that the attacker swapped over 3,000 ETH for tBTC via the Threshold Network Chain. tBTC, as described on its official website, serves as a decentralized bridge connecting Bitcoin and Ethereum. It enables users to convert their assets into an ERC-20 token that is pegged to BTC at a 1:1 ratio.

This innovative bridge eliminates the need for centralized intermediaries by employing a randomly selected cohort of node operators within the Threshold Network, thereby enhancing the security of users’ assets.

FTX Attacker’s Activity and Remaining Holdings:

In the previous week, it was reported that the FTX attacker had moved approximately $10 million worth of Ethereum for the first time in nearly a year. Since then, the attacker has successfully swapped a total of 75,636 ETH, equivalent to $124 million, into Bitcoin. However, the attacker’s wallet still holds a substantial 109,485 ETH, valued at approximately $180 million at the time of writing.

Speculations Regarding Insider Involvement:

The timing of these fund movements coincides with the trial of ex-FTX founder Sam Bankman-Fried in New York. This has led to speculations within the cryptocurrency community that an insider connected to FTX may have been involved in the security breach.

THORSwap’s Transition to Maintenance Mode:

THORSwap, a previously preferred privacy tool of the FTX attacker, recently made the decision to transition into “maintenance mode.” This move, as explained in an October 6 announcement, was prompted by consultations with advisors, legal counsel, and law enforcement agencies, and aims to prevent the facilitation of the movement of illicit funds.

Read More: Bitcoin’s Price Rally Fueled by Positive US Labor Market Report and Institutional Interest

During this maintenance period, THORSwap has restricted all coin-swapping features on its platform, but users can still engage in borrowing and staking assets via the protocol.

Importantly, THORChain, the underlying network of THORSwap, clarified that THORSwap’s decision would not impact its operations. The THORChain network remains fully operational and capable of supporting various interfaces.


The ongoing developments surrounding the FTX attacker, THORSwap’s transition to maintenance mode, and the shifting tactics of the attacker highlight the dynamic nature of the cryptocurrency space and the continuous efforts to address security breaches and illicit activities. As the situation unfolds, vigilance within the crypto community and ongoing investigations will play crucial roles in determining the ultimate resolution of this complex issue.

Leave a Reply

Your email address will not be published. Required fields are marked *