FTX bankruptcy filing highlights security failures
Debtors claim that defunct cryptocurrency exchange FTX lacked any dedicated security personnel and failed to implement critical access controls for billions of dollars in assets.
A new report filed by debtors for defunct cryptocurrency exchange and hedge fund FTX Trading Ltd. highlighted numerous security failures at the company.
FTX quickly rose to prominence after its founding in 2019, gaining billions of dollars in cryptocurrency assets in the process. Despite this, the company filed for bankruptcy in November following a potential acquisition from Binance that fell apart a day after it was announced. Soon after, the exchange was accused of defrauding its customers and mishandling investor funds. FTX co-founder Sam Bankman-Fried was arrested and charged with fraud in December.
Debtors for FTX on Sunday filed a first interim report in bankruptcy court detailing various "control failures" involving the management of FTX's exchanges. A portion of the report dealt with cybersecurity failures, including those related to cryptocurrency storage, personnel, endpoint security and more. It also covered the November 2022 data breach that apparently occurred one day after the company declared bankruptcy.
An unknown threat actor used the breach to steal approximately $432 million through a series of unauthorized transactions, though it's still unclear how the breach occurred and who executed the transactions. FTX's debtors claim the $432 million loss was a direct result of FTX's "grossly deprioritized and ignored cybersecurity controls."
Notable security failures
According to the report, FTX employed no dedicated cybersecurity personnel and lacked many of the processes typically considered critical to safeguarding an organization.
"The FTX Group had no independent Chief Information Security Officer, no employee with appropriate training or experience tasked with fulfilling the responsibilities of such a role, and no established processes for assessing cyber risk, implementing security controls, or responding to cyber incidents in real time," the report read.
Security was allegedly run by FTX senior executives Gary Wang and Nishad Singh. However, the report said neither had the necessary training and both had "responsibilities for the speed, efficiency, and continuing development of the FTX Group's technology, which are business needs that generally run counter to those of security and thus are not appropriately managed by the same personnel."
The debtors claimed in the report that FTX lacked "even the most widely accepted controls relating to identity and access management," including a failure to implement both least privilege principles and multifactor authentication in critical corporate spaces such as its 1Password password manager.
"Over a dozen people had direct or indirect access to the FTX.com and FTX.US central omnibus wallets, which held billions of dollars in crypto assets, and dozens of other users were granted access to other types of FTX exchange and Alameda wallets," the report read. "Only a small number of these individuals needed access to these wallets to perform their duties."
The report claimed that FTX also lacked any significant endpoint protection, sufficient cloud and infrastructure controls, and properly patched software. In one case, the report mentioned critical internet traffic management software that was four years out of date, "leaving the server exposed to known vulnerabilities that had been addressed in updated versions of the software."
Perhaps the most alarming claims in the filing pertained to how FTX stored cryptocurrency funds. The debtors alleged that FTX stored the private keys for billions of dollars in cryptocurrency assets in its AWS cloud computing environment. While FTX stored the keys in AWS Secrets Manager, a service designed to safeguard sensitive data such as passwords and API keys, the filing said the service is inadequate for cryptocurrency key storage and that far too many FTX employees had access to it.
"Any of the many FTX Group employees who had access to AWS Secrets Manager or the password vault could access certain of the keys and unilaterally transfer the corresponding assets," the debtors claimed.
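The access problem described above can be checked for in any AWS account. The following is an added example, not taken from the report or from FTX's systems: a simplified offline audit that lists which principals' identity policies allow `secretsmanager:GetSecretValue`, and flags grants that cover every secret or lack an MFA condition. The principal names, account ID and policies are constructed, and the check reads only `Allow` statements (it ignores `Deny`, `NotAction`, permission boundaries and resource policies).

```python
import fnmatch

READ_ACTION = "secretsmanager:GetSecretValue"

# Constructed sample: principal name -> identity policy document (not from the filing).
POLICIES = {
    "dev-alice": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "dev-bob": {"Statement": [
        {"Effect": "Allow", "Action": ["secretsmanager:Get*", "s3:GetObject"],
         "Resource": "*"}]},
    "wallet-signer": {"Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:wallet/hot-*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    "support-carol": {"Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]},
}

def as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def requires_mfa(stmt):
    """True if the statement only applies to MFA-authenticated sessions."""
    cond = stmt.get("Condition", {}).get("Bool", {})
    values = as_list(cond.get("aws:MultiFactorAuthPresent", []))
    return any(str(v).lower() == "true" for v in values)

def audit(policies, action=READ_ACTION):
    """Return {principal: [issues]} for every principal allowed to read secrets."""
    findings = {}
    for principal, doc in policies.items():
        for stmt in as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or "Action" not in stmt:
                continue
            patterns = [a.lower() for a in as_list(stmt["Action"])]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue  # statement does not grant the secret-read action
            issues = findings.setdefault(principal, set())
            if "*" in as_list(stmt.get("Resource", [])):
                issues.add("wildcard-resource")   # can read every secret
            if not requires_mfa(stmt):
                issues.add("no-mfa-condition")    # usable without MFA
    return {p: sorted(i) for p, i in findings.items()}

if __name__ == "__main__":
    for principal, issues in audit(POLICIES).items():
        print(principal, issues or ["scoped, MFA required"])
```
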
In some cases, the debtors found that cryptocurrency keys weren't protected at all. The court filing claimed that the company stored the private keys and seeds to the cryptocurrency wallets of Alameda Research, FTX's hedge fund arm, in unencrypted files that numerous employees could access. In addition, other sensitive data such as passwords for wallet nodes and email account credentials were found in "widely accessible" source code repositories.
Moreover, many cryptocurrency assets were supposedly stored in "hot" cryptocurrency wallets, meaning assets were held in an internet-facing environment.
"First, the FTX Group kept virtually all crypto assets in hot wallets, which are far more susceptible to hacking, theft, misappropriation, and inadvertent loss than cold wallets because hot wallets are internet-connected," debtors said. "Prudently-operated crypto exchanges keep the vast majority of crypto assets in cold wallets, which are not connected to the internet, and maintain in hot wallets only the limited amount necessary for daily operation, trading, and anticipated customer withdrawals."
In addition, debtors said the company made false public statements multiple times, claiming that FTX used a conventional hot/cold wallet setup. "The FTX Group undoubtedly recognized how a prudent crypto exchange should operate," the report said, "because when asked by third parties to describe the extent to which it used cold storage, it lied."
A list of FTX debtors is available on the company's page on corporate restructuring firm Kroll's website. Legal representatives for the debtors did not respond to TechTarget Editorial's request for comment.
Alexander Culafi is a writer, journalist and podcaster based in Boston.