FTX, the once beloved crypto exchange that went down in a ball of financial flames last November, appears to have spent very little effort protecting its customers’ vast reserves of digital assets. The company’s latest bankruptcy report reveals that, in addition to managing its finances like a Jim-Beam-swigging monkey, the disgraced crypto exchange also had some of the worst cybersecurity practices imaginable.
Of course, we’ve known that FTX sucked at cyber since at least last November when, less than 24 hours after the company declared Chapter 11 bankruptcy and its former CEO, Sam Bankman-Fried, aka SBF, stepped down, the company suffered a massive digital robbery. The robber, whoever they were, made off with $432 million in assets, a bundle of digital cash that is still unaccounted for—just like a whole lot more of FTX customers’ money.
At the time, the hacking incident seemed like just more bad news on top of an already epic shit sundae, but now we have a little more context for the episode.
Despite being a company tasked with protecting tens of billions of dollars in crypto assets, FTX had no dedicated cybersecurity staff. The company never bothered to hire a CISO (a chief information security officer) to manage its risks. Instead, it relied on two of the company’s software developers who had no formal training in security and whose day jobs put them at odds with prioritizing it.
Another really dumb thing that FTX did was fail to keep its users’ crypto assets in cold storage—a standard security practice that most crypto exchanges claim to abide by.
In general, crypto assets can be stored in two separate ways: “hot wallets,” which are software-based accounts connected to the internet; and “cold storage,” which is an offline, hardware-based form of storage. Cold storage is considered secure, while “hot wallets” are riskier, because—being linked to the web—they can (and often do) get hacked.
Common wisdom suggests that companies keep just as much crypto in hot wallets as necessary to keep accounts liquid, while the rest of the crypto should be kept in cold storage. However, FTX didn’t do that; instead, the report says it kept “virtually all” of its customers’ assets in hot wallets.
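To make the “just as much in hot wallets as necessary” rule concrete, here is an added example of the kind of float policy check an exchange’s treasury tooling might run. It is not FTX’s code or any real exchange’s code; the look-back window, safety multiplier, 5% hard ceiling and the withdrawal figures are all constructed assumptions.

```python
"""Hot-wallet float policy check (added example; not FTX's or any exchange's code).

Assumed policy (constructed): the hot float is sized from the peak net-withdrawal
day in a recent window plus a safety margin, and a hard ceiling caps the share
of customer assets that may ever sit in hot wallets.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FloatPolicy:
    demand_window_days: int = 7      # look-back window for withdrawal demand
    safety_multiplier: float = 1.5   # headroom over the observed peak demand
    max_hot_ratio: float = 0.05      # hard cap: hot / (hot + cold)


def target_hot_float(daily_net_withdrawals, policy):
    """Size the hot float from the worst net-withdrawal day in the window.

    Days with net deposits (negative values) contribute nothing to demand.
    """
    window = daily_net_withdrawals[-policy.demand_window_days:]
    peak = max((max(day, 0.0) for day in window), default=0.0)
    return peak * policy.safety_multiplier


def plan_sweep(hot, cold, daily_net_withdrawals, policy=FloatPolicy()):
    """Return (amount_to_move_hot_to_cold, ceiling_violated).

    A positive amount means sweep funds into cold storage; a negative amount
    means top the hot float up from cold storage (a manual, signed operation).
    """
    total = hot + cold
    target = target_hot_float(daily_net_withdrawals, policy)
    ceiling = policy.max_hot_ratio * total
    target = min(target, ceiling)  # demand never justifies breaching the cap
    violated = total > 0 and hot / total > policy.max_hot_ratio
    return hot - target, violated


if __name__ == "__main__":
    # Constructed figures, in some asset unit, for one week of net withdrawals.
    demand = [5.0, 8.0, 3.0, 12.0, 6.0, 4.0, 7.0]
    # "Virtually all" assets hot, as the report describes FTX doing.
    print(plan_sweep(990.0, 10.0, demand))   # large sweep, ceiling violated
    # A conservative exchange holding 3% hot.
    print(plan_sweep(30.0, 970.0, demand))   # small sweep, no violation
```

The check reports two things separately: how much should move to cold storage to get back to the sized float, and whether the current hot share already breaches the hard ceiling, which is the condition a monitoring alert should fire on regardless of recent demand.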
“The FTX Group undoubtedly recognized how a prudent crypto exchange should operate, because when asked by third parties to describe the extent to which it used cold storage.
Another totally idiotic thing that the FTX peeps did is keep clients’ sensitive cryptographic keys and seed phrases stored in plaintext documents that were apparently accessible by staff.
In crypto, the key or seed phrase is the password that gets you inside a user’s individual wallet. Suffice it to say, industry standards compel crypto exchanges to keep that information encrypted and, thus, safe from prying eyes. Not so with FTX, which apparently kept keys that could open wallets worth tens of millions of dollars unencrypted, in plaintext, just lying around in AWS.
According to the report, this was part and parcel of a generally disorganized approach to security, in which “private keys and seed phrases used by FTX.com, FTX.US, and Alameda were stored in various locations throughout the FTX Group’s computing environment in a disorganized fashion, using a variety of insecure methods and without any uniform or documented procedure.”
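The kind of sprawl the report describes is exactly what a plaintext-secret scan over shared storage is meant to catch. Below is an added example of such a scanner, written for this article and not taken from FTX or any real tool. It flags three shapes of key material: raw 32-byte keys written as 64 hex digits, WIF-encoded keys, and lines consisting solely of a 12-to-24-word mnemonic. The sample documents are constructed and contain no real keys; matches are redacted to their first four characters so the scan output itself never becomes another plaintext copy.

```python
"""Scanner for plaintext wallet-key material in documents (added example; not FTX's code).

Detects: 64-hex-digit raw private keys, WIF-encoded keys (base58, 51-52 chars,
leading 5/K/L), and lines made up solely of a 12/15/18/21/24-word mnemonic.
Every sample document below is constructed; none contains real key material.
"""
import re
from dataclasses import dataclass

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
HEX_KEY = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")
WIF_KEY = re.compile(rf"(?<!{BASE58})[5KL]{BASE58}{{50,51}}(?!{BASE58})")
# A key-ish word on the same line raises confidence for hex matches, since a
# 64-hex string could also be a transaction hash.
KEY_CONTEXT = re.compile(r"priv|secret|seed|mnemonic|wif", re.IGNORECASE)
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}


@dataclass(frozen=True)
class Finding:
    document: str
    line_no: int
    kind: str
    severity: str
    preview: str  # redacted: first four characters only


def _redact(value):
    return value[:4] + "..."


def looks_like_mnemonic(line):
    """True if the whole line is N lowercase words of 3-8 letters, N a mnemonic length."""
    words = line.strip().split()
    return len(words) in MNEMONIC_LENGTHS and all(
        w.isalpha() and w.islower() and 3 <= len(w) <= 8 for w in words
    )


def scan_text(name, text):
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        has_context = bool(KEY_CONTEXT.search(line))
        for m in HEX_KEY.finditer(line):
            severity = "high" if has_context else "medium"
            findings.append(Finding(name, line_no, "hex_private_key", severity, _redact(m.group())))
        for m in WIF_KEY.finditer(line):
            findings.append(Finding(name, line_no, "wif_private_key", "high", _redact(m.group())))
        if looks_like_mnemonic(line):
            findings.append(Finding(name, line_no, "mnemonic_phrase", "high", _redact(line.strip())))
    return findings


def scan_documents(docs):
    """docs: mapping of document name -> text content."""
    return [f for name, text in docs.items() for f in scan_text(name, text)]


# Constructed sample documents standing in for a shared drive or bucket listing.
SAMPLE_DOCS = {
    "wallets/ops-notes.txt": "Hot wallet 3 rotation\nprivate_key=" + "ab" * 32 + "\n",
    "shared/recovery.md": "# Recovery\nalpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima\n",
    "ledger/txlog.csv": "tx," + "cd" * 32 + ",confirmed\n",
    "legacy/import.txt": "wif " + "5" + "H" * 50 + "\n",
    "readme.txt": "Keys live in the HSM; nothing sensitive here.\n",
}

if __name__ == "__main__":
    for finding in scan_documents(SAMPLE_DOCS):
        print(finding)
```

In practice the document mapping would be fed from an object-store or file-share walk, and medium-severity hex hits are worth triaging against a ledger of known transaction hashes before escalating. The point of the example is the control the report says was missing: a documented, repeatable way to find key material that has leaked into ordinary files.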
SBF and his merry band of hipsters also apparently “failed to effectively enforce the use” of multi-factor authentication (MFA)—a very basic form of web security that pretty much everybody who works in an office knows about.