The perpetrator of one of the largest exploits in crypto history is swapping hundreds of millions in ether for bitcoin. Why?

The crypto exchange FTX and Alameda Research faced its downfall in November 2022. Amid the chaos of the collapse, an unknown attacker managed to steal upwards of $500 million in digital assets. At the time of the attack, the funds were spread between over a dozen ancillary addresses. There, they remained largely dormant until last week. 

The attacker began moving sums of ether (ETH) to new addresses starting on Sept. 30. The majority of these funds have since been used on the cross-blockchain liquidity protocol ThorSwap to exchange native ETH for native bitcoin (BTC).

ThorSwap announced Friday morning that it had “transitioned the interface into maintenance mode” until a “more permanent and robust solution can be implemented.” In response, the FTX attacker began leveraging Threshold Network to continue to transfer funds between ETH and BTC. A total of $125 million had been swapped as of Friday, per analyst Lookonchain. The swaps appear to be ongoing. 

The behavior is somewhat unusual for an attacker. Traditionally, one of the first moves is to transfer funds in a manner that obfuscates the on-chain trail. Methods often include using mixers like Tornado Cash or cross-chain bridges like the now-defunct Ren, which inadvertently act as mixers.

ThorSwap, by contrast, is fully public, and even armchair analysts can track the funds swapped between the chains. This has left some question as to why the attacker would bother with the swaps. 

Motive?

However, according to a number of security experts that Blockworks spoke with, swapping between chains could provide the attacker with a number of benefits. 

The first? Liquidity.

“There’s a lot more liquidity in mixers on the BTC chain than on Ethereum these days,” Five I’s founder Nick Bax told Blockworks. 

Since being added to the OFAC Specially Designated Nationals list, the once-popular Tornado Cash mixer has seen a decline in activity. As of June, it is processing just $6 million in deposits and withdrawals per day, according to a Dune Analytics dashboard. While there are still other privacy tools on Ethereum, such as Railgun, they simply lack the necessary liquidity to obfuscate the huge sums the attacker stole. 

“When you send a lot of liquidity into a mixer, the mixer starts to give you back your own liquidity — if the mixer doesn’t have liquidity, it will just give you back dirty money right away,” explained Igor Data, CEO of BLIN.Agency. 

Aside from opening up new avenues for cleaning dirty funds, swapping of chains creates headaches for investigators, says BLIN’s Data. 

While probabilistic algorithms, statistical analysis, and AI can help investigators track funds through mixers, there’s a high deal of manual work involved and switching between chains adds complexity, even when there’s relative transparency.

Ultimately, it creates disproportionate work between the hunter and the hunted. 

“The chasing party has to put much more effort than the mixing party. In two years or five years it may be tracked anyway, but the purpose of the perpetrator is to win time,” Data concluded.

Don’t miss the next big story – join our free daily newsletter.

Follow Sam Bankman-Fried’s trial with the latest news from the courtroom.