FTX, the once beloved crypto exchange that imploded in a maelstrom of financial misconduct last year, appears to have spent minimal effort protecting its customers’ digital assets. In fact, the company’s latest bankruptcy report reveals that, in addition to managing its finances like a debauched Roman emperor, the disgraced crypto exchange also had some of the worst cybersecurity practices imaginable.
Of course, we’ve known that FTX sucked at digital security since at least last November when, less than 24 hours after the company declared Chapter 11 and its former CEO, Sam Bankman-Fried, stepped down, the company suffered a massive cyberattack. During that cyberattack, someone made off with $432 million in assets, a bundle of digital cash that is still unaccounted for—just like a whole lot more of FTX customers’ money.
At the time, the hacking incident seemed like just more bad news on top of an already epic shit sundae, but now we have a little more context for the episode. Monday’s report, which extensively reviews the company’s total failure to institute quite basic digital protections, is a comic masterpiece that will make you wonder how the company didn’t get hacked earlier.
“The FTX Group failed to implement basic, widely accepted security controls to protect crypto assets. Each failure was egregious in the context of a business entrusted with customer transactions,” the filing states. Here are some of the takeaways about those failures.
FTX Didn’t Have a Cybersecurity Staff
Despite being a company tasked with protecting tens of billions of dollars in crypto assets, FTX had no dedicated cybersecurity staff. None. Indeed, Monday’s filing shows the company never bothered to hire a CISO (a chief information security officer) to manage its risks for them. Instead, they relied on two of the company’s software developers who, the report notes, did not have formal training in security and whose jobs put them at odds with actually prioritizing security. The report states:
The FTX Group had no independent Chief Information Security Officer, no employee with appropriate training or experience tasked with fulfilling the responsibilities of such a role, and no established processes for assessing cyber risk, implementing security controls, or responding to cyber incidents in real time...as with critical controls in other areas, the FTX Group grossly deprioritized and ignored cybersecurity controls, a remarkable fact given that, in essence, the FTX Group’s entire business—its assets, infrastructure, and intellectual property—consisted of computer code and technology.
Granted, lots of tech companies suffer from staffing shortages when it comes to cybersecurity but that’s really only excusable if you’re a startup and don’t have the manpower or capital to hire competent people. In the days before its implosion, FTX was reported to be worth as much as $32 billion. Suffice it to say, I think they could’ve hired a guy.
FTX Pretty Much Never Used Cold Storage, the Industry Standard
Another really dumb thing that FTX did was fail to keep its users’ crypto assets in cold storage—a standard security practice that most crypto exchanges claim to abide by.
In general, crypto assets can be stored in two separate ways: “hot wallets,” which are software-based accounts connected to the internet; and “cold storage,” which is an offline, hardware-based form of storage. Cold storage is considered secure, while “hot wallets” are riskier, because—being linked to the web—they can (and often do) get hacked.
Common wisdom suggests that companies keep just as much crypto in hot wallets as necessary to keep accounts liquid, while the rest of the crypto should be kept in cold storage. However, FTX didn’t do that; instead, the report says it kept “virtually all” of its customers’ assets in hot wallets.
Did FTX not know that cold storage was more secure or something? Nope, worse than being too stupid to implement proper controls, the exchange’s leadership appears to have just not given much of a shit.
“The FTX Group undoubtedly recognized how a prudent crypto exchange should operate, because when asked by third parties to describe the extent to which it used cold storage, it lied,” the report states, listing off a number of examples in which FTX executives—including SBF—claimed that they kept users’ assets in cold storage. In one instance, the company told investors that, in keeping with industry best practices, it kept a small amount of crypto in hot wallets, while the rest was “stored offline in air gapped encrypted laptops, which are geographically distributed.” But this was, according to the report, just bullshit.
Instead, as the report notes, “the FTX Group made little use of cold storage” except in Japan, “where [it was] required by regulation to use” it.
Private Cryptographic Keys Were Left Unencrypted
Another totally idiotic thing that the FTX peeps did is keep clients’ sensitive cryptographic keys and seed phrases stored in plaintext documents that were apparently accessible by staff.
In crypto, the key or seed phrase is the password that gets you inside a user’s individual wallet. Suffice it to say, industry standards compel crypto exchanges to keep that information encrypted and, thus, safe from prying eyes. Not so, with FTX—which apparently kept keys that could open wallets worth tens of millions of dollars unencrypted, in plaintext, just lying around in AWS.
According to the report, this was part and parcel of a generally disorganized approach to security, in which “private keys and seed phrases used by FTX.com, FTX.US, and Alameda were stored in various locations throughout the FTX Group’s computing environment in a disorganized fashion, using a variety of insecure methods and without any uniform or documented procedure.”
The FTX Gang Didn’t Really Use Multi-Factor Authentication
SBF and his merry band of hipsters also apparently “failed to effectively enforce the use” of multi-factor authentication (MFA)—a very basic form of web security that pretty much everybody who works in an office knows about. The recently released report states that the crypto exchange’s leadership “failed to implement in an appropriate fashion even the most widely accepted controls relating to Identity and Access Management (“IAM”).” This included a failure to use MFA as well as single-sign on services—also widely considered to be an industry best practice.
And much, much more!
There are a lot of other hilarious jewels of security negligence that FTX appears to have committed, so I’d suggest reading the full report if you want your jaw to drop to the floor.