New Bankruptcy Report Shows FTX Sucked at Cybersecurity




Photo: Joe Raedle (Getty Images)

FTX, the once beloved crypto exchange that went down in a ball of financially malfeasant flames last November, appears to have not given much of a shit about protecting its customers’ digital assets.

Indeed, the company’s latest bankruptcy report reveals that, in addition to managing its finances like a cross between a Jim-Beam-swigging monkey and a debauched Roman emperor, the disgraced crypto exchange also apparently had some of the worst cybersecurity practices imaginable.

Yep, this company was just asking to get hacked. And, of course, it did.

Last November, less than 24 hours after the company declared Chapter 11 bankruptcy and not long after its former leader, Sam Bankman-Fried (or, SBF) stepped down as CEO, the company suffered a massive digital robbery in which some still unidentified fiend made off with $432 million in assets, a bundle of digital cash that is still unaccounted for—just like a whole lot more of FTX customers’ money.

At the time, the hacking incident seemed like just more bad news on top of an already epic shit sundae, but now we have a little more context for the episode. Indeed, Monday’s report, which extensively reviews the company’s total failure to institute quite basic digital protections, is a comic masterpiece that will make you wonder how the company didn’t get hacked earlier.

“The FTX Group failed to implement basic, widely accepted security controls to protect crypto assets. Each failure was egregious in the context of a business entrusted with customer transactions,” the report states. Here are some of the takeaways about those failures.

FTX Didn’t Have a Security Staff

Despite being a company tasked with protecting tens of billions of dollars in crypto assets, FTX had no dedicated cybersecurity staff. None. Indeed, the company never bothered to hire a CISO (a chief information security officer) to own its security risk. Instead, it relied on two of the company’s software developers who, the report notes, had no formal security training and whose day jobs, shipping features, pulled in the opposite direction from prioritizing security. The report states:

The FTX Group had no independent Chief Information Security Officer, no employee with appropriate training or experience tasked with fulfilling the responsibilities of such a role, and no established processes for assessing cyber risk, implementing security controls, or responding to cyber incidents in real time…as with critical controls in other areas, the FTX Group grossly deprioritized and ignored cybersecurity controls, a remarkable fact given that, in essence, the FTX Group’s entire business—its assets, infrastructure, and intellectual property—consisted of computer code and technology.

Granted, lots of tech companies are short-staffed on cybersecurity, but that’s really only excusable at a tiny startup that doesn’t have the manpower or capital to hire competent people. In the days before its implosion, FTX was reported to be worth as much as $32 billion. Suffice it to say, I think they could’ve hired a guy.

FTX Pretty Much Never Used Cold Storage

Another really dumb thing that FTX did was fail to keep its users’ crypto assets in cold storage—a standard security practice that most crypto exchanges claim to abide by.

In general, crypto assets can be stored in two ways: in “hot wallets,” where the private keys sit on internet-connected systems so that transactions can be signed on demand; and in “cold storage,” where the keys live on hardware that never touches the network and signing happens offline. Cold storage is considered secure because an attacker who compromises the exchange’s servers still can’t reach the keys; “hot wallets” are riskier because, being linked to the web, they can (and often do) get hacked.

Common wisdom says an exchange should keep only as much crypto in hot wallets as it needs to keep accounts liquid, with the rest in cold storage. FTX didn’t do that; instead, the report says it kept “virtually all” of its customers’ assets in hot wallets.

Did FTX not know that cold storage was more secure or something? Nope, worse than being too stupid to implement proper controls, the exchange’s leadership appears to have just not given much of a shit.

“The FTX Group undoubtedly recognized how a prudent crypto exchange should operate, because when asked by third parties to describe the extent to which it used cold storage, it lied,” the report states, listing off a number of examples in which FTX executives—including SBF—claimed that they kept users’ assets in cold storage. In one instance, the company told investors that, in keeping with industry best practices, it kept a small amount of crypto in hot wallets, while the rest was “stored offline in air gapped encrypted laptops, which are geographically distributed.” But this was, according to the report, just bullshit.

Instead, as the report notes, “the FTX Group made little use of cold storage” except in Japan, “where [it was] required by regulation to use” it.

Private Keys Were Left Unencrypted

Another totally idiotic thing that the FTX peeps did is keep the private keys and seed phrases controlling the wallets that held customers’ assets in plaintext documents that were apparently accessible by staff.

In crypto, the private key is what authorizes spending from a wallet, and the seed phrase is the master secret from which every key in that wallet is derived; whoever holds either one controls the funds, with no password reset and no way to claw a transaction back. Suffice it to say, industry standards compel crypto exchanges to keep that material encrypted, and thus safe from prying eyes. Not so with FTX, which apparently kept keys that could open wallets worth tens of millions of dollars unencrypted, in plaintext, just lying around in AWS.

According to the report, this was part and parcel of a generally disorganized approach to security, in which “private keys and seed phrases used by, FTX.US, and Alameda were stored in various locations throughout the FTX Group’s computing environment in a disorganized fashion, using a variety of insecure methods and without any uniform or documented procedure.”
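As an added example (this is not code from the report or from FTX), here is the kind of scan a security team would run across shared docs, wikis and repos to find exactly what the report describes: raw hex private keys, Bitcoin WIF keys, xprv extended keys and candidate BIP-39 seed phrases sitting in plaintext. The “ops notes” document below is constructed for the example; every key, phrase and txid in it is made up, and the mnemonic check is a regex heuristic, so real use would also verify candidates against the BIP-39 wordlist and checksum and validate the base58 checksum on WIF hits.

```python
import re
from typing import List, Tuple

# Key material that should only ever live inside an HSM, a KMS, or an
# encrypted vault. Each pattern is a heuristic; hits are candidates for triage.
PATTERNS = {
    # raw 256-bit (secp256k1) private key as 64 hex chars, with or without 0x
    "hex64": re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])"),
    # Bitcoin WIF keys: 51-52 base58 chars starting with 5 (uncompressed) or K/L (compressed)
    "wif_private_key": re.compile(
        r"(?<![1-9A-HJ-NP-Za-km-z])[5KL][1-9A-HJ-NP-Za-km-z]{50,51}(?![1-9A-HJ-NP-Za-km-z])"
    ),
    # BIP-32 extended private keys are base58 and start with xprv
    "xprv_extended_key": re.compile(r"\bxprv[1-9A-HJ-NP-Za-km-z]{100,112}\b"),
}
# A BIP-39 mnemonic is 12 or 24 lowercase words of 3-8 letters. The real check
# verifies each word against the 2048-word list and the checksum; without the
# list embedded here, a run of 12 such words is flagged for a human to confirm.
MNEMONIC = re.compile(r"\b(?:[a-z]{3,8}[ \t]+){11}[a-z]{3,8}\b(?:(?:[ \t]+[a-z]{3,8}){12})?")
# A 64-hex string is also what a SHA-256 hash or a txid looks like, so a hex hit
# is only labelled a key when the surrounding line says so.
KEY_CONTEXT = re.compile(r"(?i)\b(priv|private|secret|seed|wif|key|keys|mnemonic|xprv)\b")

# Constructed sample (not from FTX's environment): a shared "notes" doc of the
# kind the report describes. All values are made up.
SAMPLE_DOC = """\
ops notes - treasury wallets (DO NOT SHARE)
eth hot wallet key: 0x4c0883a69102937d6231471b5dcb1ab0c8ba7ec1e2b5a6fcfe4fa2c3d7ad0b6f
btc cold backup seed: abandon ability able about above absent absorb abstract absurd abuse access accident
btc legacy wif: 5JTd3HRe1gPXwqrkfqGVX9Cu1rNzXgKVh2hmLkGqDbYgRs8NtW4
last deposit txid 6a7f9e2d5b4c3a1908f7e6d5c4b3a29180f7e6d5c4b3a29180f7e6d5c4b3a291
"""


def redact(secret: str) -> str:
    """Never copy the full secret into a ticket or a log: keep only the edges."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan(text: str) -> List[Tuple[str, int, str]]:
    """Return (kind, line_number, redacted_match) for each candidate secret in text."""
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        in_key_context = bool(KEY_CONTEXT.search(line))
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                label = kind
                if kind == "hex64":
                    label = "hex_private_key" if in_key_context else "hex64_no_key_context"
                findings.append((label, lineno, redact(m.group(0))))
        for m in MNEMONIC.finditer(line):
            words = m.group(0).split()
            findings.append((f"mnemonic_candidate_{len(words)}_words", lineno, redact(" ".join(words))))
    return findings


if __name__ == "__main__":
    for kind, lineno, sample in scan(SAMPLE_DOC):
        print(f"line {lineno}: {kind} {sample}")
```

Point it at a directory of exported wiki pages, chat logs and repos and triage the hits; the `hex64_no_key_context` bucket is there so that transaction IDs and hashes don’t bury the real keys.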

The FTX Gang Didn’t Really Use MFA

SBF and his merry band of hipsters also apparently “failed to effectively enforce the use” of multi-factor authentication, a very basic form of web security that pretty much everybody who works in an office knows about. The recently released report states that the crypto exchange’s leadership “failed to implement in an appropriate fashion even the most widely accepted controls relating to Identity and Access Management (“IAM”).” That included the failure to use MFA as well as single sign-on (SSO), also widely considered an industry best practice because it puts every login behind one identity provider where MFA can be required and access can be revoked in one place.
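As an added example, not anything from the report: the quickest way to tell whether MFA is actually enforced in an AWS account (the environment where the report says those keys sat) is the IAM credential report, a CSV the account produces with one row per identity. The script below parses that CSV layout and flags the root account or any console user whose `mfa_active` is false, any access key on root, and access keys older than 90 days (a rotation window assumed for this example). The report rows and the “as of” date are constructed for the example, not taken from any real account.

```python
import csv
import io
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MAX_KEY_AGE_DAYS = 90  # rotation policy assumed for this example
AS_OF = datetime(2023, 6, 26, tzinfo=timezone.utc)  # constructed audit date

# Constructed sample in the column layout of an AWS IAM credential report
# (not a real account): root without MFA and with an access key, one user with
# MFA, one console user without it, and a CI user with a never-rotated key.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-01-01T00:00:00+00:00,not_supported,2023-05-01T12:00:00+00:00,not_supported,not_supported,false,true,2021-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T00:00:00+00:00,true,2023-06-20T09:00:00+00:00,2023-04-01T00:00:00+00:00,N/A,true,true,2023-05-01T00:00:00+00:00,2023-06-19T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-03-01T00:00:00+00:00,true,2023-06-21T09:00:00+00:00,2022-03-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-06-01T00:00:00+00:00,2023-06-21T00:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _days_since(stamp: str, as_of: datetime) -> Optional[int]:
    """Credential reports use N/A, not_supported or no_information for absent dates."""
    try:
        return (as_of - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None


def audit(report_csv: str, as_of: datetime) -> List[Tuple[str, str]]:
    """Apply the MFA and key-hygiene checks to every row; returns (user, issue) pairs."""
    findings: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # root always has console access; for IAM users it depends on password_enabled.
        # A key-only service user with mfa_active=false is expected, so it is not flagged here.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console sign-in without MFA"))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            if is_root:
                # root keys cannot be scoped by IAM policy; they should not exist at all
                findings.append((user, f"root has an active {slot}"))
            age = _days_since(row[f"{slot}_last_rotated"], as_of)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"{slot} is {age} days old"))
    return findings


def audit_sample() -> List[Tuple[str, str]]:
    """Run the checks over the constructed report as of the constructed date."""
    return audit(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, issue in audit_sample():
        print(f"{user}: {issue}")
```

Against a real account you would run `aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d`, and feed the decoded CSV to `audit`. A clean run is the cheapest evidence an exchange could produce that the “we use MFA” line it gives investors is true.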

And much, much more!

Suffice it to say, there are a lot of other hilarious jewels of security negligence that FTX appears to have committed, so I’d suggest reading the full report if you want your jaw to drop to the floor.
