Arkham
Nov 14, 2022 · 10 tweets
We are now 3 days deep into the attack on FTX.

So far, Paxos has blacklisted 4 addresses, and the attacker has repeatedly bridged to and from multiple different networks.

What will the FTX attacker do next?

An update on their current token balances and actions so far 👇
The original address that tokens were sent to, 0x59, received and dumped a multitude of FTX's remaining token holdings.

The attacker appeared to be panicking, and lost a large amount of their token holdings to slippage.
They also tried using different DEX aggregators including 1inch, Cowswap and DODO exchange.

In order to prevent slippage, the attacker was forced to sell PAXG, LINK and MATIC in batches.
The attacker also sent funds to different wallets, distributing a total of just under 3000 PAXG to 3 separate wallets that were all subsequently blacklisted.

The attacker did not manage to get rid of all of their token holdings before their funds were frozen by Paxos.
The attacker has been consolidating a balance of DAI and ETH, tokens that cannot be blacklisted or frozen on the ETH mainnet.

These are their current token balances on ETH mainnet.

FYI: the attacker also holds ~$55 million over BSC, Polygon and Avalanche networks.
This address, 0x2cb, then bridged USDC back to Ethereum through Multichain/Anyswap, and now holds its balance entirely in Ether.
A total of almost $20 million in PAXG was frozen across the attacker's 4 addresses that hold PAXG.

The attacker also attempted to obfuscate fund transfers on BSC by 'swapping' tokens with the recipient address set to a separate address, 0x2cb.
The attacker used the same strategy to send almost $5 million worth of BUSD to a different wallet, 0x525, as USDC.

Here on line 3, "address, to" is not set to 0x59, despite 0x59 sending the transaction.

0x525 then bridged funds back to Ethereum, holding around $16m of Ether.
The attacker also withdrew funds on Polygon, the majority of which they sent to the 0x2cb address featured above.

Around $3.8 million of MATIC was withdrawn from Polygon over the Matic bridge, but the attacker needs to wait 7 days before accessing funds on Ethereum.
At the moment the hacker holds:

~$215m of Ether
~$48m DAI
~$41m of BNB on BSC
~$20m of frozen PAXG
~$7m DAI on BSC
~$4m USDT on Avalanche
~$3.8m of MATIC in the Matic Bridge

Arkham will provide further updates as the situation develops.
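
The recipient check described in the thread (a swap whose `to` argument does not match the sending address), as an added detection example that is not part of Arkham's thread. It assumes the swaps went through a Uniswap V2-style router call, `swapExactTokensForTokens`, which the thread does not name; every address and transaction below is constructed.

```python
# Added example. Assumption: Uniswap V2-style swapExactTokensForTokens calldata.
SWAP_SELECTOR = bytes.fromhex("38ed1739")  # (uint256,uint256,address[],address,uint256)

def _word(data, i):
    return data[i * 32:(i + 1) * 32]

def _addr(word):
    return "0x" + word[12:].hex()

def decode_swap(calldata_hex):
    """Return the decoded arguments, or None if this is not the assumed swap call."""
    raw = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if raw[:4] != SWAP_SELECTOR:
        return None
    args = raw[4:]
    if len(args) < 5 * 32:
        raise ValueError("calldata too short")
    off = int.from_bytes(_word(args, 2), "big")   # offset of the dynamic path array
    n = int.from_bytes(args[off:off + 32], "big")
    if len(args) < off + 32 + 32 * n:
        raise ValueError("truncated path array")
    path = [_addr(args[off + 32 + 32 * k:off + 64 + 32 * k]) for k in range(n)]
    return {"amountIn": int.from_bytes(_word(args, 0), "big"),
            "amountOutMin": int.from_bytes(_word(args, 1), "big"),
            "path": path,
            "to": _addr(_word(args, 3)),           # argument index 3: recipient
            "deadline": int.from_bytes(_word(args, 4), "big")}

def redirected_swaps(txs):
    """Return (hash, sender, recipient) for swaps where `to` is not the sender."""
    hits = []
    for tx in txs:
        call = decode_swap(tx["input"])
        if call and call["to"].lower() != tx["from"].lower():
            hits.append((tx["hash"], tx["from"], call["to"]))
    return hits

def _encode(amount_in, min_out, path, to, deadline):  # builds constructed sample calldata
    w = lambda v: v.to_bytes(32, "big")
    a = lambda h: bytes(12) + bytes.fromhex(h[2:])
    body = w(amount_in) + w(min_out) + w(160) + a(to) + w(deadline)
    return "0x" + (SWAP_SELECTOR + body + w(len(path)) + b"".join(a(p) for p in path)).hex()

SENDER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20    # constructed addresses
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20  # constructed token addresses
SAMPLE_TXS = [  # constructed transactions, not taken from the chain
    {"hash": "tx-self", "from": SENDER, "input": _encode(10**18, 1, [TOKEN_A, TOKEN_B], SENDER, 1668400000)},
    {"hash": "tx-redirect", "from": SENDER, "input": _encode(5 * 10**18, 1, [TOKEN_A, TOKEN_B], OTHER, 1668400000)},
]
```

Calling `redirected_swaps(SAMPLE_TXS)` returns only the `tx-redirect` entry, whose recipient is not the sender.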
