FTX Poor Security Practices Leave Crypto Assets At Risk

FTX fell from being the world’s largest cryptocurrency exchange to being the worst choice for crypto investors when the news of a massive FTX hack spread throughout the internet last year.

The report filed by FTX’s debtors in bankruptcy court revealed several “control failures” in the management of FTX’s exchanges.

Given how disastrously chaotic FTX’s security measures were, it is surprising that they weren’t hacked earlier.

According to the report, someone stole a whopping $432 million in assets, including a significant amount of FTX customers’ funds that remain missing.

FTX’s debtors stated that “The loss occurred completely due to FTX’s negligence and disregard for their cybersecurity protocols.”

FTX Failures In Security Measures

In the words of the filing made by FTX’s creditors,

The FTX Group did not put in place fundamental and universally recognized security measures to safeguard crypto assets. Each failure is outrageous in light of the company’s responsibility for customer transactions.

No Cybersecurity Staff

It turns out that FTX, a corporation entrusted with protecting billions in crypto assets, lacked a basic security team.

Yes, zero security staff.

The company’s Monday filing revealed that FTX never bothered to hire a Chief Information Security Officer (CISO) to oversee its security measures.

Instead, they relied on two of their software developers, who, as it turns out, had no formal training in security and whose job roles didn’t even give them any time to prioritize security.

Yeah, cybersecurity staffing shortages are indeed a reality, but still, it’s less excusable for a company valued at up to $32 billion in its prime.

FTX certainly had the resources to hire a capable CISO, and the fact that they didn’t is a gross failure.

Crypto Assets In Hot Wallets

Most exchanges use cold storage to protect the majority of their customers’ assets while keeping only enough in hot wallets to maintain liquidity.

This is a widely accepted standard security practice for crypto exchanges.

However, the report filed in bankruptcy court states that FTX kept “virtually all” of its customers’ assets in hot wallets, leaving them at risk of being hacked.

They only made use of cold storage in Japan, where it was required by law.

It’s not that FTX didn’t know about cold storage; they deliberately chose not to use it. This is shown by the fact that they were caught lying to third parties about their use of cold storage, falsely claiming to follow industry best practices.

Unencrypted Cryptographic Keys

Another huge failure in maintaining security for their customers was storing clients’ confidential cryptographic keys and seed phrases in plaintext documents that were readily accessible to staff.

You know what the keys are worth, right?

The key or seed phrase is equivalent to a password that grants access to a user’s individual wallet. Thus, it is an industry standard to keep such sensitive information encrypted and protected from unauthorized access.

However, FTX did not do so, and as a result, keys worth millions of dollars were left unencrypted in plaintext, available to anyone who could access AWS.
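As an added example (not from the filing or the original article), here is a small defensive scanner that flags documents holding what looks like a plaintext seed phrase or raw private key, so they can be moved into encrypted storage. The patterns, thresholds and sample text are assumptions of this example; the sample phrase is the public BIP-39 test vector, not a real wallet.

```python
import re

# Heuristics chosen for this example (assumptions, not taken from the filing).
# A raw 256-bit key is 64 hex characters; SHA-256 digests also match, so
# findings need human triage.
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")
# BIP-39 English words are 3 to 8 lowercase letters.
WORD = re.compile(r"^[a-z]{3,8}$")
MIN_WORDS = 12  # shortest BIP-39 mnemonic length


def longest_word_run(line):
    """Length of the longest run of consecutive seed-phrase-like tokens."""
    best = run = 0
    for token in line.split():
        run = run + 1 if WORD.match(token) else 0
        best = max(best, run)
    return best


def scan_text(text):
    """Return (line_number, kind) findings. The secret itself is never
    echoed, so the scanner's own output cannot leak it into logs."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if longest_word_run(line) >= MIN_WORDS:
            findings.append((number, "seed-phrase"))
        if HEX_KEY.search(line):
            findings.append((number, "hex-private-key"))
    return findings


# Constructed sample document. The mnemonic is the well-known BIP-39 test
# vector and the hex value is a dummy pattern.
SAMPLE = "\n".join([
    "Wallet inventory (constructed sample)",
    "hot wallet 1 seed: " + "abandon " * 11 + "about",
    "signing key = 0x" + "ab" * 32,
    "Notes: rotate credentials after the audit is done.",
])

if __name__ == "__main__":
    for number, kind in scan_text(SAMPLE):
        print(f"line {number}: possible plaintext {kind}")
```

A word-run heuristic trades precision for having no wordlist dependency; checking tokens against the full BIP-39 wordlist would cut false positives.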

Such Negligence is Shocking

FTX’s security negligence is not only shocking but also unacceptable, considering the high stakes involved in securing digital assets.

The fact that FTX failed to implement basic security controls, ignored industry standards, and lied to third parties about their security practices is deeply concerning.

The consequences of such negligence showed in the November hack, in which hackers made off with millions of dollars’ worth of cryptocurrency.
