Conversation

Replying to

5) We have a huge number of controls in place to attempt to prevent fake FTX sites from being able to drain users' accounts. And generally they work: it was a lot of work but it's mostly successful.

SBF

@SBF_FTX

Oct 23

6) To be clear, phishing is almost always a case where the user voluntarily (but unknowingly) gives their account credentials to a scammer by going to a bad site or something like that--but despite that, we take our duty to protect customers seriously, even from themselves.

SBF

@SBF_FTX

Oct 23

7) (This was actually one of the first lessons we learned--way back in 2019, a few users got phished, and our initial reaction was 'that sucks please use 2FA'. Upon reflection--and reaction from users--we *mandated* 2FA, which helped a lot.)

109

SBF

@SBF_FTX

Oct 23

8) Anyway, recently a frustrating thing happened. We’ve mostly stamped out sites that try to phish users by masquerading as FTX. But we can’t fix fake sites impersonating *other* services. A few users accidentally registered at fake other sites, including 3 Commas.

115

SBF

@SBF_FTX

Oct 23

9) They provided their FTX api keys to use the sites' trading tools. Others users were probably phished through other methods. But one way or another, these users were exploited by third party attackers.

SBF

@SBF_FTX

Oct 23

10) In general, there's very little we can do about this: other sites can fail to squash phishing attempts on them, and users can ask to let those sites control their FTX API keys. (This happened to accounts on other exchanges 3C was connected to as well, e.g. Binance.)

SBF

@SBF_FTX

Oct 23

11) Mostly this sucks, and is something we should be fighting as an industry. Right now each company has to separately deal with phishing and it sucks. FTX has, but others need to as well.

SBF

@SBF_FTX

Oct 23

12) Anyway--not only was this not FTX getting phished, it wasn't even an FTX site. And in general we can't compensate for users getting phished by fake versions of other companies in the space! It isn't FTX and we have basically no control over it.

Replying to

>It isn't FTX and we have basically no control over it. what was the mechanism by which they drained the accounts? it was by trading on illiquid mkts, not actual withdrawl right? if so, then its too dangerous to try and detect abnormal activity and halt the key but these...

Replying to

and

abnormal market movements can be automatically detected, and you can block the exits on the accounts that are on other side of the trades before they can pull the money off, successfully altering the EV calc for scammers such that they may stop bothering

SBF

@SBF_FTX

Replying to

@austerity_sucks

yea we try but it's whack-a-mole

10:16 PM · Oct 23, 2022Twitter Web App

Replying to

to get real money out though requires KYC'd accounts which probably have an weird account history (i'm of course just guessing), where if they suddenly withdraw millions it should probably flag for review rather than permit as it would for traders who regularly move funds around

Replying to

and

Sam will you ever tackle the part FTX played in the Mango drama? +EV for you