A newly-released explosive report on FTX Group’s previous management team reveals a house of cards built on control failures and mismanagement.
On April 9, crypto researcher Molly White summarized the first report by FTX Trading Ltd. (d.b.a. FTX.com) and its affiliated debtors about the FTX Group’s control failures, which discusses control failures by FTX Group’s previous management team in areas like management, governance, finance, accounting, digital asset management, information security, and cybersecurity.
White, a full-time Fellow at the Library Innovation Lab at Harvard University, is a Molly White is a researcher, writer, software engineer, and prominent critic of the cryptocurrency industry. She founded and maintains the popular website “Web3 is Going Just Great.”
In a series of tweets, White highlights the following key points:
- FTX Group’s lack of recordkeeping and controls made identifying and safeguarding assets difficult.
- The group had a pervasive lack of records, evidence, and proper handling of fiat currency and digital assets.
- Executives stifled dissent, misused funds, and lied about their business practices.
- Debtors relied on limited information from QuickBooks and Slack records to piece together financial records.
- Laptops from key insiders, held by Bahamian Joint Provisional Liquidators, limited debtors’ access to crucial information.
- Singh, Wang, and Ellison pled guilty, cooperating with the DOJ, making it hard for debtors to interview them for bankruptcy purposes.
- FTX had a culture of unchecked power, with little oversight or control in areas like finance, accounting, HR, and cybersecurity.
- Board oversight was virtually non-existent, and FTX had no internal audit function.
- The resignation of Brett Harrison in September 2022 followed a protracted disagreement and a reduction of his bonus.
- Employees who raised concerns about corporate controls and risk management were terminated.
- FTX Group had no complete list of employees at the time of bankruptcy filing.
- Policies and procedures for accounting, financial reporting, treasury management, and risk management were either non-existent, incomplete, or inadequate.
- FTX Group’s small accounting firm lacked specialized knowledge in cryptocurrencies and international financial markets.
- Many FTX entities did not produce financial statements, and thousands of transactions were left unprocessed in QuickBooks accounts.
- Transfers of millions of dollars were approved through Slack emojis or discussed in disappearing Signal or Telegram chats.
- Accounts were opened using pseudonymous email addresses, shell companies, or individuals without direct connection to FTX.
- Alameda transferred funds to insiders for personal investments, political contributions, and other expenditures, with some papered as personal loans.
- The group had no cybersecurity staff and stored private keys to crypto wallets in AWS.
- FTX generally kept crypto assets in hot wallets and lied about the extent of cold storage use.
- FTX did not enforce multi-factor authentication for Google Workspace or 1Password, and failed to perform basic cybersecurity practices.
- The group did not learn about the November 2022 breach until a restructuring advisor alerted employees.
- FTX failed to use endpoint protection, patch software, and enforce proper cybersecurity practices.