Two top executives plead guilty to fraud in FTX case

Top FTX executives close to Sam Bankman-Fried, Caroline Ellison and Zixiao "Gary" Wang, have pleaded guilty to fraud and are cooperating with prosecutors. The pair were convicted "in connection with their roles in the fraud that contributed to FTX's collapse," said Damian Williams, the US Attorney for the Southern District of New York in a press conference.

Ellison, the former CEO of FTX sister company Alameda Research and ex-girlfriend of Bankman-Fried, pleaded guilty to seven counts and faces up to 110 years in prison. Former FTX co-founder Wang pleaded guilty to four counts and faces 50 years. Depending on the level of cooperation, however, they could receive lighter sentences. The pair also face civil fraud charges filed by the Securities and Exchange Commission (SEC) and Commodity Future Trading Commission (CFTC). Both were released on $250,000 bonds.

The announcement was made as Bankman-Fried was being extradited from the Bahamas to New York, and add to his mounting legal woes. Wang's lawyer Ilan Graff said that his client has "accepted responsibility for his actions and takes seriously his obligations as a cooperating witness," according to The Washington Post

Despite their cooperation, the SEC didn't mince words in laying out its case against Ellison and Wang. "Mr. Bankman-Fried, Ms. Ellison, and Mr. Wang were active participants in a scheme to conceal material information from FTX investors," said SEC deputy director of enforcement, Sanjay Wadhwa. "By surreptitiously siphoning FTX’s customer funds onto the books of Alameda, defendants hid the very real risks that FTX’s investors and customers faced."

Bankman-Fried, meanwhile, is accused of a long list of misdeeds by multiple agencies, including the SEC, Department of Justice and CFTC. Those include defrauding FTX investors and customers of more than $1.9 billion, multiple counts of wire fraud, conspiracy to defraud investors by sharing misleading information and "surreptitiously" siphoning customer funds. The CFTC also alleges that Bankman-Fried and his cohorts "took hundreds of millions of dollars in poorly-documented 'loans' from Alameda," which they then used to purchase real estate and make political donations.

FTX founder Sam Bankman-Fried agrees to extradition to the US

When the Bahamas Attorney General's office announced that it had arrested former FTX CEO Sam Bankman-Fried, it noted that the former FTX CEO was likely to be extradited at the request of the United States. Just over a week later, that prediction has come true: Bankman-Fried signed extradition papers on Tuesday afternoon.

According to an unsealed indictment, Bankman-Fried is facing 8 counts of conspiracy to commit wire fraud, commodities fraud, securities fraud, and more. Specifically, the SEC accuses the cryptocurrency founder of "orchestrating a massive, years-long fraud" for "his own personal benefit and to help grow his crypto empire." The Department of Justice has accused him of attempting commodities and securities fraud, conspiring to defraud investors and breaking federal election laws for donating more to political groups than is legally allowed.

Bankman-Fried originally planned to fight extradition, but indicated on Monday that he would reverse course. Now, he will be returning to the US to face those charges, a decision that might be easier on him in the short term. When the former CEO was first arrested in the Bahamas, he was denied bail and deemed a flight risk. In the United States, it's possible he could be released on bail.

Bankman-Fried has previously said that he "didn't ever try to commit fraud," and doesn't believe he's criminally liable for the fall of FTX. The New York Times reports that a defense lawyer representing Bankman-Fried in the Bahamas says that he's returning to the US because he "wishes to put the customers right, and that is what has driven his decision."

FTX founder Sam Bankman-Fried agrees to extradition to the US

When the Bahamas Attorney General's office announced that it had arrested former FTX CEO Sam Bankman-Fried, it noted that the former FTX CEO was likely to be extradited at the request of the United States. Just over a week later, that prediction has come true: Bankman-Fried signed extradition papers on Tuesday afternoon.

According to an unsealed indictment, Bankman-Fried is facing 8 counts of conspiracy to commit wire fraud, commodities fraud, securities fraud, and more. Specifically, the SEC accuses the cryptocurrency founder of "orchestrating a massive, years-long fraud" for "his own personal benefit and to help grow his crypto empire." The Department of Justice has accused him of attempting commodities and securities fraud, conspiring to defraud investors and breaking federal election laws for donating more to political groups than is legally allowed.

Bankman-Fried originally planned to fight extradition, but indicated on Monday that he would reverse course. Now, he will be returning to the US to face those charges, a decision that might be easier on him in the short term. When the former CEO was first arrested in the Bahamas, he was denied bail and deemed a flight risk. In the United States, it's possible he could be released on bail.

Bankman-Fried has previously said that he "didn't ever try to commit fraud," and doesn't believe he's criminally liable for the fall of FTX. The New York Times reports that a defense lawyer representing Bankman-Fried in the Bahamas says that he's returning to the US because he "wishes to put the customers right, and that is what has driven his decision."

SEC charges FTX co-founder Sam Bankman-Fried with ‘defrauding investors’

Following his arrest in the Bahamas, the US Securities and Exchange Commission (SEC) has charged FTX co-founder Sam Bankman-Fried with "defrauding investors," it announced. It alleges that Bankman-Fried "concealed his diversion of FTX customers' funds to [the] crypto trading firm Alameda Research while raising more than $1.8 billion from investors." 

"We allege that Sam Bankman-Fried built a house of cards on a foundation of deception while telling investors that it was one of the safest buildings in crypto," said SEC Chair Gary Gensler. "The alleged fraud committed by Mr. Bankman-Fried is a clarion call to crypto platforms that they need to come into compliance with our laws."

The SEC alleges that since at least May 2019, FTX raised $1.8 billion from equity investors, including $1.1 billion from 90 US investors alone. Bankman-Fried promoted the exchange as a safe trading platform with "sophisticated, automated measures to protect customer assets," it said. "In reality, though, Bankman-Fried orchestrated a fraud to conceal the diversion of customer funds to his privately-held crypto hedge fund, Alameda Research."

That fund was given special treatment, "including an unlimited 'line of credit' funded by the platform's customers and exempting Alameda from certain key FTX risk mitigation measures," the commissioner added. And finally, customers were exposed to undisclosed risk from FTX's exposure to Alameda holdings of "overvalued, illiquid assets such as FTX-affiliated tokens." It further alleges that Bankman-Fried used commingled FTX customer funds to make "undisclosed venture investments, lavish real estate purchases and large political donations." 

Bankman-Fried was set to be testifying today in Congress, but that isn't happening now. In a draft transcript of his testimony seen by Forbes, he would have led by saying "I fucked up." Later in the transcript, Bankman-Fried claims Alameda's position on the platform was twice as large as displayed on FTX's dashboards due to "a historical accounting quirk," as opposed to any malfeasance. He also planned to say that FTX's US business is fully solvent and could pay back customers immediately. Among other statements, he notes that he was pressured into filing for Chapter 11, and that ultimately the Chapter 11 documents were filed against his wishes.

The SEC is seeking injunctions including barring Bankman-Fried from future securities dealings, seizing alleged ill-gotten gains, a civil penalty and an officer and director bar. "FTX operated behind a veneer of legitimacy," said SEC enforcement director Surbir S. Grewal. "But as we allege in our complaint, that veneer wasn’t just thin, it was fraudulent."

At the same time, the US Attorney's Office of the Southern District of New York and the Commodity Futures Trading Commission (CFTC) also announced charges against Bankman-Fried in parallel actions. The unsealed indictment in United States of America v. Samuel Bankman-Fried has eight counts: Conspiracy to commit wire fraud on customers; wire fraud on customers; conspiracy to commit wire fraud on lenders; wire fraud on lenders; conspiracy to commit commodities fraud; conspiracy to commit securities fraud; conspiracy to commit money laundering and conspiracy to defraud the United States and violate the campaign finance laws. 

The CFTC's suit names Bankman-Fried alongside FTX and Alameda Research. Alongside similar allegations to the criminal and SEC cases, the CFTC claims that Bankman-Fried and other FTX executives took "hundreds of millions of dollars in poorly-documented 'loans' from Alameda that they used to purchase luxury real estate and property, make political donations, and for other unauthorized uses."

Update 12/13 11:30AM ET: This article was updated to include details on the criminal charges and CFTC suits.

SEC charges FTX co-founder Sam Bankman-Fried with ‘defrauding investors’

Following his arrest in the Bahamas, the US Securities and Exchange Commission (SEC) has charged FTX co-founder Sam Bankman-Fried with "defrauding investors," it announced. It alleges that Bankman-Fried "concealed his diversion of FTX customers' funds to [the] crypto trading firm Alameda Research while raising more than $1.8 billion from investors." 

"We allege that Sam Bankman-Fried built a house of cards on a foundation of deception while telling investors that it was one of the safest buildings in crypto," said SEC Chair Gary Gensler. "The alleged fraud committed by Mr. Bankman-Fried is a clarion call to crypto platforms that they need to come into compliance with our laws."

The SEC alleges that since at least May 2019, FTX raised $1.8 billion from equity investors, including $1.1 billion from 90 US investors alone. Bankman-Fried promoted the exchange as a safe trading platform with "sophisticated, automated measures to protect customer assets," it said. "In reality, though, Bankman-Fried orchestrated a fraud to conceal the diversion of customer funds to his privately-held crypto hedge fund, Alameda Research."

That fund was given special treatment, "including an unlimited 'line of credit' funded by the platform's customers and exempting Alameda from certain key FTX risk mitigation measures," the commissioner added. And finally, customers were exposed to undisclosed risk from FTX's exposure to Alameda holdings of "overvalued, illiquid assets such as FTX-affiliated tokens." It further alleges that Bankman-Fried used commingled FTX customer funds to make "undisclosed venture investments, lavish real estate purchases and large political donations." 

Bankman-Fried was set to be testifying today in Congress, but that isn't happening now. In a draft transcript of his testimony seen by Forbes, he would have led by saying "I fucked up." Later in the transcript, Bankman-Fried claims Alameda's position on the platform was twice as large as displayed on FTX's dashboards due to "a historical accounting quirk," as opposed to any malfeasance. He also planned to say that FTX's US business is fully solvent and could pay back customers immediately. Among other statements, he notes that he was pressured into filing for Chapter 11, and that ultimately the Chapter 11 documents were filed against his wishes.

The SEC is seeking injunctions including barring Bankman-Fried from future securities dealings, seizing alleged ill-gotten gains, a civil penalty and an officer and director bar. "FTX operated behind a veneer of legitimacy," said SEC enforcement director Surbir S. Grewal. "But as we allege in our complaint, that veneer wasn’t just thin, it was fraudulent."

At the same time, the US Attorney's Office of the Southern District of New York and the Commodity Futures Trading Commission (CFTC) also announced charges against Bankman-Fried in parallel actions. The unsealed indictment in United States of America v. Samuel Bankman-Fried has eight counts: Conspiracy to commit wire fraud on customers; wire fraud on customers; conspiracy to commit wire fraud on lenders; wire fraud on lenders; conspiracy to commit commodities fraud; conspiracy to commit securities fraud; conspiracy to commit money laundering and conspiracy to defraud the United States and violate the campaign finance laws. 

The CFTC's suit names Bankman-Fried alongside FTX and Alameda Research. Alongside similar allegations to the criminal and SEC cases, the CFTC claims that Bankman-Fried and other FTX executives took "hundreds of millions of dollars in poorly-documented 'loans' from Alameda that they used to purchase luxury real estate and property, make political donations, and for other unauthorized uses."

Update 12/13 11:30AM ET: This article was updated to include details on the criminal charges and CFTC suits.

LastPass reveals another security breach

LastPass CEO Karim Toubba has revealed that the password manager has been breached again. Toubba said the company detected an unusual activity within a third-party cloud storage service that it shares with its parent company GoTo, which was formerly known as LogMeIn. To investigate the incident, LastPass has teamed up with security firm Mandiant. Together, they've determined that the unauthorized party got into LastPass' cloud service by using information obtained from the security breach it suffered in August this year. Further, they've discovered that the bad actor was able to access "certain elements" of its customers' information.

If you'll recall, LastPass was hacked back in August, and Toubba admitted after an investigation that the unauthorized party had internal access to its systems for four days. The hacker was able to steal some of the password manager's source code and technical information, but LastPass said customers' data and encrypted password vaults remained untouched. Apparently, the hacker's access was limited to the service's development environment. While the unauthorized party was able to access some user information this time, LastPass said customers' passwords remain safely encrypted. 

In an announcement of its own, remote work and collaboration tools provider GoTo has admitted that bad actors gained entry into its development environment. Like LastPass, the company has assured customers that its products and services are fully functional despite the breach. The password manager and its parent company are still investigating the incident to understand its scope, so we'll likely hear more details in the coming months. 

T-Mobile will pay $350 million to settle lawsuits over massive data breach

If you were a T-Mobile customer in August 2021, you may get a few dollars from the carrier in the near future. It has agreed to settle a consolidated class action lawsuit filed against the company over a data breach that exposed the personal information of 76.6 million "current, former and prospective customers." Back when T-Mobile's CEO, Mike Sievert, admitted and apologized for the breach, the carrier said the individual who hacked its network used "specialized" tools and knowledge of its infrastructure in order to gain access to its testing environment. That individual then stole customer data from the network and sold them on hacker forums.

The type of information that the bad actor sold varies per person, but it could include the name, birth date and social security number for each individual. T-Mobile got in touch with people affected by the data leak shortly after it came to light and offered them two free years of access to McAfee’s ID Theft Protection Service. Now, they're also getting monetary compensation, though it will likely be a few dollars at most. While the $350 million settlement may sound substantial, a huge chunk of that amount will go towards paying off legal fees. The rest will be divided among tens of millions of affected customers. According to the SEC filing spotted by GeekWire, the company will also spend $150 million on data security technologies throughout this year and the next.

The settlement still has to be approved by the court. But if it does, it will "resolve substantially all of the claims brought by the company’s current, former and prospective customers who were impacted by the 2021 cyberattack." You can read the full proposed settlement here.

T-Mobile will pay $350 million to settle lawsuits over massive data breach

If you were a T-Mobile customer in August 2021, you may get a few dollars from the carrier in the near future. It has agreed to settle a consolidated class action lawsuit filed against the company over a data breach that exposed the personal information of 76.6 million "current, former and prospective customers." Back when T-Mobile's CEO, Mike Sievert, admitted and apologized for the breach, the carrier said the individual who hacked its network used "specialized" tools and knowledge of its infrastructure in order to gain access to its testing environment. That individual then stole customer data from the network and sold them on hacker forums.

The type of information that the bad actor sold varies per person, but it could include the name, birth date and social security number for each individual. T-Mobile got in touch with people affected by the data leak shortly after it came to light and offered them two free years of access to McAfee’s ID Theft Protection Service. Now, they're also getting monetary compensation, though it will likely be a few dollars at most. While the $350 million settlement may sound substantial, a huge chunk of that amount will go towards paying off legal fees. The rest will be divided among tens of millions of affected customers. According to the SEC filing spotted by GeekWire, the company will also spend $150 million on data security technologies throughout this year and the next.

The settlement still has to be approved by the court. But if it does, it will "resolve substantially all of the claims brought by the company’s current, former and prospective customers who were impacted by the 2021 cyberattack." You can read the full proposed settlement here.

OpenSea users’ email addresses leaked in data breach

NFT marketplace OpenSea shared today that it’s the victim of another data breach — though this time the target is one of its vendors. An employee of its email delivery vendor, Customer.io, allegedly downloaded and shared stored email addresses associated with OpenSea accounts and newsletter subscriptions with an unknown third party. Any OpenSea account holder or newsletter subscriber should assume their email address was among those impacted, according to a blog post by the company’s head of security Cory Hardman. At this time it does not appear any passwords or other personal information was stolen.

The company is working with Customer.io to investigate the matter. “Please stay vigilant about your email practices, and be alert for any attempt to impersonate OpenSea via email,” wrote Hardman.

Unlike a previous phishing attack on OpenSea in February that resulted in hundreds of NFTs being stolen, there appears to be no further reported damage beyond the leaked email addresses. Still, the number of people likely impacted by the breach is significant. Hackread noted that 1.8 million users made purchases through the Ethereum network on OpenSea, according to data from Dune Analytics.

Yesterday the company sent emails to OpenSea users who they suspected were involved, warning them to be on the lookout for phishing emails and other scams. Beyond standard advice such as not to download attachments or click on a link from an OpenSea email, users were also warned not to sign wallet transactions directly from an email or to share or confirm secret wallet phrases.

The identity of the third party who received the breached email addresses has not been revealed. A representative from Customer.io toldTechCrunch that the employee behind the breach had “role-specific” access to the OpenSea data that they abused. “We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.”

OpenSea users’ email addresses leaked in data breach

NFT marketplace OpenSea shared today that it’s the victim of another data breach — though this time the target is one of its vendors. An employee of its email delivery vendor, Customer.io, allegedly downloaded and shared stored email addresses associated with OpenSea accounts and newsletter subscriptions with an unknown third party. Any OpenSea account holder or newsletter subscriber should assume their email address was among those impacted, according to a blog post by the company’s head of security Cory Hardman. At this time it does not appear any passwords or other personal information was stolen.

The company is working with Customer.io to investigate the matter. “Please stay vigilant about your email practices, and be alert for any attempt to impersonate OpenSea via email,” wrote Hardman.

Unlike a previous phishing attack on OpenSea in February that resulted in hundreds of NFTs being stolen, there appears to be no further reported damage beyond the leaked email addresses. Still, the number of people likely impacted by the breach is significant. Hackread noted that 1.8 million users made purchases through the Ethereum network on OpenSea, according to data from Dune Analytics.

Yesterday the company sent emails to OpenSea users who they suspected were involved, warning them to be on the lookout for phishing emails and other scams. Beyond standard advice such as not to download attachments or click on a link from an OpenSea email, users were also warned not to sign wallet transactions directly from an email or to share or confirm secret wallet phrases.

The identity of the third party who received the breached email addresses has not been revealed. A representative from Customer.io toldTechCrunch that the employee behind the breach had “role-specific” access to the OpenSea data that they abused. “We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.”