FTX’s November 2022 breach was not an isolated intrusion but the result of extreme cloud governance and security control failure across a high-value crypto platform, with management stating the environment had already been compromised and lacked the controls to detect or stop the theft of approximately $432 million in crypto assets.
The interim report from John J. Ray III shows a cloud architecture that concentrated catastrophic risk in one place: FTX and Alameda shared a single AWS account, private keys for billions in customer-related crypto assets were stored in AWS Secrets Manager, some key-encryption passwords were stored in plaintext in code repositories and wallet systems were not securely segregated from the broader environment. FTX also failed to enforce MFA on critical services including Google Workspace and 1Password and did not enable basic AWS detection and logging controls such as GuardDuty and full VPC flow logging. The result was a platform handling bank-like assets without bank-like control boundaries, detection or governance. For cloud security and diligence teams, the lesson is clear: poor account segregation, weak cryptographic custody design and missing baseline monitoring can turn a single compromise into existential loss.
| What Happened | Cause | Action |
|---|---|---|
| Separate legal entities shared a single AWS account holding critical assets | FTX and Alameda used one shared AWS account and FTX stored private keys within the same cloud environment that also contained over a thousand servers, related services and databases. The report states a compromise of that account exposed assets across all three entities. FTX.US had started migrating to its own AWS account but did not complete the work before the breach. | Validate whether legal entities, production environments and high-sensitivity asset systems are isolated into separate cloud accounts and organisational boundaries. SkySiege checks for environment and data classification tagging ensuring that mixed environments are clearly indicated and obvious. |
| Customer-value cryptographic keys were accessible through internal AWS IAM-controlled secret stores | Private keys to billions in crypto assets were stored in AWS Secrets Manager and the report notes that employees with access to Secrets Manager or the password vault could access certain keys and unilaterally transfer assets. This is a privilege design failure: internal operator access and customer asset custody were not meaningfully separated. | Validate whether customer asset keys or equivalent high-value signing material are stored in systems governed by internal cloud IAM instead of dedicated custody controls, HSM-backed isolation or tightly separated authorization paths. |
| Encryption controls did not meaningfully protect the wallet keys | In cases where private keys were encrypted, the decryption keys were also stored in AWS Secrets Manager rather than protected in an HSM or equivalent isolated control plane. The report states this dramatically reduced the value of encryption because an unauthorised actor could retrieve the decryption keys easily. | Validate whether encryption for highly sensitive secrets is independent from the system storing the ciphertext and whether decryption requires segregated hardware-backed controls and separate authorization. SkySiege checks for encryption settings and policies under AWS KMS assets to ensure base levels of protection. |
| Wallet protection secrets were mishandled and reused across systems | Passwords used to encrypt wallet-node private keys were stored in plaintext, committed to code repositories and reused across different wallet nodes. The report further states that compromising one node could allow compromise of every other node using the same password. | Validate whether repositories contain plaintext secrets, whether encryption passwords are reused across nodes or environments and whether source-control exposure could cascade into wallet compromise. |
| Sensitive wallet systems were not network-segregated from the rest of the environment | The report states wallet node servers were not securely segregated from connected servers, meaning compromise of the broader computing environment could lead directly to compromise of wallet nodes. This removed a key barrier against lateral movement. | Validate whether systems that hold or unlock customer-value assets are isolated by network segmentation, routing restrictions and dedicated trust zones. SkySiege assesses VPC design, subnet and security group isolation, lateral movement paths and whether crown-jewel systems are reachable from less sensitive workloads. |
| Critical identity systems lacked MFA enforcement | FTX did not enforce MFA for Google Workspace and 1Password, two of its most critical services for email, collaboration and password management. This reflects a basic identity control gap affecting administrative and operational security. | Validate MFA enforcement across workforce identity, password vaults, cloud administration and all privileged access paths. SkySiege checks for MFA coverage for privileged identities, root-level access exposure, identity provider hardening and gaps in administrative authentication policy. |
| FTX had no effective detection for key access, root usage or suspicious cloud activity | The report states FTX had no mechanism to promptly identify access to private keys, lacked alerting for AWS root logins and had not fully enabled basic AWS threat detection and response features. GuardDuty was not enabled on FTX.com and VPC flow logs were only capturing rejected traffic in some networks, not permitted traffic. | Validate whether logging and alerting cover secret access, root account activity, anomalous transfers and east-west traffic in sensitive networks. SkySiege checks for basic monitoring expected in corporate environments and alerts when this standard is not met. |
| The breach was discovered through public chatter, not internal controls | FTX reportedly learned of the breach only after the restructuring advisor observed suspicious wallet transfers through Twitter and other public sources. This demonstrates operational detection failure at the most basic level. | Validate whether security operations can detect unauthorised movement of critical assets before outside parties do. |
FTX’s failure was fundamentally architectural and operational, not just procedural. The report describes a platform controlling billions in crypto assets while collapsing account boundaries, key custody, operator access and runtime infrastructure into the same trust domain. In practice, that means one compromised AWS account, one overprivileged internal identity or one lateral movement path could translate directly into customer asset theft.
The detection gap is especially serious. FTX lacked prompt visibility into private key access, root login activity and network traffic that would have supported investigation. GuardDuty was not enabled on at least part of the estate and VPC flow logs did not capture permitted traffic. That left incident responders without the telemetry needed to detect or reconstruct attacker activity in a timely manner. As in SkySiege’s assessments, baseline cloud detections including root-account monitoring are not optional controls.
The governance weakness is equally important. Separate entities sharing one AWS account is a clear control failure, especially where different data sensitivity levels and customer-value assets coexist. That design magnifies blast radius, frustrates least privilege and creates avoidable legal, compliance and operational exposure. In a due-diligence context, this signals poor leadership oversight, weak engineering discipline and elevated deal risk.
The business impact extends beyond the immediate theft. Most of the funds remain unrecovered, forensic analysis is ongoing and the report suggests billions more could have been at risk. For any enterprise operating a financial, custodial or regulated platform, these conditions create direct financial loss, reputational damage, customer trust erosion and likely scrutiny over whether minimum duty-of-care controls were ever in place.