By the evening of November 11 of last year, FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world's top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company's CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.

FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company's cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.

“Holy shit,” one former FTX staffer, who asked not to be named because they weren't authorized to speak about internal company matters, remembers thinking. “After all this, we’re being hacked?”

According to its own accounting, FTX would ultimately lose between $415 million and $432 million worth of its cryptocurrency holdings to those unidentified thieves, numbers it has publicly confirmed as part of its bankruptcy process. What FTX hasn't previously revealed is how close it may have come to losing vastly more—how its staff and outside consultants raced to move more than $1 billion worth of crypto to more secure storage before it could be stolen by the malevolent presence on its network—even, at one point, scrambling to send close to half a billion dollars to a physical USB drive in one consultant's office in an effort to keep it out of the thieves' hands.

As the trial of FTX's disgraced founder Sam Bankman-Fried enters its second week, many in the cryptocurrency community are closely watching courtroom events for any hint of how the exchange was so catastrophically looted, just hours after it left his control. The question of who carried out that theft—and whether the thieves were FTX insiders or external hackers—looms largest of all. That mystery remains unsolved, and neither Bankman-Fried nor other top FTX executives have been charged with that theft.

But now, WIRED can reveal the events of FTX’s panicky night working to limit the damage from that theft—and to prevent what might otherwise have been a 10-figure heist. The new FTX leadership under Ray, its new CEO, declined to be interviewed about the incident. But WIRED learned the hour-by-hour details of the crisis response from a detailed invoice submitted by the restructuring firm Alvarez & Marsall for its work on FTX's bankruptcy case, interviews with individuals who participated in the immediate response to the theft, and blockchain analysis provided by the cryptocurrency tracing firm Elliptic.

That response started around 10 pm on the evening of November 11, when Zach Dexter, the chief executive of FTX subsidiary LedgerX, sent a Google Meet invite to a group of more than 20 of FTX’s remaining staff, bankruptcy lawyers, advisers, and consultants. The invitation’s one-word subject line: “urgent.”

A handful of staffers quickly joined that Google Meet video call, which would eventually grow to dozens of participants over the next 12 hours. They could all see FTX wallets being drained in real time on Etherscan. But almost no one on the call had any idea where exactly FTX stored its cryptocurrency or how it managed the secret keys that controlled those wallets. That knowledge was held only by a small group of FTX elite—Bankman-Fried and his inner circle. Bankman-Fried never appeared in the meeting, according to sources who were present, but Gary Wang, the FTX cofounder and CTO, did join the call.

By this point Wang was distrusted by many people close to Ray, sources say. In the midst of FTX’s meltdown, Wang had initially sided with Bankman-Fried and had only distanced himself from the former CEO after days of persuasion from others within the company.

Wang didn't win over any of his critics in the emergency meeting when he initially suggested the ongoing theft could be halted by simply changing the secret keys that protected the wallets that were being emptied. That seemed pointless, the former FTX staffer remembers thinking, given that whoever had gained access to the network could simply grab the new keys and continue their heist. “The fox is in the hen house, and you’re going to change the keys to the hen house?” the former staffer remembers thinking. Wang, who has since pleaded guilty to the same criminal charges Bankman-Fried now faces, did not respond to a request for comment sent to his attorney

Just as the Google Meet call started, however, LedgerX’s Dexter had started exploring a different approach to protecting FTX’s funds. The week before the theft, digital asset trust company BitGo had been negotiating with Sullivan & Cromwell, the law firm overseeing FTX’s bankruptcy process, to take custody of the firm’s remaining cryptocurrency holdings. So Dexter now called BitGo to try to circumvent the long legal contract process Sullivan & Cromwell had begun with the company. Instead, Dexter asked BitGo to immediately create “cold storage” wallets—wallets that would be kept securely offline—that FTX could move all its remaining funds into as a safe haven. Dexter did not respond to a request for comment.

BitGo said it could have the wallets ready in around half an hour. FTX staffers worried that this would still be too slow. The thieves could potentially take hundreds of millions of dollars more worth of crypto out of the company’s wallets by then.

Someone on the Google Meet call asked if anyone had a hardware wallet of their own where the money could be stored until BitGo was ready. Kumanan Ramanathan, an adviser to FTX from Alvarez & Marsall calling in from his house in the suburbs of New York, volunteered. He had a Ledger Nano—a USB drive hardware wallet—in his home office that he offered to set up as a temporary refuge for the vulnerable money.

Ramanathan set up a new wallet on his Ledger Nano at around 10:30 pm ET on November 11. The former FTX staffer remembers watching him check and double-check the password that he'd created for that wallet. Wang began sending FTX’s funds to it, and soon Ramanathan was holding between $400 and $500 million in the company’s crypto assets on a USB drive in his Westchester County home.

Minutes later, BitGo told the FTX staffers that its wallets were ready, and they began transferring hundreds of millions more in crypto to BitGo’s cold storage instead of Ramanathan's Ledger device. For the rest of that sleepless night, the staffers hunted for every wallet where FTX’s money was stored and transferred every coin they could find to BitGo. “They were scrubbing various systems trying to find where various private keys were, where assets were held,” says another person involved in the response, granted anonymity because they weren’t authorized to speak about it publicly. “It was just chaos.”

As FTX's staff focused on getting executives to sign off on those transfers of potentially vulnerable funds, Ramanathan was left holding the crypto that Wang had initially transferred to his Ledger wallet. That created the bizarre situation of an individual physically possessing around half a billion dollars worth of FTX's money, which presented its own unique legal and security risks. That night, Ryne Miller, the general counsel for FTX, rushed to Ramanathan's home to help safeguard it. Ryne Miller declined to comment for this story, and Ramanathan didn’t respond to a request for comment.

At 10:59 pm Ramanathan called the police to report a theft in progress and explain that he was holding a very large amount of the victim's money, requesting that officers come to his house to help protect it. After all, no one knew then—or now—who had stolen the other funds, and if they might try to physically take the stash that Ramanathan held too. A police report from the New Rochelle Police Department obtained by WIRED shows that Ramanathan told the 911 dispatcher that “there is a huge crypto hit currently going on and that there is a large amount of money being sent to this address” and that he “fears the house is going to become a target.”

Even after the police arrived, Miller, FTX's general counsel, stayed at the house for most of the night. Ramanathan's record of billable hours shows that he and Miller spent nearly three and half hours in his home, from around 2 am to 5 am, on November 12.

No physical threat to Ramanathan or his home materialized. In fact, the siphoning of funds from FTX had stopped when the money was moved to Ramanathan's Ledger wallet. “He took a huge fucking risk using his personal Ledger,” says the former FTX staffer. “He’s a total boss. It’s my pretty strong feeling that if we hadn’t pulled this Ledger stunt, we would have lost significantly more money.” The money in Ramanathan's home office was finally transferred to BitGo by around 5 am on Saturday, November 12. The company would ultimately hold $1.1 billion of the remaining FTX funds.

Later on Saturday, Bankman-Fried and Wang transferred another $400 million plus to accounts under the control of the Bahamas government for safeguarding, as reported by Forbes and recorded in a court filing. At some points, that movement of funds to the Bahamas appears to have been confused with the theft itself. A week after the theft, some media outlets incorrectly reported that the stolen funds had actually been seized by the Bahamian government. As evidence to the contrary, cryptocurrency tracing firms like Elliptic and Chainalysis have observed portions of the actual stolen funds being sent to “mixing” services often used to launder stolen crypto funds such as Railgun and the cross-blockchain coin swap service THORChain, behavior typical of thieves who pull off large-scale crypto heists.

In the months since the desperate rescue effort of November 11, FTX’s new regime, which is handling the company’s bankruptcy process, has publicly alleged glaring security failings that made the theft possible.

An April report released as part of FTX’s bankruptcy proceedings listed examples of that alleged neglect: The previous FTX regime had no independent chief information security officer or actual dedicated security team; it kept virtually all its cryptocurrency in hot wallets—wallets on computers connected to the internet—despite employees being instructed to publicly claim that it stored as little as 10 percent in hot wallets; it left keys to those wallets unencrypted or failed to properly set up security systems where multiple keys are needed to unlock funds; and it lacked the logging systems to even know who was moving funds and when, along with many other issues.

The same report describes the impossible situation that the new FTX regime faced on November 11, when, in its first day in charge, it discovered it had inherited a deeply compromised network. “Due to the FTX Group’s deficient controls to secure crypto assets, the Debtors faced the threat that billions of dollars of additional assets could be lost at any moment,” the report reads, using the term “debtors” to describe the new FTX administration led by Ray. “As the Debtors worked to identify and access crypto assets with no ‘map’ to guide them, the Debtors had to engineer technological pathways to transfer many types of assets they identified to cold storage.”

Given that apparently shambolic security and disorganization, it’s perhaps not a surprise that FTX became the target of one of the costliest crypto heists in history. But if not for a few quick decisions in the midst of that chaos, it now appears that it could have been far worse.

“It was a very, very crazy night,” the former FTX staffer says. “We worked on it, we got it done, and we saved a massive amount of customers’ money.”

Updated at 10:35 am ET, October 10, 2023, to clarify THORChain's functionality.

Updated at 3:50 pm ET, October 10, 2023, to add details from a New Rochelle Police Department report detailing Ramanathan's 911 call. We also clarified that Ramanathan and Miller were at Ramanathan's home when the 911 call took place and while they awaited the transfer to BitGo.