How Inadequate Security Controls Played a Major role in the FTX Crypto Collapse

FTX’s fallout late last year shined a spotlight on the risks of lacking security controls.

Image by Mohamed Hassan from Pixabay

A Timeline of Irony

October 28th, 2021 – A “wise” man named Matt Damon uttered the phrase “Fortune Favors the Brave” while ACTING in a commercial for the then rapidly rising cryptocurrency exchange known as FTX. Other well-known celebrities, like pig-skin-flinging Tom Brady and business magnate Kevin O’Leary, also heeded this call to invest with FTX.

November 11th, 2022 – FTX, one of the world’s largest cryptocurrency exchanges, filed for bankruptcy. This news sent shockwaves through the cryptocurrency community and raised concerns about the stability and security of the industry.

December 13th, 2022 – FTX’s newly appointed CEO, John Ray, testified in front of the House Financial Services Committee, and he did not mince his words. Ray described the company as having committed “classic embezzlement”. This consisted of unsatisfactory software usage, margin calls (using other people’s money to purchase risky investments), and, most important of all for us, LACKING SECURITY CONTROLS.

From Brave to Broke

While this situation is currently under investigation and more details will surely be released in the coming months, I wanted to highlight the comments made by John Ray in last month’s hearing as they were very interesting for people in the Information Security world. The entire testimony was almost 4 hours, so here are the biggest takeaways:

  • Little to no record-keeping or auditing of systems. FTX, a company with tens of billions of dollars in assets under management, utilized QuickBooks and Slack to “track” where money was going.
  • Disturbingly, Ray explained that part of his fix would be to implement controls and basic corporate standards such as “accounting, audit, cash management, cybersecurity, human resources, risk management, data protection and other systems that did not exist, or did not exist to an appropriate degree, before my appointment.”
  • Insecure handling of private keys and wallets: Sam Bankman-Fried (former CEO of FTX) and FTX “management practices included the use of an unsecured group email account as the root user to access confidential private keys and critically sensitive data for the FTX Group companies around the world, the absence of daily reconciliation of positions on the blockchain, the use of software to conceal the misuse of customer funds.”
  • FTX and their partner company, Alameda Research, were mostly unaudited and controlled by the former CEO of FTX, Mr. Bankman-Fried.

For IT control leaders and professionals around the United States, John Ray’s testimony brings up several key areas of improvement FTX could have made, and it serves as a reminder for those professionals to evaluate their own internal IT controls.

This is Not Just a Crypto Issue

FTX sidestepped these basic controls and was caught red-handed, leaving all their investors with nothing more than a cheap bag of airplane peanuts. While there is still a lack of regulation around cryptocurrencies, the same cannot be said for the rest of the business world: all companies must follow the rules laid out for their specific industry. If you are an IT leader in your organization and feel your internal IT security controls could use some work, QoS is happy to assist you. In the past we have helped clients prepare for Service Organization Controls (SOC) audits and Cybersecurity Maturity Model Certification (CMMC 2.0), just to name a couple, and have assisted with ad-hoc audit tasks to make your process easier.

For more information speak with a QoS consultant today, at, or reach out through our contact form on our website,