Case Study 34.1: How Nansen Identified the FTX/Alameda Connection Before the Collapse

The Setup

In early November 2022, the cryptocurrency exchange FTX was valued at $32 billion. Its founder, Sam Bankman-Fried (SBF), was on the cover of Forbes and Fortune, had spent $40 million on political donations, and was frequently cited by U.S. lawmakers as a model of responsible crypto leadership. FTX was the second-largest cryptocurrency exchange by volume, behind only Binance. Its affiliated trading firm, Alameda Research, was one of the largest market makers in crypto.

Within 10 days, FTX would file for bankruptcy in what prosecutors would later call "one of the biggest financial frauds in American history." Between $8 billion and $10 billion in customer funds were missing. The collapse wiped out not only FTX's customers but also dozens of companies that had deposited funds with the exchange. Bankman-Fried was eventually convicted on seven counts of fraud and money laundering.

What makes this case study relevant to on-chain analytics is that the warning signs were visible on the blockchain weeks before the collapse became public. On-chain analysts, particularly the team at Nansen, identified suspicious fund flows between FTX and Alameda Research well before mainstream financial reporters or regulators understood the extent of the problem. The FTX collapse is the single most important case study in on-chain forensics --- a demonstration that blockchain transparency can expose fraud even when traditional auditing and regulatory oversight fail.

The Key On-Chain Evidence

The CoinDesk Report and the Alameda Balance Sheet

On November 2, 2022, CoinDesk reporter Ian Allison published an article revealing that a large portion of Alameda Research's balance sheet consisted of FTT tokens --- the exchange token issued by FTX. This was alarming because FTT was not an independent asset; its value depended entirely on FTX's continued operation. If Alameda was using FTT as collateral for loans, and FTT's value depended on FTX, then the entire structure was circular: FTX's health depended on Alameda's solvency, and Alameda's solvency depended on FTT's price, which depended on FTX's health.

But the CoinDesk report was based on a leaked document --- a traditional, off-chain source. The on-chain analysts had been seeing signals for much longer.

Nansen's Wallet Labeling

Nansen, the blockchain analytics firm, had labeled approximately 250 million wallet addresses with entity tags --- linking blockchain addresses to known exchanges, DeFi protocols, venture capital firms, and individual whales. Their proprietary labeling database was the product of years of research combining controlled deposit tests (sending small amounts to exchanges and tracking which addresses received them), public information (addresses listed on exchange websites or in blockchain transactions), and pattern analysis.

For FTX and Alameda, Nansen had identified:

  • FTX hot wallets: The operational addresses used for customer deposits and withdrawals
  • FTX cold wallets: Long-term storage addresses holding exchange reserves
  • Alameda Research wallets: Addresses associated with Alameda's trading operations
  • FTT treasury addresses: Addresses holding the undistributed supply of FTT tokens

This labeling was the foundation for everything that followed. Without knowing which addresses belonged to which entity, the transaction data would have been a meaningless stream of anonymous transfers.

The Suspicious Fund Flows

In the weeks leading up to the collapse, Nansen analysts observed several anomalous patterns:

1. FTX-to-Alameda transfers that did not match normal business operations.

Normal exchange-to-trading-firm flows follow predictable patterns: market-making deposits and withdrawals, fee settlements, and liquidity provisioning. The flows between FTX and Alameda deviated from these patterns in both volume and timing. Large transfers occurred at irregular intervals, often during periods of market stress when one would expect a trading firm to be managing its own risk, not receiving new capital.

2. Alameda's growing FTT concentration.

On-chain token tracking showed that Alameda's addresses held an increasingly large fraction of the total FTT supply. This was visible to anyone who queried the FTT token contract for the balances of Alameda's known addresses. By early November 2022, Alameda and FTX together held a majority of all circulating FTT.

To illustrate what this analysis might look like in code:

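# Simplified reconstruction of the FTT concentration analysis
# (Using the analytical framework from this chapter)
from web3 import Web3

# Placeholder: substitute the URL of your own Ethereum JSON-RPC provider
w3 = Web3(Web3.HTTPProvider("https://YOUR-ETHEREUM-RPC-ENDPOINT"))

# Minimal ERC-20 ABI: only the two read-only calls used below
ERC20_ABI = [
    {"name": "balanceOf", "type": "function", "stateMutability": "view",
     "inputs": [{"name": "owner", "type": "address"}],
     "outputs": [{"name": "", "type": "uint256"}]},
    {"name": "decimals", "type": "function", "stateMutability": "view",
     "inputs": [], "outputs": [{"name": "", "type": "uint8"}]},
]

# get_token_balance is not defined on this page; this web3.py version is an assumption
def get_token_balance(token_address, holder_address):
    """Return the holder's balance of an ERC-20 token, in whole tokens."""
    token = w3.eth.contract(
        address=Web3.to_checksum_address(token_address), abi=ERC20_ABI
    )
    raw = token.functions.balanceOf(Web3.to_checksum_address(holder_address)).call()
    return raw / 10 ** token.functions.decimals().call()

ftt_contract = "0x50D1c9771902476076eCFc8B2A83Ad6b9355a4c9"  # FTT on Ethereum

# Known FTX/Alameda addresses (as identified by Nansen)
ftx_alameda_addresses = [
    "0x2FAF487A4414Fe77e2327F0bf4AE2a264a776AD2",  # FTX
    "0xC098B2a3Aa256D2140208C3de6543aAEf5cd3A94",  # FTX
    "0x7eB8E37e0fC0a42249bD20122e03747c43CCA4De",  # Alameda
    # ... additional labeled addresses
]

# Query FTT balances for each address (read at the latest block)
# (This data was available to anyone who queried the FTT contract)
total_ftt_supply = 328_895_103  # Total FTT supply

ftx_alameda_balance = sum(
    get_token_balance(ftt_contract, addr) for addr in ftx_alameda_addresses
)

concentration = ftx_alameda_balance / total_ftt_supply * 100
# Result: FTX + Alameda controlled ~80% of circulating FTT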

This concentration was a critical vulnerability. If FTT's price dropped significantly, Alameda's balance sheet would collapse, and if Alameda's balance sheet collapsed while it owed money to FTX (or, worse, if FTX had lent customer funds to Alameda), FTX itself would become insolvent.

3. The Binance FTT sell signal.

On November 6, 2022, Binance CEO Changpeng Zhao (CZ) tweeted that Binance would liquidate its remaining FTT holdings, worth approximately $530 million. On-chain analysts immediately tracked the resulting movement: large FTT transfers from Binance-labeled addresses to exchange sell-side liquidity. The on-chain data showed the sell pressure materializing in real time, hours before it was fully reflected in FTT's price.

4. FTX withdrawal outflows.

As panic spread, Nansen tracked the outflows from FTX's known addresses. On November 7 and 8, the data showed withdrawals accelerating --- a classic bank run visible on-chain. By comparing outflow rates to FTX's known reserve addresses, analysts estimated that FTX would run out of liquid reserves within days. On November 8, FTX paused withdrawals, confirming what the on-chain data had already suggested: the exchange did not have sufficient reserves to cover customer claims.

The Timeline, On-Chain vs. Public

| Date | On-Chain Signal | Public Knowledge |
|---|---|---|
| Weeks before Nov 2 | Unusual FTX → Alameda transfers visible | No public awareness |
| Oct 2022 | FTT concentration in Alameda wallets increasing | No public awareness |
| Nov 2, 2022 | On-chain confirms CoinDesk's Alameda balance sheet report | CoinDesk article published |
| Nov 6, 2022 | Binance FTT sell-off visible on-chain in real time | CZ's tweet triggers panic |
| Nov 7-8, 2022 | FTX outflows accelerate; reserves depleting visibly | Users begin panic withdrawals |
| Nov 8, 2022 | FTX addresses show near-zero reserves | FTX pauses withdrawals |
| Nov 11, 2022 | On-chain shows unauthorized transfers from FTX wallets | FTX files for bankruptcy |
| Post-bankruptcy | Full forensic reconstruction of misappropriated funds | DOJ criminal investigation |

The on-chain signals preceded public knowledge at every stage. Analysts with access to labeled addresses and the skills to interpret fund flows had material information days to weeks before the general public.

The Technical Methods

Wallet Labeling at Scale

Nansen's core advantage was its labeled address database. Building such a database requires:

  1. Controlled deposits: Send a small, known amount from your own address to an exchange's deposit system. Track which address receives it. This reveals the exchange's deposit address infrastructure.

  2. Public records: Some addresses are publicly known (e.g., Ethereum Foundation addresses, protocol treasury addresses, addresses listed in project documentation).

  3. Heuristic clustering: Apply the clustering techniques from Section 34.7 to group addresses by entity. If address A and address B both receive funds from address C (a known exchange hot wallet), and both interact with the same DeFi protocols in similar patterns, they may belong to the same entity.

  4. Social engineering and OSINT: Sometimes entities reveal their own addresses through social media, governance proposals, or on-chain messages.

The cumulative database --- built over years and constantly updated --- is what enabled real-time monitoring of FTX and Alameda's fund movements.
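
The heuristic in step 3 can be sketched as follows. This is an added example, not Nansen's method or code from this chapter: the addresses, protocol sets and the `min_sim` threshold are constructed, and the output is a list of candidate clusters that still need confirmation from the other labeling sources.

```python
from itertools import combinations

KNOWN_HOT_WALLETS = {"0xHOT"}            # constructed label for a known exchange hot wallet

# Constructed observations: who funded each address, and which protocols it used
FUNDED_BY = {"0xA": {"0xHOT"}, "0xB": {"0xHOT"}, "0xC": {"0xHOT"},
             "0xD": {"0xEOA"}, "0xE": {"0xHOT"}}
PROTOCOLS = {"0xA": {"aave", "curve", "uniswap"},
             "0xB": {"aave", "curve", "uniswap", "lido"},
             "0xC": {"opensea"},                       # same funder, different behaviour
             "0xD": {"aave", "curve", "uniswap"},      # same behaviour, different funder
             "0xE": {"lido", "curve", "uniswap", "maker"}}


def jaccard(a, b):
    """Overlap of two protocol sets: |a & b| / |a | b|."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def candidate_clusters(funded_by, protocols, hot_wallets, min_sim=0.5):
    """Link two addresses only if BOTH conditions hold: a shared known hot-wallet
    funder and similar protocol usage. Links are merged with union-find."""
    parent = {addr: addr for addr in funded_by}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x

    for a, b in combinations(sorted(funded_by), 2):
        shared_funder = funded_by[a] & funded_by[b] & hot_wallets
        if shared_funder and jaccard(protocols[a], protocols[b]) >= min_sim:
            parent[find(a)] = find(b)

    groups = {}
    for addr in funded_by:
        groups.setdefault(find(addr), set()).add(addr)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    print(candidate_clusters(FUNDED_BY, PROTOCOLS, KNOWN_HOT_WALLETS))
```

Note that 0xA and 0xE end up together only through 0xB (their direct similarity is 0.4), so one wrong link can chain unrelated addresses into a cluster; a hot wallet also funds many unrelated customers, which is why the funder test alone is never enough.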

Flow Analysis

The core analytical technique was directional flow analysis:

For each time period:
  1. Identify all transactions from FTX-labeled addresses
  2. Identify all transactions to Alameda-labeled addresses
  3. Calculate net flow: FTX → Alameda minus Alameda → FTX
  4. Compare to historical baseline
  5. Flag deviations above N standard deviations

When the net flow from FTX to Alameda spiked significantly above historical norms, it indicated that FTX was sending unusual amounts of capital to Alameda. Combined with the knowledge that FTX held customer deposits, this pattern was a red flag.
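
The five steps above as a runnable sketch, added here as an illustration and not taken from Nansen or from this chapter's tools. The labels, short addresses and amounts (in millions of dollars) are constructed; the baseline deliberately excludes the weeks under test so that a spike cannot inflate its own standard deviation.

```python
from collections import defaultdict
from statistics import mean, stdev

# Constructed labels (hypothetical short addresses, not real ones)
LABELS = {"0xF1": "FTX", "0xF2": "FTX", "0xA1": "Alameda", "0xB1": "Other"}

# Constructed transfers: (week, sender, receiver, amount in $ millions)
TRANSFERS = []
for week, sent in enumerate([30, 15, 28, 8, 24, 15], start=1):   # quiet baseline weeks
    TRANSFERS += [(week, "0xF1", "0xA1", sent), (week, "0xA1", "0xF2", 20)]
TRANSFERS += [(7, "0xF1", "0xA1", 50)] * 10 + [(7, "0xA1", "0xF1", 20)]
TRANSFERS += [(8, "0xF2", "0xA1", 35), (8, "0xA1", "0xF1", 20), (8, "0xF1", "0xB1", 900)]


def net_flow_by_period(transfers, labels, src="FTX", dst="Alameda"):
    """Steps 1-3: per period, sum(src -> dst) minus sum(dst -> src)."""
    net = defaultdict(float)
    for period, sender, receiver, amount in transfers:
        pair = (labels.get(sender), labels.get(receiver))
        if pair == (src, dst):
            net[period] += amount
        elif pair == (dst, src):
            net[period] -= amount
    return dict(net)


def flag_deviations(net, baseline, candidates, n_sigma=3.0):
    """Steps 4-5: z-score each candidate period against the baseline periods."""
    base = [net.get(p, 0.0) for p in baseline]   # a period with no transfers counts as 0
    mu, sigma = mean(base), stdev(base)
    if sigma == 0:
        raise ValueError("baseline has no variance; z-score is undefined")
    flagged = []
    for p in candidates:
        z = (net.get(p, 0.0) - mu) / sigma
        if z > n_sigma:
            flagged.append((p, net.get(p, 0.0), round(z, 1)))
    return flagged


if __name__ == "__main__":
    net = net_flow_by_period(TRANSFERS, LABELS)
    print(flag_deviations(net, baseline=range(1, 7), candidates=[7, 8]))
```

Week 7 (ten transfers of 50 against one return of 20) is flagged; week 8 is not, because its large transfer goes to an address labeled as neither entity and its FTX/Alameda net flow stays within the baseline range.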

Reserve Verification

On-chain analytics also enables a form of "proof of reserves" --- verifying that an exchange holds sufficient assets to cover customer deposits. By summing the balances of all known exchange addresses and comparing to reported customer deposits, analysts can estimate whether an exchange is fully backed.

For FTX, this analysis showed a growing gap between known reserves and reported customer numbers. The exchange's wallet balances were declining at a rate inconsistent with normal trading operations.
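
A sketch of the reserve check described here and of the run-rate estimate mentioned under "FTX withdrawal outflows", added as an example that is not from Nansen or this chapter's code. The address labels, daily balances and the deposits figure are constructed (amounts in millions of dollars), and a single asset is assumed.

```python
from statistics import mean

# Constructed daily balance snapshots for labeled reserve addresses
# (hypothetical labels; index 0 is the oldest day)
SNAPSHOTS = [
    {"hot-1": 400, "cold-1": 1600},
    {"hot-1": 380, "cold-1": 1600},
    {"hot-1": 300, "cold-1": 1500},
    {"hot-1": 150, "cold-1": 1250},
    {"hot-1": 50,  "cold-1": 750},
]
REPORTED_DEPOSITS = 8000   # constructed figure for reported customer deposits


def daily_reserves(snapshots):
    """Sum the balances of every labeled address for each day."""
    return [sum(day.values()) for day in snapshots]


def coverage_ratio(reserves, reported_deposits):
    """Known reserves / reported deposits. Below 1.0 means the labeled addresses
    do not cover deposits; unlabeled wallets are invisible to this check."""
    if reported_deposits <= 0:
        raise ValueError("reported deposits must be positive")
    return reserves / reported_deposits


def days_until_depleted(reserve_series, window=2):
    """Runway at the recent pace: latest reserves divided by the mean daily net
    outflow over the last `window` days. None if reserves are flat or growing."""
    if window < 1 or len(reserve_series) < window + 1:
        raise ValueError("need at least window + 1 snapshots")
    recent = reserve_series[-(window + 1):]
    outflows = [prev - cur for prev, cur in zip(recent, recent[1:])]
    rate = mean(outflows)
    return reserve_series[-1] / rate if rate > 0 else None


if __name__ == "__main__":
    series = daily_reserves(SNAPSHOTS)
    print(series, coverage_ratio(series[-1], REPORTED_DEPOSITS),
          days_until_depleted(series))
```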

Lessons for On-Chain Analysts

1. Labeling is the foundation of everything

Without knowing which addresses belong to which entities, on-chain data is a stream of transactions between anonymous accounts. The analytical power comes from linking addresses to identities. This is why Nansen, Chainalysis, and Arkham Intelligence invest so heavily in their labeling databases.

Implication for your work: When analyzing any protocol or exchange, start by identifying and labeling the key addresses. Use Etherscan's public labels, check project documentation for official addresses, and apply clustering heuristics to identify related addresses.

2. Anomalies matter more than absolutes

The FTX/Alameda transfers were suspicious not because any single transaction was unusual in isolation, but because the pattern deviated from historical norms. A $50 million transfer between an exchange and its affiliated trading firm is normal. Ten $50 million transfers in a week when the trading firm's publicly known strategy should not require that much capital is abnormal.

Implication for your work: Always establish baselines before flagging anomalies. What is the normal flow between these addresses? What is the normal volume for this protocol? Deviations from baselines are more informative than absolute numbers.

3. On-chain analytics is necessary but not sufficient

The on-chain data showed suspicious flows, but it could not definitively prove fraud. The smoking gun --- evidence that FTX had lent customer deposits to Alameda --- required combining on-chain evidence with off-chain information (the leaked balance sheet, subsequent testimony, internal documents). On-chain analytics provided the first signal and the forensic trail, but the complete picture required traditional investigative methods.

Implication for your work: On-chain data is one input to analysis, not the complete story. Always ask what off-chain context might explain the patterns you observe.

4. Speed matters

Analysts who identified the FTX warning signs in real time had actionable information: they could withdraw their funds, close their positions, or alert their readers. Analysts who performed the same analysis after the collapse confirmed what had happened but could not prevent losses. In on-chain analytics, the value of information decays rapidly.

Implication for your work: Build monitoring tools that can flag anomalies in real time, not just retrospective analysis tools. The whale_tracker.py and alert-style tools from this chapter are building blocks for real-time monitoring systems.

5. The ethical dimensions are real

The Nansen analysis helped many people avoid losses by withdrawing funds before FTX collapsed. But the same techniques could be used to front-run withdrawals (profiting from others' panic), to harass individuals by linking their blockchain activity to their identity, or to conduct surveillance on political dissidents. The power of on-chain analytics comes with responsibility.

Discussion Questions

  1. Should on-chain analytics firms be required to share their findings with regulators when they identify potential fraud? What are the arguments for and against mandatory reporting?

  2. If on-chain analysts had published their FTX concerns earlier (before the CoinDesk article), could they have been liable for "market manipulation" by causing a panic? How should the law treat on-chain evidence of potential fraud?

  3. Nansen's labeled address database is proprietary --- a competitive advantage that drives their business model. Should blockchain address labels be open-source public goods, or does the effort to build them justify proprietary ownership?

  4. The FTX collapse was eventually detected and prosecuted. Does this validate the argument that blockchain transparency is a net positive for financial integrity, or does the fact that $8 billion was stolen despite full transparency suggest that transparency alone is insufficient?

  5. How would the FTX investigation have differed if FTX had operated on a privacy-preserving blockchain (like Monero or Zcash with shielded transactions)? What does this imply for the debate over blockchain privacy features?

Further Exploration

  • Primary source: Nansen's "FTX Situation Report" blog posts from November 2022 provide real-time analysis as the crisis unfolded.
  • Legal analysis: The U.S. DOJ criminal complaint against SBF extensively cites blockchain evidence. The filing is publicly available and demonstrates how on-chain analysis is used in federal prosecution.
  • Technical deep dive: Arkham Intelligence published detailed address labeling and flow analysis for the FTX/Alameda complex. Their dashboard is freely accessible.
  • Broader context: The FTX collapse parallels traditional financial frauds (Enron, Madoff), but the on-chain transparency meant the fraud's mechanics were visible to outsiders in a way that traditional financial fraud is not. Compare the on-chain evidence timeline to the Enron investigation timeline.