Cryptocurrency has always offered a strange mix of temptations and challenges for anyone trying to steal it. As digital cash, held in multibillion-dollar sums on hackable, internet-connected networks, it presents a lucrative target. But once it’s stolen, the blockchains that almost every cryptocurrency is built on make it possible to follow that money’s every movement and, very often, to identify the thieves.

So, after a massive heist pulled nearly half a billion dollars’ worth of funds out of the already collapsing FTX cryptocurrency exchange yesterday, the world’s crypto tracers are now closely tracking where that loot ends up – and looking for any clues that reveal the thief to be an FTX insider or just an opportunistic hacker.

On Friday, hours after the major cryptocurrency exchange FTX had filed for bankruptcy in the wake of its epic, 10-figure collapse, FTX’s remaining funds were drained of more than $663 million worth of cryptocurrency, much of which appears to have been stolen.

“FTX has been hacked,” wrote an administrator in FTX’s Telegram channel. “FTX apps are malware. Delete them.” Exactly how FTX might have been breached – and whether its apps are, in fact, compromised – is far from clear and FTX hasn’t officially announced any theft. But the company’s US general counsel wrote in a tweet that “unauthorised access to certain assets has occurred.”

FTX did not respond to Wired’s request for comment.

Soon, the crypto-tracing and blockchain analysis firm Elliptic revealed that the $663 million outflow seemed to be a combination of FTX’s movement of coins into its own storage wallets and a mysterious theft. According to Elliptic, fully $477 million of the funds appear to have been stolen, though another crypto-tracing firm, TRM Labs, puts the number at $338 million.

Twenty-four hours after the theft, most of that money had moved into just a handful of cryptocurrency addresses, where the entire crypto-tracing industry, a vast community of amateur crypto sleuths and no doubt law enforcement agencies around the globe are now all watching it with an unblinking gaze.

That observability, for the FTX funds and for other stashes of stolen crypto, presents a serious challenge for any thief trying to cash out their haul into traditional currency.

In this case, where regulators and an army of aggrieved creditors are looking for any sign that FTX’s staff or owners may themselves be the culprits, it could ultimately help confirm that insiders were responsible for the theft – or instead show that external hackers took advantage of the chaos at FTX to pull off a burglary.

“We’re definitely watching the movements of these funds,” says Chris Janczewski, the head of investigations at TRM Labs and a former special agent at the IRS’s criminal investigations division. “This potential thief has hundreds of millions of dollars. But it’s like they went into a bank, took as much cash as they could carry and then the dye packs went off. They’ve got all this money, but now everyone knows it’s connected to this bank robbery. What can you actually do with it?”

According to Elliptic’s analysis, at least $220 million of funds stolen in the form of a variety of cryptocurrencies were quickly traded through decentralised exchanges – trading platforms that allow users to swap coins without giving identifying information – to convert them into the cryptocurrencies ether and dai. But cashing out those coins and the rest of the stolen loot will likely require trading it on a centralised exchange, which almost always requires users to hand over identifying information.

The thieves may try to put the money through a “mixing” service that launders the coins by blending them with those of other users. But crypto-tracing blockchain analysts have proven they can often defeat those mixers – particularly when users are feeding very large sums into them. And some mixers, like the Tornado Cash service that was sanctioned by the US Treasury in August, render cryptocurrency untouchable for many exchanges or vulnerable to seizure.

That means it will be very difficult for the thieves to abscond with their profits in a spendable form without being identified, says Michelle Lai, a cryptocurrency privacy advocate, investor and consultant who says she’s been tracking the movements of the stolen FTX funds with “morbid fascination.”

But the real question, Lai says, is whether identifying the thieves will offer any recourse: After all, many of the most prolific cryptocurrency thieves are Russians or North Koreans operating in non-extradition countries, beyond the reach of Western law enforcement.

“It’s not a question of whether they’ll know who did it. It’s whether it will be actionable,” says Lai. “Whether they’re onshore.”

In the meantime, Lai and many other crypto-watchers have been closely eyeing one Ethereum address that is currently holding around $192 million worth of the funds.

The account has been sending small sums of Ethereum-based tokens – some of which appear to have little to no value – to a variety of exchange accounts, as well as Ethereum inventor Vitalik Buterin and Ukrainian cryptocurrency fundraiser accounts. But Lai guesses that these transactions are likely meant to simply complicate the picture for law enforcement or other observers before any real attempt to launder or cash out the money.

More tellingly, Tobias Silver, founder of crypto service Just.Money, pointed out on Twitter that one of the thieves’ transactions appeared to have been paid for with transaction fees funded from an account on the Kraken cryptocurrency exchange, which is likely required to possess identifying information for that account under “know-your-customer” laws.

Kraken’s chief security officer, Nicholas Percoco, later tweeted, “We know the identity of the user.” When Wired reached out to Percoco for comment, a Kraken spokesperson responded in a statement that “we have actively monitored recent developments with the FTX estate, are in contact with law enforcement and have frozen Kraken account access to certain funds we suspect to be associated with ‘fraud, negligence or misconduct’ related to FTX (as set forth in our Terms of Service).”

The looting of FTX – whether the theft totals $338 million or $477 million – hardly represents an unprecedented haul in the world of cryptocurrency crime. In the late-March hack of the Ronin bridge, a gaming cryptocurrency exchange, North Korean thieves took $540 million. And earlier this year, cryptocurrency tracing led to the bust of a New York couple accused of laundering $4.5 billion in crypto.

But in the case of the high-profile FTX theft and the exchange’s overall collapse, tracing the errant funds might help put to rest—or confirm—swirling suspicions that someone within FTX was responsible for the theft. The company’s Bahamas-based CEO, Sam Bankman-Fried, who resigned Friday, lost virtually his entire $16 billion fortune in the collapse. According to an unconfirmed report from CoinTelegraph, he and two other FTX executives are “under supervision” in the Bahamas, preventing them from leaving the country.

Reuters also reported late last week that Bankman-Fried possessed a “back door” that was built into FTX’s compliance system, allowing him to withdraw funds without alerting others at the company.

Despite those suspicions, TRM Labs’ Janczewski points out that the chaos of FTX’s meltdown might have provided an opportunity for hackers to exploit panicked employees and trick them into, say, clicking on a phishing email.

Or, as Michelle Lai notes, bankrupted insider employees might have collaborated with hackers as a means to recover some of their own lost assets.

As the questions mount over whether – or to what degree – FTX’s own management might be responsible for the theft, the case has begun to resemble, more than any recent crypto heist, a very old one: the theft of a half billion dollars’ worth of bitcoins, discovered in 2014, from Mt Gox, the first cryptocurrency exchange.

In that case, blockchain analysis carried out by cryptocurrency tracing firm Chainalysis, along with law enforcement, helped to pin the theft on external hackers rather than Mt Gox’s own staff. Eventually, Alexander Vinnik, a Russian man, was arrested in Greece in 2017 and later convicted of laundering the stolen Mt Gox funds, exonerating Mt Gox’s embattled executives.

Whether history will repeat itself, and cryptocurrency tracing will prove the innocence of FTX’s staff, remains far from clear. But as more eyes than ever scour the cryptocurrency economy’s blockchains, it’s a sure bet that the whodunit behind the FTX theft will, sooner or later, produce an answer.

• A Wired report