In the hours after crypto exchange FTX filed for Chapter 11 bankruptcy protection on Nov. 11, 2022, a still unidentified attacker drained $415 million to $432 million from wallets connected to the company.

A new Wired magazine report details how FTX staffers raced to save more than $1 billion in assets that night.

“It was a very, very crazy night. We worked on it, we got it done, and we saved a massive amount of customers’ money,” a former FTX staffer told Wired.

Observers of the ongoing trial of co-founder and former CEO Sam Bankman-Fried will be looking for some explanation of how the breach occurred and who was behind it. Bankman-Fried, who faces seven charges, and others have not been implicated in the theft, which happened shortly after he had been replaced as CEO.

FTX responded to the outflows by first hosting a Google Meet call led by Zach Dexter, CEO of FTX subsidiary LedgerX, that included more than 20 FTX staff and lawyers. Most on the call didn’t know where FTX stored its digital assets or how the secret keys needed for the wallets were managed.

Dexter ended up reaching out to crypto custodian BitGo to create cold storage wallets, which keep assets locked in an offline location that’s usually a hardware device. But BitGo said at the time that its wallets would not be ready for about 30 minutes, worrying staffers on the call that the hacker would have time to drain more funds.

As an emergency measure, FTX adviser Kumanan Ramanathan set up a temporary wallet on his own Ledger Nano hardware device to protect the assets. FTX staff later transferred hundreds of millions in crypto to the BitGo cold storage. Ramanathan had around half a billion dollars worth of crypto on his device and called the police in an attempt to protect the assets from physical theft.

“He’s a total boss,” the former FTX staffer told Wired. “It’s my pretty strong feeling that if we hadn’t pulled this Ledger stunt, we would have lost significantly more money.”

The new leaders of FTX blamed the exploit on security failures, including a lack of security staff and unencrypted keys. The exploiter is still active, with on-chain data showing the movement of $17 million ether (ETH) to five different addresses since Sept. 30.

The exploiter moved some funds onto the decentralized exchange THORSwap, which then went into “maintenance mode” and paused swaps due to the potential illicit trading.