
The FTX Hacker Incident: The Unsolved Mystery of SIM Card Cryptocurrency Theft
TechFlow Selected

Both onshore and offshore cryptocurrency companies are facing growing regulatory and economic concerns.
By Andrew Adams, Coindesk
Translated by Wu Shuo Blockchain
This article discusses a recently unsealed indictment released by the U.S. Department of Justice regarding a SIM swap fraud case, arguing that defendants such as Powell were not the perpetrators behind the FTX hacking incident. It also examines the business risks associated with SIM swapping and potential regulatory pressures on the crypto industry. Previously, Wu Shuo published an article titled "Hard to Defend Against: Why Are So Many Crypto Twitter Accounts Hacked to Post Phishing Links? How to Prevent Them?" which explained the attack mechanism and preventive measures.
Recently, the U.S. Department of Justice quietly unsealed an indictment, which was quickly reported by major mainstream and crypto media outlets claiming it had “solved” a $400 million cryptocurrency theft mystery involving assets previously held by the now-defunct cryptocurrency exchange FTX.
However, this indictment does not serve as the key to resolving the mystery. Instead, it highlights a broader reality: both onshore and offshore cryptocurrency companies face growing regulatory and economic concerns. In particular, the November 2022 “SIM swap” fraud targeting FTX can be seen as one of the most basic forms of “hacking”—a method relying on identity theft and impersonation of financial account holders, which primarily exploits companies that still protect user accounts with outdated two-factor (2FA) or multi-factor authentication (MFA) systems.
U.S. federal regulators are increasingly focusing on the potential dangers posed by privacy protection systems vulnerable to SIM swap attacks. The Federal Communications Commission (FCC) is developing new rules, while recent cybersecurity regulations introduced by the Securities and Exchange Commission (SEC) may compel businesses to strengthen their defenses against this specific threat. Especially after the SEC itself recently fell victim to a SIM swap attack, it may now be even more determined to enforce stricter regulations in this area.
New Charges and the FTX Hack
On January 24, 2024, the U.S. Attorney’s Office for the District of Columbia unsealed an indictment titled United States v. Powell et al. According to the document, Robert Powell, Carter Rohn, and Emily Hernandez conspired to steal personally identifiable information (PII) from over 50 victims.
The trio allegedly used this stolen data to create fake identification documents, aiming to deceive telecom providers into transferring phone accounts belonging to identity theft victims onto devices controlled by the defendants or unnamed “co-conspirators.” The defendants then sold the stolen PII.
The scheme relied on reassigning victims’ phone numbers to physical phones under criminal control—a process requiring the transfer or porting of a victim’s number (essentially their identity) to a Subscriber Identity Module (or “SIM”) card stored within the criminals’ new device. This is known as a “SIM swap” scheme.
Through the SIM swap scheme described in United States v. Powell, the defendants and unnamed co-conspirators deceived wireless carriers into rerouting phone numbers from legitimate users’ SIM cards to SIM cards controlled by the defendants or other unnamed conspirators. This allowed Powell and others to access electronic accounts at various financial institutions and siphon funds from them.
The primary benefit of SIM swapping for the defendants was the ability to intercept messages sent from financial accounts to the new fraudulent device—messages intended to verify whether someone attempting to access an account was the legitimate holder. Normally, without fraud involved, such verification would trigger an SMS message or other notification sent to the legitimate user, who would then confirm access by entering a code provided in the message. However, in these cases, secret codes were delivered directly to the scammers, enabling them to impersonate account holders and withdraw funds.
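The interception described above comes down to one property: an SMS code is addressed to a phone number, and the carrier delivers it to whichever SIM that number currently maps to. The simulation below is an added illustration written for this article, not code from CoinDesk, Wu Shuo, FTX or any carrier. It models a toy carrier and a toy account provider (both constructed), reroutes a number to a second SIM, and shows that the service accepts the code that lands on the new SIM because it cannot distinguish the two. It then contrasts two defensive measures: a device-bound RFC 6238 TOTP secret, which the number swap does not move, and a hypothetical risk check that treats logins shortly after a SIM change as suspicious (the `seconds_since_sim_change` lookup is an assumed carrier signal, and the 72-hour cooldown is an assumed policy value).

```python
import hashlib
import hmac
import secrets
import struct


class Carrier:
    """Toy wireless carrier (constructed): a number routes to whichever SIM it
    is currently assigned to, and SMS is delivered to that SIM's inbox."""

    def __init__(self):
        self.number_to_sim = {}
        self.last_sim_change = {}
        self.inboxes = {}

    def activate(self, number, sim_id, now):
        self.number_to_sim[number] = sim_id
        self.last_sim_change[number] = now

    def port_number(self, number, new_sim_id, now):
        # The step the indictment describes: the carrier is persuaded to move
        # the number onto a SIM the legitimate subscriber does not hold.
        self.number_to_sim[number] = new_sim_id
        self.last_sim_change[number] = now

    def deliver_sms(self, number, text):
        self.inboxes.setdefault(self.number_to_sim[number], []).append(text)

    def seconds_since_sim_change(self, number, now):
        # Assumed signal: some carriers expose "time since last SIM change" to relying parties.
        return now - self.last_sim_change[number]


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1. The code derives from a secret that stays
    on the enrolled device, so rerouting the phone number does not move it."""
    msg = struct.pack(">Q", now // step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class FinancialService:
    """Toy account provider (constructed) offering SMS codes, device-bound TOTP,
    and a hypothetical check against the carrier's last SIM change."""

    SIM_CHANGE_COOLDOWN = 72 * 3600  # assumed policy: logins within 72h of a SIM change are high risk

    def __init__(self, carrier):
        self.carrier = carrier
        self.pending_sms = {}
        self.totp_secrets = {}

    def start_sms_login(self, number):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_sms[number] = code
        self.carrier.deliver_sms(number, f"Your login code is {code}")

    def finish_sms_login(self, number, code):
        return hmac.compare_digest(self.pending_sms.get(number, ""), code)

    def enroll_totp(self, number):
        secret = secrets.token_bytes(20)
        self.totp_secrets[number] = secret
        return secret  # provisioned to the user's authenticator app at enrolment

    def finish_totp_login(self, number, code, now):
        return hmac.compare_digest(totp(self.totp_secrets[number], now), code)

    def recent_sim_change(self, number, now):
        return self.carrier.seconds_since_sim_change(number, now) < self.SIM_CHANGE_COOLDOWN


def latest_code(inbox):
    """Return the six-digit code from the newest SMS in an inbox, or None."""
    return inbox[-1].split()[-1] if inbox else None


def run_scenario():
    carrier = Carrier()
    service = FinancialService(carrier)
    victim, t0 = "+15550100", 1_700_000_000  # constructed sample number and epoch time
    carrier.activate(victim, "sim-victim", now=t0 - 400 * 86400)
    victim_secret = service.enroll_totp(victim)  # authenticator lives on the victim's own device

    # 1. Before any swap: the SMS code lands on the victim's SIM.
    service.start_sms_login(victim)
    got_code_before = latest_code(carrier.inboxes.get("sim-victim", [])) is not None

    # 2. The number is ported to a SIM the victim does not hold; the next code follows the number.
    carrier.port_number(victim, "sim-attacker", now=t0)
    t1 = t0 + 120
    service.start_sms_login(victim)
    victim_inbox_after = carrier.inboxes.get("sim-victim", [])
    rerouted = latest_code(carrier.inboxes.get("sim-attacker", []))

    return {
        "victim_gets_code_before": got_code_before,
        "victim_gets_code_after": len(victim_inbox_after) > 1,          # False: nothing new arrives
        "rerouted_code_accepted": service.finish_sms_login(victim, rerouted),  # True: service cannot tell
        "risk_signal_fires": service.recent_sim_change(victim, t1),      # True: swap was 120 s ago
        "totp_from_victim_device": service.finish_totp_login(victim, totp(victim_secret, t1), t1),
        "totp_without_secret": service.finish_totp_login(victim, totp(b"no-secret", t1), t1),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point of the contrast is that the SMS channel authenticates possession of a phone number, which the carrier can reassign on request, whereas the TOTP secret (or a hardware key) authenticates possession of a specific device. The `recent_sim_change` check is the kind of compensating control a service can apply while SMS remains in use: it does not stop the reroute, but it turns a silent takeover into an event that can be flagged for step-up verification or review.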
Although the Powell indictment does not name FTX as a victim, the largest SIM swap fraud referenced in the indictment clearly refers to the so-called “hack” of FTX that occurred when the company publicly declared bankruptcy—the dates, timing, and amount align precisely with public reports of that hack. Investigative sources cited in media coverage have confirmed that FTX is the entity referred to as “Victim Company-1” in the Powell indictment. At the time of the FTX hack, speculation ran rampant about the culprits: Was it an insider job? Did government regulators secretly orchestrate it?
Many articles reporting on the Powell indictment have carried headlines declaring the mystery solved—that the three defendants carried out the FTX hack. But in fact, the contents of the indictment suggest the opposite. While it explicitly names the three defendants and details their alleged theft of personally identifiable information (PII), the transfer of phone numbers to fraudulently obtained SIM cards, and the sale of stolen FTX access codes, the indictment notably omits any mention of these three individuals when describing the actual act of stealing funds from FTX.
Instead, it states that “co-conspirators gained unauthorized access to FTX accounts” and that “co-conspirators transferred more than $400 million in cryptocurrency from FTX’s cryptocurrency wallets to cryptocurrency wallets controlled by the co-conspirators.” Standard legal drafting practice involves naming defendants when describing actions they took. Here, however, it is the unnamed “co-conspirators” who performed the final—and most critical—step. The question of who these “co-conspirators” might be remains unresolved and may persist until further charges are filed or a trial reveals additional facts.
Regulatory Scrutiny and Business Risks
The FTX case underscores prosecutors’ and regulators’ growing awareness of how simple and widespread SIM swap schemes are. Reading the Powell indictment feels no different from reviewing one of the hundreds of credit card theft indictments pursued annually by federal and state prosecutors. As far as fraud goes, SIM swapping is low-cost, technically unsophisticated, and formulaic. Yet, if you're a criminal, it works.
The effectiveness of SIM swapping largely stems from vulnerabilities in telecom anti-fraud and identity verification protocols, as well as the relatively weak anti-fraud and authentication procedures used by default at many online service providers—including financial services firms. Recently, in December 2023, the FCC issued a report and order taking steps aimed at addressing SIM swap vulnerabilities among wireless service providers. These include requiring carriers to employ secure customer authentication methods before executing SIM replacements like those described in the Powell indictment, while still preserving the relative convenience customers expect when legitimately switching devices. As awareness grows about bad actors exploiting basic MFA and less secure 2FA—particularly via insecure SMS messaging channels—this balancing act will continue to challenge telecom companies and the service providers that rely on them, including crypto firms.
Crypto Security
Wireless service providers are not the only entities facing increased scrutiny related to the allegations in the Powell indictment. This case also holds lessons and warnings for the crypto industry.
Even if the defendants in the Powell case were not the ones who ultimately accessed and drained the FTX wallet, they allegedly provided the authentication codes that enabled such access—codes obtained through a relatively basic SIM swap operation. Within the context of the SEC’s emerging cybersecurity regime, this case highlights the need for exchanges operating in the U.S. to develop processes for assessing and managing cyber risks, including the type of “hacking” executed in the FTX incident. Given that the SEC itself recently became a victim of a SIM swap attack, its enforcement division is likely to pay even closer attention to SIM swap attacks targeting exchanges.
This could place offshore exchanges—which avoid oversight by the SEC or other regulators—at a disadvantage. The SEC’s requirements for regular public disclosure of information related to cybersecurity risk management, strategy, and governance, combined with external audits, ensure that customers and counterparties can understand the measures these companies take to mitigate risks similar to those seen in the FTX collapse. Offshore firms might adopt similarly transparent cybersecurity disclosure practices, but doing so would require a willingness to embrace transparency—a concept some offshore entities may resist, as demonstrated by FTX. Crypto companies and projects should anticipate greater pressure from both regulators and the market to adopt, disclose, demonstrate, and maintain cybersecurity standards significantly higher than those merely sufficient to deter basic fraudsters like the defendants described in the Powell case from walking away with millions of dollars.