This week, three Americans were indicted on charges of stealing more than $400 million in a SIM swapping attack in November 2022. The U.S. government did not reveal the name of the victim organization, but there is evidence that the money was stolen from the now-defunct cryptocurrency exchange FTX, which had filed for bankruptcy on the same day.

Graphic showing the flow of over $400 million worth of cryptocurrency stolen from FTX on November 11-12, 2022. Image: Elliptic.co.
The indictment, made public this week and first reported by Ars Technica, alleges that Chicago man Robert Powell, aka “R”, “R$”, and “ElSwapo1”, was the leader of a SIM swapping group called the “Powell SIM Swapping Crew.” Colorado resident Emily “Em” Hernández reportedly helped the group gain access to victim devices for SIM swap attacks between March 2021 and April 2023. Indiana resident Carter Rohn, aka “Carti” and “Punslayer”, is said to have helped compromise devices.
In a SIM swapping attack, a fraudster transfers the target’s phone number to a device they control and can then intercept every text message or phone call sent to the victim, including one-time passwords for authentication or password reset links sent via SMS.
According to the indictment, the perpetrators of this robbery stole $400 million in cryptocurrency on November 11, 2022, after swapping SIMs by using fake IDs to impersonate AT&T customers at retail stores. However, the document only refers to the victim in this case as ‘Victim 1’.
Wired’s Andy Greenberg recently wrote about FTX’s all-night race to stop a $1 billion cryptocurrency heist that occurred on the evening of November 11th.
“FTX’s employees have already endured some of the worst days in the company’s short life. The exchange, which just 10 months ago was one of the world’s leading cryptocurrency exchanges, valued at $32 billion, has just declared bankruptcy. After a long struggle, management persuaded the company’s CEO, Sam Bankman-Fried, to hand over control to John Ray III. John Ray III is now the new CEO tasked with navigating a nightmarish debt pile. ‘I don’t have the means to pay.’”
“FTX appeared to have hit bottom, until a thief or yet-to-be-identified thieves chose a certain moment to make the situation even worse. That Friday evening, exhausted FTX employees began noticing mysterious leaks of the company’s cryptocurrency, publicly captured on the Etherscan website, which tracks the Ethereum blockchain. This means hundreds of millions of dollars worth of cryptocurrency were stolen in real time.”
According to the indictment, $400 million was stolen over a period of hours between November 11 and 12, 2022. Tom Robinson, co-founder of blockchain intelligence company Elliptic, said the attackers in the FTX raid began stealing from FTX wallets on the evening of November 11, 2022 local time, and continued until November 12.
Robinson said Elliptic is not aware of any other cryptocurrency heists of this magnitude occurring on those dates.
“We estimated the value of the stolen cryptocurrency at $477 million,” Robinson said. “FTX administrators reported an overall loss of $413 million due to ‘unauthorized third party transfers.’ This discrepancy may be due to the subsequent seizure and return of some of the stolen assets. Either way, it’s clearly over $400 million and we are currently not aware of any other thefts from cryptocurrency exchanges of this scale.”
The SIM swappers allegedly responsible for the $400 million cryptocurrency theft are all US residents. However, there are some signs that they may have received help from organized cybercriminals based in Russia. In October 2023, Elliptic published a report stating that money stolen from FTX was laundered through ties to a Russia-based criminal group.
“It seems more likely that there will be a Russian-linked actor,” Elliptic wrote. “Many of the stolen assets traceable through ChipMixer are combined with funds from Russian-linked criminal groups, including ransomware gangs and darknet markets, and are sent to exchanges. This means there is a broker or other intermediary involved in the nexus in Russia.”
Nick Bax, head of analytics at cryptocurrency wallet recovery company Unciphered, said the flow of stolen FTX funds was more similar to what his team had seen from groups based in Eastern Europe and Russia than what he had seen from US-based SIM swappers.
“We are a little surprised by this development, but it seems consistent with reports from CISA [the Cybersecurity and Infrastructure Security Agency] and others that ‘Scattered Spider’ has worked with [ransomware] groups like ALPHV/BlackCat,” Bax said.
According to CISA’s warning about Scattered Spider, it is a cybercrime group that targets large corporations and the information technology (IT) help desks they contract with.
“According to trusted third parties, Scattered Spider threat actors are commonly known to steal data for extortion and utilize BlackCat/ALPHV ransomware in conjunction with common TTPs,” CISA said, referring to the group’s signature “tactics, techniques and procedures.”

Nick Bax posts research on $400 million FTX heist on Twitter/X, November 2022.
Earlier this week, KrebsOnSecurity published a story alleging that a Florida man recently indicted for his alleged involvement in a SIM swapping conspiracy is thought to be a key member of the hacking group Scattered Spider, also known as 0ktapus. The group has been accused of carrying out a series of cyber intrusions into major U.S. technology companies during the summer of 2022.
Financial claims related to FTX’s bankruptcy proceedings are being handled by the financial and risk consulting giant Kroll. In August 2023, Kroll suffered its own breach after a Kroll employee was SIM-swapped. According to Kroll, thieves stole user information for several cryptocurrency platforms that use Kroll’s services to handle bankruptcy proceedings.
KrebsOnSecurity sought comment for this story from Kroll, the FBI, the prosecuting attorneys, and Sullivan & Cromwell, the law firm handling the FTX bankruptcy. This story will be updated if any of them respond.
Mr. Powell’s lawyers said they did not know who the Victim 1 named in the indictment was because the government had not yet shared that information. Powell’s next court date is a detention hearing on February 2, 2024.