Three Americans have been charged this week with stealing greater than $400 million in a November 2022 SIM-swapping assault. The U.S. authorities didn’t title the sufferer group, however there’s each indication that the cash was stolen from the now-defunct cryptocurrency change FTX, which had simply filed for chapter on that very same day.
A graphic illustrating the movement of greater than $400 million in cryptocurrencies stolen from FTX on Nov. 11-12, 2022. Image: Elliptic.co.
An indictment unsealed this week and first reported on by Ars Technica alleges that Chicago man Robert Powell, a.okay.a. “R,” “R$” and “ElSwapo1,” was the ringleader of a SIM-swapping group known as the “Powell SIM Swapping Crew.” Colorado resident Emily “Em” Hernandez allegedly helped the group acquire entry to sufferer gadgets in service of SIM-swapping assaults between March 2021 and April 2023. Indiana resident Carter Rohn, a.okay.a. “Carti,” and “Punslayer,” allegedly assisted in compromising gadgets.
In a SIM-swapping assault, the crooks switch the goal’s cellphone quantity to a tool they management, permitting them to intercept any textual content messages or cellphone calls despatched to the sufferer, together with one-time passcodes for authentication or password reset hyperlinks despatched through SMS.
The indictment states that the perpetrators on this heist stole the $400 million in cryptocurrencies on Nov. 11, 2022 after they SIM-swapped an AT&T buyer by impersonating them at a retail retailer utilizing a faux ID. However, the doc refers back to the sufferer on this case solely by the title “Victim 1.”
Wired’s Andy Greenberg just lately wrote about FTX’s all-night race to cease a $1 billion crypto heist that occurred on the night of November 11:
“FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world’s top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company’s CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.”
“FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company’s cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.”
The indictment says the $400 million was stolen over a number of hours between November 11 and 12, 2022. Tom Robinson, co-founder of the blockchain intelligence agency Elliptic, stated the attackers within the FTX heist started to empty FTX wallets on the night of Nov. 11, 2022 native time, and persevering with till the twelfth of November.
Robinson stated Elliptic shouldn’t be conscious of some other crypto heists of that magnitude occurring on that date.
“We put the value of the cryptoassets stolen at $477 million,” Robinson stated. “The FTX administrators have reported overall losses due to “unauthorized third-party transfers” of $413 million – the discrepancy is probably going because of subsequent seizure and return of among the stolen property. Either means, it’s definitely over $400 million, and we’re not conscious of some other thefts from crypto exchanges on this scale, on this date.”
The SIM-swappers allegedly answerable for the $400 million crypto theft are all U.S. residents. But there are some indications they’d assist from organized cybercriminals based mostly in Russia. In October 2023, Elliptic launched a report that discovered the cash stolen from FTX had been laundered by exchanges with ties to legal teams based mostly in Russia.
“A Russia-linked actor seems a stronger possibility,” Elliptic wrote. “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia.”
Nick Bax, director of analytics on the cryptocurrency pockets restoration agency Unciphered, stated the movement of stolen FTX funds appears to be like extra like what his group has seen from teams based mostly in Eastern Europe and Russian than something they’ve witnessed from US-based SIM-swappers.
“I was a bit surprised by this development but it seems to be consistent with reports from CISA [the Cybersecurity and Infrastructure Security Agency] and others that “Scattered Spider” has labored with [ransomware] teams like ALPHV/BlackCat,” Bax stated.
CISA’s alert on Scattered Spider says they’re a cybercriminal group that targets giant corporations and their contracted data expertise (IT) assist desks.
“Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs,” CISA stated, referring to the group’s signature “Tactics, Techniques an Procedures.”
Nick Bax, posting on Twitter/X in Nov 2022 about his analysis on the $400 million FTX heist.
Earlier this week, KrebsOnSecurity revealed a narrative noting {that a} Florida man just lately charged with being a part of a SIM-swapping conspiracy is regarded as a key member of Scattered Spider, a hacking group also referred to as 0ktapus. That group has been blamed for a string of cyber intrusions at main U.S. expertise corporations throughout the summer season of 2022.
Financial claims involving FTX’s chapter proceedings are being dealt with by the monetary and threat consulting large Kroll. In August 2023, Kroll suffered its personal breach after a Kroll worker was SIM-swapped. According to Kroll, the thieves stole consumer data for a number of cryptocurrency platforms that depend on Kroll providers to deal with chapter proceedings.
KrebsOnSecurity sought remark for this story from Kroll, the FBI, the prosecuting attorneys, and Sullivan & Cromwell, the regulation agency dealing with the FTX chapter. This story might be up to date within the occasion any of them reply.
Attorneys for Mr. Powell stated they have no idea who Victim 1 is within the indictment, as the federal government hasn’t shared that data but. Powell’s subsequent court docket date is a detention listening to on Feb. 2, 2024.