The United States Department of Justice (DOJ) charged three US nationals for stealing over $400 million from bankrupt cryptocurrency exchange FTX through a SIM-swapping attack.
FTX’s $400M Hack
Hours into FTX’s Chapter 11 bankruptcy filing in November 2022, hackers stole hundreds of millions of dollars worth of cryptocurrencies from the exchange and, subsequently, laundered it through decentralized exchanges (DEXs), cross-chain bridges, and mixers.
While repeatedly denying involvement with the attack, FTX founder Sam Bankman-Fried (SBF) mentioned it could be an inside job, which it turned out not to be.
A SIM Swap Attack
In an indictment filed in the US District Court for the Northern District of Illinois, prosecutors alleged that around November 11, 2022, the three suspects — Robert Powell, Emily Hernandez, and Carter Rohn — gained control of an FTX employee’s AT&T account by using fake IDs to unlock FTX’s online accounts and steal $400 million worth of crypto assets from the exchange.
Notably, the indictment did not name FTX, but a report from Bloomberg that cited two people familiar with the matter confirmed it was “victim company-1” labeled as FTX.
Specifically, the DOJ mentioned that Hernandez used a fake ID with an FTX employee’s details to convince AT&T to transfer the mobile phone account to a separate SIM card he controlled. Powell, the group’s ringleader, then used the SIM to generate authentication codes that allowed them to gain access to FTX’s crypto wallets.
While most hacks require sophisticated hacking skills, SIM-swapping uses psychological manipulation. In a SIM swap attack, hackers impersonate a victim and convince their mobile service provider to transfer their mobile number to another SIM card. To do this, they usually claim that the original SIM card has either been stolen, lost, or damaged, and they provide a fake ID with their victim’s details as proof of identity. The primary aim of the hacker in SIM-swapping is to exploit two-factor authentication to gain access to the victim’s online accounts.
According to the DOJ, Hernandez, Powell, and Rohn have orchestrated multiple SIM-swapping attacks targeting around 50 victims between March 2021 and April 2023.
The trio has been charged with fraud and identity theft.
