Three individuals have been charged for being involved in the $400 million hack that supposedly victimised cryptocurrency exchange FTX just hours after it declared bankruptcy.
Initially suspected as an inside job, recent developments have shifted the narrative dramatically.
On 24 January 2024, US federal prosecutors in a Washington, DC district court charged Robert Powell, Carter Rohn, and Emily Hernandez with orchestrating sophisticated phone hacking schemes that led to the multiple thefts.
This trio, embroiled in a yearslong conspiracy, executed SIM-swap attacks to hijack the identities of 50 individuals from March 2021 to April 2023.
They managed to do this manipulating telecom providers into transferring the victims’ phone numbers to devices under their control.
Their most significant heist occurred on 11 November 2022, targeting an unnamed “Victim Company-1”. Through a series of deceptive manoeuvres, including Hernandez impersonating an employee, they gained access to the company’s AT&T account. This facilitated the illicit transfer of over $400 million in virtual currency from the company’s crypto wallets.
Insiders and a subsequent analysis by blockchain security firm Elliptic have strongly suggested that “Victim Company-1” is the now-defunct cryptocurrency exchange FTX.
This is supported by the timing of unauthorised transactions from FTX’s wallets immediately following its bankruptcy announcement.
Efforts to launder the stolen funds were tracked across various exchanges and blockchains, with some of the cryptocurrency ending up on Kraken.
Current FTX CEO and restructuring chief, John J. Ray III, had also voiced his frustrations over the exchange’s inadequate security measures and systemic deficiencies.
Upon assuming control in the aftermath of the bankruptcy, Ray described the situation as “pure hell,” citing the disarray of the exchange’s security protocols. This chaotic environment may have inadvertently made FTX a prime target for the trio’s criminal activities.
In light of these revelations, Robert Powell, Carter Rohn, and Emily Hernandez have now been indicted on charges of wire fraud conspiracy and identity theft.
SIM-swapping: A growing concern
The method at the heart of this heist, SIM-swapping, is a tactic that allows criminals to intercept multi-factor authentication codes, a security measure widely used for account logins.
The attack has become increasingly prevalent, targeting high-profile individuals and entities within the crypto sphere.
The SEC’s experience highlighted vulnerabilities, including the removal of multifactor authentication, which facilitated the attack.
Experts argue that relying on mobile numbers for two-factor authentication presents a significant security risk. Blockchain investigator ZachXBT has been vocal about the dangers of the same.
In a post, he highlighted that in the four months preceding August 2023, hackers had managed to steal more than $13.3 million from 54 high-profile figures through this method.
His research indicated a troubling trend of increasing attacks on individuals and projects in the crypto space, with telecom giants Verizon, T-Mobile and ATT frequently targeted.
Locking one’s phone number with their service provider also does not work, said ZachXBT. The best way to avoid a potential SIM-swap attack is to ensure that any two-factor authentication is not linked to a mobile number.
He then recommended the use of authenticator apps like Google Authenticator to mitigate risks.