More than $400 million of crypto was inexplicably withdrawn from the vaults of what was previously the largest cryptocurrency exchange in the world, FTX, on the exact day it announced bankruptcy in November 2022. Many initially believed internal parties at the company were to blame, including perhaps the then CEO Sam Bankman-Fried, now a convicted fraudster. However, evidence found on blockchains over the last year implied that external criminals had taken advantage of FTX’s crisis to conduct a massive robbery.
Now, fresh evidence disclosed in an indictment from the US Department of Justice suggests an even more unexpected twist: Some of the accused thieves seem to have been located in the United States and have now been apprehended.
An indictment submitted last week lays out charges against three individuals—Robert Powell, Carter Rohn, and Emily Hernandez—who stand accused of operating a vast cybercrime theft ring. The gang, referred to by authorities as the “Powell SIM Swapping Crew,” reportedly used SIM swaps—deceiving mobile phone companies into transferring a user’s mobile phone registration to a SIM card owned by the criminals, enabling them to intercept authentication codes sent to the victim’s phone—to steal hundreds of millions of dollars from victims’ accounts.
Notably, the accused gang is alleged to have drained $400 million in virtual currency from the accounts of a firm—referred to only as Victim Company-1 in the indictment—on the night of November 11, 2022, extending into November 12. As first noted by cybersecurity reporter Brian Krebs, this is also exactly when FTX’s theft occurred, which the company itself estimated at somewhere between $415 million and $432 million in stolen crypto.
The blockchain analysis firm Elliptic supported Krebs’ supposition that the $400 million theft outlined in the indictment is almost certainly the FTX heist. “We are not cognizant of any other thefts from crypto businesses of this magnitude, on these dates,” Elliptic stated in a blog post. “As such, it appears likely that FTX is the ‘Victim Company-1’ referred to in the indictment.”
FTX did not immediately respond to a request for comment from WIRED regarding whether it’s the SIM-swapping victim detailed in the indictment.
If the indictment does indeed describe the FTX theft—and given the relative infrequency of nine-figure crypto thefts and the precise timing of this particular one—then the charging document discloses vital specifics about how the FTX heist was executed. It depicts how Powell allegedly directed Hernandez to target a specific phone number for SIM-swapping. Prosecutors claim that Hernandez then acquired a forged ID bearing her picture but the name of her victim—potentially an FTX employee—and exhibited it at an AT&T store in Texas as proof of identity when she asked for the staffer’s account to be transferred to her own phone.
That allowed the group to hijack messages intended for the victim, including authentication codes for his or her account, according to the indictment. Given that those codes usually represent a second-factor authentication mechanism required after a user enters their username and password, it’s not clear how those other credentials might have been stolen, though cybercriminals typically obtain them through phishing, credential-stealing malware, or trying credentials leaked in other database dumps and potentially reused across accounts.
Written by: Amanda Hoover. Contributor: Andy Greenberg. Edited by: Michael Calore and Matt Reynolds.
The possibility that the FTX thieves have been identified as Americans, within reach of US law enforcement, comes as a surprise following Elliptic’s discovery in October of last year that the crypto stolen from FTX had moved across blockchains and through cryptocurrency swapping services in a way that suggested Russia-linked money launderers. Portions of the funds, for instance, moved through mixing services—which take in users’ funds and return others to muddy the trail of any blockchain tracing—that are popular with Russian cybercriminals, such as ChipMixer and Sinbad.
Both mixers, in fact, have been sanctioned by the US Treasury Department for their illicit use, including by Russian ransomware gangs. “It’s looking increasingly likely that the perpetrator has links to Russia,” Elliptic’s chief scientist and cofounder Tom Robinson told WIRED in October. “We can’t attribute this to a Russian actor, but it’s an indication it might be.”
If the money is FTX’s, those blockchain footprints suggest that the $400 million that the hackers allegedly stole is long gone, moved into the hands of international money launderers. “It is therefore not clear whether any of the stolen assets are under their control, and might be recovered,” Elliptic wrote in its blog post today. Nonetheless, if the alleged hackers were paid a portion of that sum in exchange for their work to steal it, that money might still be seized and repaid as restitution to FTX’s many creditors.
Either way, it suggests that another mystery in the story of FTX’s implosion and the billions of dollars in missing funds that disappeared with it may be at least partially solved. If so, it would seem this FTX-related crime, at least, can’t be blamed on Sam Bankman-Fried.