The FTX Hack: The Unsolved SIM Swap Mystery
The Justice Department recently, quietly unsealed an indictment that some mainstream and crypto media platforms quickly picked up and reported as charges that “solved” the mystery of a $400 million theft of cryptocurrency previously held by the collapsed crypto-exchange FTX.
The indictment was not that. But it does reflect a growing regulatory and economic concern facing both on- and off-shore cryptocurrency companies. The “SIM swap” fraud that allegedly targeted FTX, in November 2022, is almost a rudimentary “hacking” tool – one based on identity theft and false impersonation of a financial account holder – that largely targets companies that provide increasingly antiquated two- or multi-factor identification (“2FA” and “MFA,” respectively) privacy protections for their clients and account holders.
Federal regulators in the U.S. are increasingly attuned to the dangers posed by systems that rely on privacy protection procedures that are vulnerable to SIM swaps. The Federal Communications Commission is pursuing new rules while the SEC’s recent cybersecurity regulations will likely require companies to up their privacy game in the face of this specific threat. Indeed, the SEC is all the more motivated now, perhaps, given its own recent SIM swap fiasco.
New charges and the FTX hackers
On January 24, 2024, the United States Attorney’s Office for the District of Columbia unsealed an indictment, captioned United States v. Powell, et al., following the arrest of certain of the defendants named in that case. As alleged, Robert Powell, Carter Rohn, and Emily Hernandez worked together to obtain stolen personal identifying information (“PII”) of more than 50 victims.
The trio subsequently used that stolen information to create false identification documents for the purpose of duping telecom providers into swapping the identity theft victim’s cellular telephone account onto a new device held by the defendants or by unnamed “co-conspirators” to whom the trio of defendants sold stolen PII.
The scheme relies on the reassignment of the victims’ phone number to a physical phone controlled by a criminal actor, which entails the transfer or porting of the victims’ number (and, in essence, identity) to the Subscriber Identity Module, or “SIM,” card physically held in the criminal actor’s new device. This is referred to as a “SIM swap” scheme.
Through the SIM swap scheme alleged in United States v. Powell, the defendants and unnamed co-conspirators fraudulently induced wireless telecom providers to reassign cell phone numbers from the legitimate user’s SIM card to that controlled by the defendants or those unnamed co-conspirators. The SIM swap then allowed the Powell trio and others to access victims’ electronic accounts at various financial institutions to steal funds from those accounts.
The key benefit to the defendants of the SIM swap was the ability to intercept on the new, fraudulent devices messages from those financial accounts seeking to authenticate that the person accessing the account was the legitimate account holder. Normally, where no fraud is involved, that authentication would result in a SMS text or other message sent to the legitimate user, who would then authenticate the attempted access of the account by providing a code included in the text or message. In this case, though, that secret code went directly to the fraudsters, who used the code to impersonate the account holder and withdraw funds.
Although the Powell indictment does not name FTX as a victim, the allegations surrounding the largest incident of SIM swap fraud described in the indictment clearly refer to the FTX “hack” that occurred at the time of that company’s public bankruptcy announcement – the dates, times, and amounts line up with public reporting of that hack, and media reports have included confirmation provided by investigation insiders that FTX is, in fact, “Victim Company-1” as described in Powell. At the time of the FTX hack, there was a lot of speculation as to the perpetrators: inside job, shadowy government regulators?
Many of the headlines from articles that have picked up the Powell indictment proclaim that the mystery is solved: the three defendants committed the FTX hack. But the indictment actually suggests the opposite. While the indictment describes the three defendants specifically and by name in the allegations regarding the theft of PII, the porting of cell numbers to a fraudulently obtained SIM, and the sale of purloined FTX access codes, the indictment notably omits any reference to the three defendants when describing the actual theft of FTX funds.
Instead it relates that “co-conspirators gained unauthorized access to [FTX] accounts” and “co-conspirators transferred over $400 million in virtual currency from [FTX’s] virtual currency wallets to virtual currency wallets controlled by the co-conspirators.” Convention in drafting indictments is to name the defendants in actions committed by the defendants. Here, it is the unnamed “co-conspirators” who took the final and most significant steps. The mystery of who those “co-conspirators” may be remains alive, and may continue unless and until new charges drop or a trial reveals more facts.
SIM swaps, regulators and business risk
The FTX case highlights a growing awareness among prosecutors and regulators of the ease and prevalence of SIM swap schemes. Reading the Powell indictment is not unlike reading one of the hundreds of credit card theft indictments that federal and state prosecutors pursue each year. As far as frauds go, SIM swapping is low-cost, unsophisticated, and rote. But, if you’re a criminal, it works.
SIM swapping works largely as the result of vulnerabilities in the telecom’s anti-fraud and identification protocols, and as the result of relatively weak anti-fraud and identification verification procedures used as the default for all too many online service providers, including financial services firms. Recently, in December of 2023, the Federal Communications Commission issued a Report and Order adopting measures designed to address wireless’ providers’ SIM swap vulnerabilities. The Report and Order includes a requirement that wireless providers use secure methods of authenticating customers prior to performing SIM changes of the kind described in the Powell indictment, while seeking to maintain the relative ease that customers enjoy when legitimately porting a phone number to a new device. In the face of a growing awareness of the ease with which SIM swap perpetrators exploit basic MFA and less secure 2FA, particularly over unsecure SMS messaging rails, that balancing act will continue to pose challenges to both telecoms and to the service providers – including crypto companies – that rely on them.
Crypto security
Wireless providers are not alone in facing increasing scrutiny relevant to the Powell indictment’s allegations. The case also holds lessons and warnings for the crypto industry.
Even if the defendants in Powell were not the people who actually accessed and depleted FTX wallets, they allegedly provided the authentication codes for doing so, which they obtained through a fairly basic (as alleged) SIM swap scheme. Against the backdrop of the SEC’s nascent cybersecurity regime, the case highlights the need for exchanges operating in the U.S. to develop processes for assessing and managing cybersecurity risks, including “hacks” of the sort perpetrated in the FTX case. Given the SEC’s own experience as the victim of a recent SIM swap attack, we can expect the Enforcement Division to pay greater attention to SIM swap attacks against exchanges.
That could put offshore exchanges that avoid SEC or other regulatory oversight at a disadvantage. The SEC’s requirements regarding the regular disclosure of information regarding cybersecurity risk management, strategy, and governance – coupled with outside auditing of the same – ensures that customers and counterparties can understand the steps that such firms take to mitigate the risks of a FTX-like event. Offshore firms may adopt similarly transparent approaches to cybersecurity disclosures, but this would assume an inclination for transparency from firms that may be somewhat allergic to that notion – as was FTX. Crypto firms and projects can anticipate increased pressure – from regulators and from the market – to adopt, disclose, demonstrate, and maintain cybersecurity practices at a level well above those that allow for rudimentary fraudsters, as the defendants in Powell are described, to abscond with millions.
Edited by Benjamin Schiller.