SIM Swappers Charged Over $400 Million FTX Hack Amid Bankcuptcy Filing

In a court case that happened recently – and whose transcripts were made available today – the identities of those behind the $400 million FTX exploit that took place shortly after the bankruptcy was declared were uncovered.

However, FTX was not the sole victim of the hacks. According to the court documents , a total of 50 victims were exploited by the SIM-swapping trio consisting of Robert Powell, Carter Rohn, and Emily Hernandez.

Russian Hypothesis Disproven

Although FTX is only referred to in the proceedings as “Victim Company-1,” two confidential sources have come forward and stated that the company in question is indeed the failed exchange, according to Bloomberg.

This information is further supported by security reports from Elliptic and Brian Krebs . Previously, Elliptic believed that the attack had been carried out by cybercriminal groups linked to Russia due to the specific way that the funds were moved. However, it turned out that that was not the case.

The trio, also known by their noms-de-guerre “R$/ElSwapo1, Em, and Punslayer/Carti, allegedly gained access to the FTX wallets by obtaining the personal information of an employee, including his identification documents.

Poor Security at Fault

Using a doctored document bearing all the original information but with Hernandez’s photograph, the defendant was able to convince an AT&T employee in Texas to conduct the SIM swap.

The FTX employees’ personal number was apparently enough to penetrate FTX’s notoriously Byzantine and/or lax security, as the authentication codes sent to this number allowed for direct access to the exchange’s hot wallets.

“On or about November 11, 2022 (…), co-conspirators sent to Powell the various authentication codes needed to access Victim Company 1’s online accounts. (…) The co-conspirators gained unauthorized access to online accounts owned by the company. On November 11, and continuing into November 12, co-conspirators transferred over $400 million in virtual currency to wallets controlled by the co-conspirators.”

At the time, Kraken’s head of cybersecurity claimed to know the identity of the user behind the hack due to attempts to cash the money out via the exchange he works for.

We know the identity of the user.

— Nick Percoco (@c7five) November 12, 2022

It’s unclear whether this contributed to the eventual indictment of the SIM swappers, who committed a series of SIM swaps between March 2021 and April 2023, give or take.

The defendants were indicted by a Washington court of conspiracy to commit wire fraud, aggravated identity theft, and access device fraud.

An arrest warrant has been submitted in Powell’s name, and all proceeds of the crimes are subject to forfeiture once recovered.