Three individuals have been accused of committing a SIM-swapping attack in November 2022 that resulted in the theft of more than $400 million. The victim organization was not named by the U.S. government, but it is strongly believed that the money was stolen from the cryptocurrency exchange FTX, which had filed for bankruptcy on the same day as the attack.
On the 11th and 12th of November 2022, the perpetrators behind the heist managed to steal the $400 million in cryptocurrencies after conducting a SIM-swapping operation, where they transferred a victim’s phone number to a device under their control. This allowed them to intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication or password reset links sent via SMS.
The accused individuals include Robert Powell, known as “R,” “R$” and “ElSwapo1,” who was identified as the ringleader of the “Powell SIM Swapping Crew.” Emily Hernandez allegedly assisted the group in gaining access to victim devices, and Carter Rohn allegedly aided in compromising devices.
According to the indictment, the attackers SIM-swapped an AT&T customer by impersonating them at a retail store using a fake ID to steal the $400 million in November 2022. The victim in this case was only referred to as “Victim 1” in the indictment.
Tom Robinson, co-founder of the blockchain intelligence firm Elliptic, stated that the stolen funds were laundered through exchanges with ties to criminal groups based in Russia. This led to suspicions that the U.S.-based SIM-swappers may have received assistance from organized cybercriminals in Russia.
Nick Bax, director of analytics at the cryptocurrency wallet recovery firm Unciphered, noted that the flow of stolen FTX funds resembled the activities of groups based in Eastern Europe and Russia rather than those typically associated with U.S.-based SIM-swappers.
Furthermore, a Florida man who was recently charged for involvement in a SIM-swapping conspiracy is believed to be a key member of Scattered Spider, a hacking group responsible for a series of cyber intrusions at major U.S. technology companies in the summer of 2022.
The ongoing FTX bankruptcy proceedings are being handled by Kroll, a financial and risk consulting giant. However, Kroll suffered its own breach in August 2023 after an employee was SIM-swapped, resulting in the theft of user information for multiple cryptocurrency platforms that rely on Kroll’s services for handling bankruptcy proceedings.
The attorneys for Mr. Powell claimed they did not have information regarding “Victim 1” as it had not been shared by the government. Powell’s next court appearance is scheduled for a detention hearing on February 2, 2024.
Efforts to obtain comments from Kroll, the FBI, prosecuting attorneys, and the law firm handling the FTX bankruptcy are pending. This story will be updated if any of them respond.