CoinDesk: The Unsolved SIM Card Theft Mystery of the FTX Hacking Incident

Wu Says Blockchain
2024-02-21 20:00:40
This article discusses a recent indictment announced by the U.S. Department of Justice regarding a SIM card hijacking case and argues that the defendants, including Powell, are not the attackers in the FTX hacking incident. The article also covers the business risks associated with SIM card hijacking and the potential regulatory pressure it may bring to the cryptocurrency industry.

Author | Andrew Adams, CoinDesk

Compiled by | Wu Says Blockchain


Recently, the U.S. Department of Justice quietly unsealed an indictment, which was quickly reported by mainstream and crypto media, describing it as "solving" a $400 million cryptocurrency theft mystery, with the stolen cryptocurrencies previously held by the now-defunct cryptocurrency exchange FTX.

However, this indictment is not the key to unraveling the mystery. What it does reveal is that both onshore and offshore cryptocurrency companies face growing regulatory and economic concerns. In particular, the "SIM card hijacking" fraud carried out against FTX in November 2022 used about the most basic "hacking" method there is: identity theft and impersonation of financial account holders, aimed at companies that still protect customers and account holders with increasingly outdated two-factor or multi-factor authentication ("2FA" and "MFA").

U.S. federal regulators are increasingly focused on the dangers of account-protection systems that are easily defeated by SIM card hijacking attacks. The Federal Communications Commission is developing new rules, and the cybersecurity regulations recently introduced by the U.S. Securities and Exchange Commission (SEC) are likely to force companies to strengthen their protections against this specific threat. Having itself recently suffered a SIM card hijacking incident, the SEC may be all the more determined to tighten regulation in this area.

New Charges and FTX Hack

On January 24, 2024, the U.S. Attorney's Office for the District of Columbia publicly released an indictment titled United States v. Powell et al. It is alleged that Robert Powell, Carter Rohn, and Emily Hernandez collaborated to steal the personal identifying information (PII) of over 50 victims.

The three then used this stolen information to create fake identification documents with the aim of deceiving telecommunications providers into transferring the phone accounts of identity theft victims to new devices held by the defendants or unnamed "co-conspirators." The three defendants sold the stolen PII.

The scheme relied on reassigning victims' phone numbers to physical phones controlled by the criminals, which required transferring or porting each victim's number (in effect, the victim's identity) to a subscriber identity module (or "SIM") card physically installed in the criminals' new devices. This is referred to as a "SIM card hijacking" (or "SIM swap") scheme.

Through the SIM card hijacking scheme described in United States v. Powell, the defendants and unnamed co-conspirators deceived wireless telecommunications providers into reallocating phone numbers from legitimate users' SIM cards to SIM cards controlled by the defendants or those unnamed co-conspirators. The SIM card hijacking then allowed Powell and others to access victims' electronic accounts at various financial institutions and steal funds from those accounts.

The main benefit of SIM card hijacking for the defendants was the ability to intercept, on the fraudulently obtained devices, the messages that financial accounts send to verify that the person accessing an account is the legitimate holder. Absent fraud, this authentication step sends an SMS text or other message to the legitimate user, who confirms the access attempt by entering the code it contains. Here, however, the secret codes went directly to the scammers, who used them to impersonate the account holders and withdraw funds.

Although Powell's indictment does not name FTX as a victim, the allegations of the largest SIM card hijacking fraud described in the indictment clearly refer to the "hacker" incident that occurred when the company publicly announced its bankruptcy—the dates, times, and amounts match those reported in the publicized hacking incident, and media reports have included confirmations from insiders that FTX is indeed the "victim company-1" mentioned in Powell's case. When the FTX hacking incident occurred, there was much speculation about the perpetrators: insiders, government regulators operating in the shadows?

Many articles reporting on Powell's indictment claimed that the mystery had been solved: the three defendants carried out the FTX hacking attack. But in reality, the content of the indictment suggests the opposite. While the indictment precisely lists the names of the three defendants and details their alleged theft of personal identifying information (PII), the transfer of phone numbers to fraudulently obtained SIM cards, and the sale of stolen FTX access codes, it notably does not mention these three defendants in describing the actual process of stealing funds from FTX.

Instead, it mentions that "co-conspirators accessed FTX accounts without authorization" and that "co-conspirators transferred over $400 million in virtual currency from FTX's virtual currency wallet to a virtual currency wallet controlled by the co-conspirators." The drafting conventions of the indictment typically mention the defendants' names in the actions they undertook. Here, it is the unnamed "co-conspirators" who took the final and most critical steps. The mystery of who these "co-conspirators" might be remains, and it may persist until new charges arise or a trial reveals more facts.

Regulators and Business Risks

The FTX case highlights the growing awareness among prosecutors and regulators of how simple and widespread SIM card hijacking schemes are. Reading Powell's indictment is not much different from reading one of the hundreds of credit card theft charges pursued annually by federal and state prosecutors. As fraud goes, SIM card hijacking is low-cost, low-tech, and formulaic. But if you are a criminal, it works.

The effectiveness of SIM card hijacking stems largely from weaknesses in telecommunications anti-fraud and authentication protocols, and from the relatively weak anti-fraud and authentication procedures that many online service providers (including financial services companies) use by default. In December 2023, the Federal Communications Commission released a report and order aimed at addressing the SIM card hijacking vulnerabilities of wireless service providers. The report and order require wireless providers to use secure methods of customer authentication before carrying out a SIM swap of the kind described in Powell's indictment, while trying to preserve the convenience customers enjoy when legitimately moving their phone numbers to new devices. As it becomes more widely recognized that SIM card hijackers exploit that very convenience to defeat basic multi-factor authentication (MFA) and weaker two-factor authentication (2FA), especially codes delivered over insecure SMS channels, this balancing act will continue to challenge telecommunications companies and the service providers that rely on them (including crypto companies).
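To make the two points concrete, the interception of account-verification codes described in the "New Charges and FTX Hack" section and the carrier-side authentication gate the FCC order targets, here is a small Python model. It is an added illustration, not code from the article, CoinDesk, FTX, or any carrier. The phone number, SIM identifiers, account names and the `Carrier`/`Exchange` classes are constructed for the example; the carrier's pre-swap check is modelled as a single boolean standing in for whatever customer authentication a provider performs; and RFC 6238 TOTP is used as a representative device-bound factor, which is this example's choice rather than something the article names.

```python
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1. The code depends on a secret held on the
    user's device, not on the phone number, so porting the number yields nothing."""
    counter = int((time.time() if t is None else t) // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class Carrier:
    """Toy wireless provider: a number is bound to exactly one SIM, and SMS is
    delivered to whichever SIM currently holds the number."""

    def __init__(self):
        self.sim_for_number = {}
        self.inbox = {}  # SIM id -> list of texts received on that SIM

    def activate(self, number, sim):
        self.sim_for_number[number] = sim
        self.inbox.setdefault(sim, [])

    def sim_swap(self, number, new_sim, customer_authenticated):
        # The gate the FCC report and order is aimed at: a swap must not go
        # through on a forged ID alone. On failure the number stays where it is.
        if not customer_authenticated:
            raise PermissionError("SIM swap refused: customer not authenticated")
        self.activate(number, new_sim)

    def send_sms(self, number, text):
        self.inbox[self.sim_for_number[number]].append(text)


class Exchange:
    """Toy financial service offering SMS-code login and TOTP login."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.accounts = {}

    def register(self, user, phone, totp_secret):
        self.accounts[user] = {"phone": phone, "totp_secret": totp_secret, "sms_code": None}

    def start_sms_login(self, user):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.accounts[user]["sms_code"] = code
        # The service only knows the number; it cannot tell who holds the SIM.
        self.carrier.send_sms(self.accounts[user]["phone"], f"Your login code is {code}")

    def finish_sms_login(self, user, code):
        expected = self.accounts[user]["sms_code"] or ""
        self.accounts[user]["sms_code"] = None  # single use
        return hmac.compare_digest(expected, code)

    def totp_login(self, user, code, t=None):
        return hmac.compare_digest(totp(self.accounts[user]["totp_secret"], t), code)


def simulate(swap_authenticated, t=1_700_000_000):
    """Port the victim's number to the attacker's SIM, then try both login paths.
    Returns outcome flags rather than printing, so callers can check them."""
    carrier = Carrier()
    carrier.activate("+1-555-0100", "sim-victim")  # constructed number and SIM ids
    exchange = Exchange(carrier)
    victim_secret = secrets.token_bytes(20)
    exchange.register("victim", "+1-555-0100", victim_secret)

    try:
        carrier.sim_swap("+1-555-0100", "sim-attacker", swap_authenticated)
    except PermissionError:
        return {"swap_refused": True}

    # SMS factor: the code lands on the attacker's SIM and logs the attacker in.
    exchange.start_sms_login("victim")
    stolen_code = carrier.inbox["sim-attacker"][-1].rsplit(" ", 1)[1]
    attacker_sms_login = exchange.finish_sms_login("victim", stolen_code)

    # Device-bound factor: holding the number gives the attacker no TOTP secret.
    genuine = totp(victim_secret, t)
    victim_totp_login = exchange.totp_login("victim", genuine, t)
    wrong_guess = "000000" if genuine != "000000" else "000001"  # deterministic miss
    attacker_totp_login = exchange.totp_login("victim", wrong_guess, t)

    return {
        "swap_refused": False,
        "victim_inbox_empty": not carrier.inbox["sim-victim"],
        "attacker_sms_login": attacker_sms_login,
        "victim_totp_login": victim_totp_login,
        "attacker_totp_login": attacker_totp_login,
    }


if __name__ == "__main__":
    print("swap allowed:", simulate(swap_authenticated=True))
    print("swap gated:  ", simulate(swap_authenticated=False))
```

Run with the swap allowed, the victim's inbox stays empty, the attacker's SMS login succeeds and the attacker's TOTP login fails; with the carrier gate enforced, the number never moves and neither login path is reachable. The `totp` function is a faithful RFC 6238 implementation, so it can be checked against the RFC's published test vectors.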

Crypto Security

Wireless service providers are not the only groups facing increasing scrutiny related to the allegations in Powell's indictment. This case carries lessons and warnings for the cryptocurrency industry as well.

Even if the defendants in Powell's case are not the ones who actually accessed and drained the FTX wallets, they are alleged to have supplied the authentication codes needed to do so, obtained through a relatively basic SIM card hijacking scheme. In the context of the SEC's emerging cybersecurity regulations, this case underscores the need for exchanges operating in the U.S. to develop processes for assessing and managing cybersecurity risks, including the kind of "hack" carried out in the FTX case. Given that the SEC itself recently fell victim to a SIM card hijacking attack, we can expect its enforcement division to pay closer attention to such attacks against exchanges.

This may put offshore exchanges that seek to avoid SEC or other regulatory oversight at a disadvantage. The SEC's requirements for regular public disclosures regarding cybersecurity risk management, strategies, and governance, along with external audits, ensure that customers and counterparties can understand the measures these companies are taking to mitigate risks similar to the FTX incident. Offshore companies may adopt similar transparent cybersecurity disclosure practices, but this requires these companies to be willing to be transparent, and they may be somewhat resistant to the concept of transparency—as demonstrated by FTX. Cryptocurrency companies and projects can expect to face greater pressure from regulators and the market to adopt, disclose, showcase, and maintain cybersecurity practices that far exceed the level merely capable of preventing basic fraudsters (like the defendants described in the Powell case) from making off with millions of dollars.
