A US grand jury has indicted three individuals for their alleged roles in a $400 million SIM-swapping heist that targeted cryptocurrency exchange FTX in November 2022. The indictment accuses Robert Powell, Emily Hernandez, and Carter Rohn of using social engineering tactics to persuade cellular providers to transfer phone numbers of several victims, including FTX employees, to devices they controlled. This allowed them to access and drain victims’ cryptocurrency accounts.
The elaborate scheme spanned 15 months (March 2021 – April 2023) and targeted not only FTX but also other crypto investors. Methods allegedly employed included password resets, bypassing two-factor authentication, and transferring funds to their control. They now face charges of conspiracy to commit wire fraud, wire fraud, and aggravated identity theft.
The high-profile case highlights the growing threat of SIM-swapping attacks, which have become increasingly sophisticated in recent years. In a SIM-swapping attack, criminals dupe a victim’s cellular carrier into transferring their phone number to a device under the attacker’s control. This can then be used to intercept text messages and two-factor authentication codes, allowing the attacker to access the victim’s online accounts.
However, the case also underscores the need for greater vigilance on the part of cryptocurrency investors and exchanges. Investors should take steps to protect their accounts, such as using strong passwords, enabling two-factor authentication, and storing their assets in cold wallets. Exchanges, for their part, need to invest in robust security measures to safeguard their customers’ funds.