This article introduces the indictment in a SIM card hijacking case recently unsealed by the U.S. Department of Justice, and argues that Powell and the other defendants in the case are not the attackers in the FTX hacking incident. It also covers the business risks of SIM card hijacking and the regulatory pressure it may bring to the crypto industry. Previously, Wu said that he had published a related article on SIM card hijacking, "Why are a large number of crypto Twitter accounts stolen and phishing links posted? How to prevent it?", which introduced its attack principles and prevention measures.

Read the full article: https://www.wu-talk.com/index.php?m=content&c=index&a=show&catid=46&id=17606

Original link: https://www.coindesk.com/consensus-magazine/2024/02/12/the-ftx-hack-the-unsolved-sim-swap-mystery/?utm_medium=referral&utm_source=rss&utm_campaign=headlines

The U.S. Department of Justice quietly unsealed an indictment recently, and some mainstream and crypto media outlets quickly reported on it as “solving” the mystery of a $400 million theft of cryptocurrency previously held by the now-defunct cryptocurrency exchange FTX. However, this indictment is not the key to ending the mystery. What it does reveal is that cryptocurrency companies, both onshore and offshore, are facing increasing regulatory and economic concerns.

In particular, the "SIM hijacking" fraud against FTX in November 2022 can almost be regarded as the most basic "hacking" method. It relies on identity theft and impersonation of financial account holders, and mainly targets companies that offer customers and account holders increasingly outdated two-factor or multi-factor authentication (i.e., "2FA" and "MFA") as privacy protection. Federal regulators in the United States are increasingly concerned about the potential harm to systems that rely on privacy protection programs that are vulnerable to SIM hijacking.
The Federal Communications Commission is developing new rules, and recent cybersecurity regulations from the Securities and Exchange Commission (SEC) are likely to force companies to improve privacy protections against this particular threat. The SEC may be more determined to strengthen regulations in this area, especially after its own recent experience with SIM hijacking.

New allegations and the FTX hack

On January 24, 2024, the United States Attorney’s Office for the District of Columbia unsealed an indictment titled United States v. Powell et al. It alleges that Robert Powell, Carter Rohn, and Emily Hernandez collaborated to steal the personally identifiable information (PII) of over 50 victims. The trio then used the stolen information to create fake identification documents designed to deceive telecommunications providers into transferring the identity theft victims’ cell phone accounts to new devices owned by the defendants or by unnamed “co-conspirators,” to whom the three defendants sold the stolen PII.

The scheme relies on reassigning a victim's phone number to a physical phone controlled by the criminals, which requires transferring or porting the victim's number (essentially, their identity) to a Subscriber Identity Module (or "SIM"), a card that is physically stored in the criminal's new device. This is known as a "SIM hijacking" scheme.

Through the SIM hijacking scheme described in United States v. Powell, the defendants and unnamed co-conspirators deceived wireless telecommunications providers into reassigning cell phone numbers from legitimate users’ SIM cards to SIM cards controlled by the defendants or those unnamed co-conspirators. SIM hijacking then allowed the Powell trio and others to access victims’ electronic accounts at various financial institutions and steal funds from those accounts.
The main benefit of SIM hijacking to the defendants is the ability to intercept, on new, fraudulent devices, the messages that those financial accounts send to verify that the person accessing the account is the legitimate account holder. Typically, if no fraud is involved, this authentication results in an SMS or other message being sent to the legitimate user, who then verifies the attempted access to the account by providing a code contained in the SMS or message. In this case, however, the secret code was sent directly to the scammers, who used it to impersonate the account holder and withdraw funds.

Although the Powell indictment does not name FTX as a victim, the allegations of the largest SIM hijacking fraud described in the indictment clearly refer to the FTX “hack” that occurred when the company publicly announced bankruptcy: the date, time, and amount match the publicly reported hack, and media reports have included confirmation from investigative insiders that FTX is the “Victim-1” described in the Powell indictment. When the FTX hack occurred, there was much speculation about the perpetrators: an insider? A government regulator operating in secret?

Many headlines covering the Powell indictment proclaimed that the mystery had been solved: three defendants had perpetrated the FTX hack. In reality, the contents of the indictment suggest otherwise. While the indictment specifically names the three defendants and details their alleged theft of personally identifiable information (PII), transfer of phone numbers to fraudulently obtained SIM cards, and sale of stolen FTX access codes, it is notably silent on the three defendants when describing the actual theft of FTX funds.
Instead, it mentions that “the conspirators gained unauthorized access to FTX accounts” and that “the conspirators transferred more than $400 million in virtual currency from FTX’s virtual currency wallets to virtual currency wallets controlled by the conspirators.”

It is customary in indictment drafting to name the defendants in the context of the acts they performed. Here, it was the unnamed “conspirators” who took the final and most important steps. The mystery of who these “conspirators” may be remains, and will likely remain so until new charges emerge or a trial reveals more facts.

Regulators and business risks

The FTX case highlights the growing awareness among prosecutors and regulators of the simplicity and prevalence of SIM hijacking schemes. Reading the Powell indictment is no different than reading one of the hundreds of credit card theft charges that federal and state prosecutors pursue each year. As far as fraud goes, SIM hijacking is low-cost, low-tech, and formal. But if you’re a criminal, it works.

The effectiveness of SIM hijacking is largely the result of vulnerabilities in telecommunications anti-fraud and authentication protocols and the relatively weak anti-fraud and authentication programs that many online service providers, including financial services companies, use by default. Most recently, in December 2023, the Federal Communications Commission issued a report and order taking steps designed to address wireless service providers’ SIM hijacking vulnerabilities. The report and order include requiring wireless providers to use secure customer authentication methods before performing the SIM swaps described in the Powell indictment, while attempting to maintain the relative convenience that customers enjoy when they legally change their device’s phone number.
This balancing act will continue to present challenges for telecommunications companies and the service providers that rely on them, including crypto companies, as awareness grows of how easily SIM hijacking actors can exploit basic multi-factor authentication (MFA) and less secure two-factor authentication (2FA), particularly through insecure SMS messaging channels.

Crypto security

Wireless service providers aren’t the only group facing growing scrutiny related to the allegations in the Powell indictment. The case also has lessons and warnings for the crypto industry.

Even though the defendants in Powell were not the ones who actually accessed and drained FTX wallets, they allegedly provided the authentication codes to do so, which were obtained through a relatively basic SIM hijacking scheme. In the context of the SEC’s emerging cybersecurity regime, this case highlights the need for exchanges operating in the United States to develop processes for assessing and managing cybersecurity risks, including “hacking” as perpetrated in the FTX case. Given that the SEC itself recently fell victim to a SIM hijacking attack, we can expect its enforcement division to pay more attention to SIM hijacking attacks against exchanges.

This could put offshore exchanges that avoid SEC or other regulatory oversight at a disadvantage. SEC requirements for regular public disclosure of information about cybersecurity risk management, policies, and governance, combined with external audits, ensure that customers and counterparties understand the steps these firms take to mitigate risks like the FTX incident. Offshore firms may adopt a similarly transparent approach to cybersecurity disclosure, but this requires a willingness to be transparent from these firms, which may be somewhat resistant to the concept of transparency, as FTX has demonstrated.
Crypto companies and projects can expect to face increased pressure from regulators and the market to adopt, disclose, demonstrate, and maintain a level of cybersecurity practices that goes far beyond simply preventing basic fraudsters (such as the defendants described in the Powell case) from making off with millions of dollars.