When more than $400 million worth of crypto was mysteriously pulled out of the coffers of what was once the world’s biggest cryptocurrency exchange, FTX, on the very day that it declared bankruptcy in November of 2022, many initially suspected insiders at the company—including, potentially, then CEO Sam Bankman-Fried, now convicted of fraud. But clues left across blockchains over the past year suggested instead that external thieves had chosen a particularly inconvenient moment during FTX’s meltdown to pull off an enormous heist.
Now, new clues revealed in a US Department of Justice indictment suggest something even more surprising: Some of those suspected thieves appear to have been in the United States and have now been arrested.
An indictment filed last week details charges against three people—Robert Powell, Carter Rohn, and Emily Hernandez—who are accused of running a massive cybercriminal theft ring. The group, which authorities say was known as the “Powell SIM Swapping Crew,” allegedly used SIM swaps—tricking phone companies into switching a user’s mobile phone registration to the thieves’ SIM card so that they can gain access to authentication codes sent to the victim’s phone—to steal hundreds of millions of dollars from victims’ accounts.
Most notably, the gang is accused of siphoning $400 million in virtual currency from the accounts of a company—named in the indictment only as Victim Company-1—on the night of November 11, 2022, continuing into November 12. As first spotted by cybersecurity journalist Brian Krebs, that is also the exact timing of FTX’s theft, which the company itself has pegged at between $415 million and $432 million in stolen crypto.
The blockchain analysis firm Elliptic corroborated Krebs’ inference that the $400 million theft described in the report is almost certainly the FTX heist. “We are not aware of any other thefts from crypto businesses on this scale, on these dates,” Elliptic wrote in a blog post. “It therefore appears likely that FTX is the ‘Victim Company-1’ named in the indictment.”
FTX didn’t immediately respond to WIRED’s request for comment on whether it is the SIM-swapping victim described in the indictment.
If the indictment does, in fact, describe the FTX theft—and given the relative rarity of nine-figure crypto thefts and the exact timing of this one—then the charging document reveals key details about how the FTX heist was pulled off. It describes how Powell allegedly asked Hernandez to target a specific phone number for SIM-swapping. According to prosecutors, Hernandez then obtained a fake ID with her photo but the name of her victim—potentially an FTX staffer—and presented it at an AT&T retail store in Texas to prove her identity as she requested that the staffer’s account be transferred to her own phone.
That allowed the group to hijack messages intended for the victim, including authentication codes for his or her account, according to the indictment. Given that those codes usually represent a second-factor authentication mechanism required after a user enters their username and password, it’s not clear how those other credentials might have been stolen, though cybercriminals typically obtain them through phishing, credential-stealing malware, or trying credentials leaked in other database dumps and potentially reused across accounts.