The Mystery of the $400 Million FTX Heist May Have Been Solved

When more than $400 million worth of crypto was mysteriously pulled out of the coffers of what was once the world's biggest cryptocurrency exchange, FTX, on the very day that it declared bankruptcy in November of 2022, many initially suspected insiders at the company—including, potentially, then CEO Sam Bankman-Fried, now convicted of fraud. But clues left across blockchains over the past year suggested instead that external thieves had chosen a particularly inconvenient moment during FTX's meltdown to pull off an enormous heist.

Now, new clues revealed in a US Department of Justice indictment suggest something even more surprising: Some of those suspected thieves appear to have been in the United States and have now been arrested.

An indictment filed last week details charges against three people—Robert Powell, Carter Rohn, and Emily Hernandez—who are accused of running a massive cybercriminal theft ring. The group, which authorities say was known as the “Powell SIM Swapping Crew,” allegedly used SIM swaps—tricking phone companies into switching a user's mobile phone registration to the thieves' SIM card so that they can gain access to authentication codes sent to the victim's phone—to steal hundreds of millions of dollars from victims' accounts.

Most notably, the gang is accused of siphoning $400 million in virtual currency from the accounts of a company—named in the indictment only as Victim Company-1—on the night of November 11, 2022, continuing into November 12. As first spotted by cybersecurity journalist Brian Krebs, that is also the exact timing of FTX's theft, which the company itself has pegged at between $415 million and $432 million in stolen crypto.

The blockchain analysis firm Elliptic corroborated Krebs' inference that the $400 million theft described in the report is almost certainly the FTX heist. “We are not aware of any other thefts from crypto businesses on this scale, on these dates,” Elliptic wrote in a blog post. “It therefore appears likely that FTX is the ‘Victim Company-1’ named in the indictment.”

FTX didn't immediately respond to WIRED's request for comment on whether it is the SIM-swapping victim described in the indictment.

If the indictment does, in fact, describe the FTX theft—and given the relative rarity of nine-figure crypto thefts and the exact timing of this one—then the charging document reveals key details about how the FTX heist was pulled off. It describes how Powell allegedly asked Hernandez to target a specific phone number for SIM-swapping. According to prosecutors, Hernandez then obtained a fake ID with her photo but the name of her victim—potentially an FTX staffer—and presented it at an AT&T retail store in Texas to prove her identity as she requested that the staffer's account be transferred to her own phone.

That allowed the group to hijack messages intended for the victim, including authentication codes for his or her account, according to the indictment. Given that those codes usually represent a second-factor authentication mechanism required after a user enters their username and password, it’s not clear how those other credentials might have been stolen, though cybercriminals typically obtain them through phishing, credential-stealing malware, or trying credentials leaked in other database dumps and potentially reused across accounts.

The possibility that the FTX thieves have been identified as Americans, within reach of US law enforcement, comes as a surprise following Elliptic’s discovery in October of last year that the crypto stolen from FTX had moved across blockchains and through cryptocurrency swapping services in a way that suggested Russia-linked money launderers. Portions of the funds, for instance, moved through mixing services—which take in users’ funds and return others to muddy the trail of any blockchain tracing—that are popular with Russian cybercriminals, such as ChipMixer and Sinbad.

Both mixers, in fact, have been sanctioned by the US Treasury Department for their illicit use, including by Russian ransomware gangs. “It’s looking increasingly likely that the perpetrator has links to Russia,” Elliptic’s chief scientist and cofounder Tom Robison told WIRED in October. “We can’t attribute this to a Russian actor, but it’s an indication it might be.”

If the money is FTX's, those blockchain footprints suggest that the $400 million that the hackers allegedly stole is long gone, moved into the hands of international money launderers. “It is therefore not clear whether any of the stolen assets are under their control, and might be recovered,” Elliptic wrote in its blog post today. Nonetheless, if the alleged hackers were paid a portion of that sum in exchange for their work to steal it, that money might still be seized and repaid as restitution to FTX’s many creditors.

Either way, it suggests that another mystery in the story of FTX’s implosion and the billions of dollars in missing funds that disappeared with it may be at least partially solved. If so, it would seem this FTX-related crime, at least, can’t be blamed on Sam Bankman-Fried.