The Mystery of the $400 Million FTX Heist May Have Been Solved

When more than $400 million worth of crypto was mysteriously pulled out of the coffers of what was once the world's biggest cryptocurrency exchange, FTX, on the very day that it declared bankruptcy in November of 2022, many initially suspected insiders at the company, including, potentially, then-CEO Sam Bankman-Fried, who has since been convicted of fraud.
Clues left across blockchains over the past year suggested instead that external thieves had chosen a particularly inconvenient moment during FTX's meltdown to pull off an enormous heist.
Now, new clues revealed in a US Department of Justice indictment suggest something even more surprising: Some of those suspected thieves appear to have been in the United States and have now been arrested.
An indictment filed last week details charges against three people, Robert Powell, Carter Rohn, and Emily Hernandez, who are accused of running a massive cybercriminal theft ring.
Most notably, the gang is accused of siphoning $400 million in virtual currency from the accounts of a company (named in the indictment only as Victim Company-1) on the night of November 11, 2022, continuing into November 12.
As first spotted by cybersecurity journalist Brian Krebs, that is also the exact timing of FTX's theft, which the company itself has pegged at between $415 million and $432 million in stolen crypto.
The blockchain analysis firm Elliptic corroborated Krebs' inference that the $400 million theft described in the indictment is almost certainly the FTX heist.
FTX didn't immediately respond to WIRED's request for comment on whether it is the SIM-swapping victim described in the indictment.
If the indictment does describe the FTX theft, as the relative rarity of nine-figure crypto thefts and the exact timing of this one suggest, then the charging document reveals key details about how the heist was pulled off.
It describes how Powell allegedly asked Hernandez to target a specific phone number for SIM-swapping.
According to prosecutors, Hernandez then obtained a fake ID bearing her photo but the name of the victim (potentially an FTX staffer) and presented it at an AT&T retail store in Texas to prove her identity while requesting that the victim's account be transferred to a phone she controlled.
That allowed the group to hijack text messages intended for the victim, including authentication codes for his or her account, according to the indictment.
Those codes usually serve as a second authentication factor, requested only after a user has entered a username and password, so the indictment leaves open how the attackers obtained those first-factor credentials. Cybercriminals typically get them through phishing, credential-stealing malware, or by trying passwords leaked in other database dumps that victims may have reused across accounts.
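The attack pattern the indictment describes (password already in hand, phone number moved to an attacker's SIM at a carrier store, SMS authentication codes read off the attacker's handset) is easier to reason about as a runnable model. The example below is added here and is not code from the WIRED article, the indictment, FTX or AT&T. It goes beyond the article in one respect: alongside the plain SMS flow that the SIM swap defeats, it shows two defensive variants a service could adopt, refusing to text a number whose SIM changed recently and using a device-bound TOTP factor instead. The carrier, the "SIM last changed" signal, the 72-hour cooldown, the account names, phone number, password and TOTP seed are all constructed assumptions for illustration.

```python
"""Added example, not code from the WIRED article or the indictment: a toy model
of why a SIM swap defeats SMS one-time codes but not a device-bound factor.
Every name, number and policy value below is constructed for illustration."""
import hashlib
import hmac
import secrets
import struct

SIM_CHANGE_COOLDOWN = 72 * 3600  # assumed policy: distrust SMS for 72h after a SIM change


class Device:
    def __init__(self):
        self.inbox = []  # SMS received by this handset


class Carrier:
    """Stand-in carrier: which handset receives a number's SMS, and when that changed."""
    def __init__(self):
        self.number_to_device, self.sim_changed_at = {}, {}

    def activate(self, number, device, now):
        self.number_to_device[number] = device
        self.sim_changed_at[number] = now

    def sim_swap(self, number, new_device, now):
        # A clerk accepted a fake ID; SMS for `number` now lands on the attacker's
        # handset, while the online service's view of the account is unchanged.
        self.activate(number, new_device, now)

    def deliver_sms(self, number, text):
        self.number_to_device[number].inbox.append(text)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). The code depends on a secret that the phone
    number does not carry, so taking over the number yields nothing."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Service:
    def __init__(self, carrier):
        self.carrier, self.accounts, self.pending_otp = carrier, {}, {}

    def register(self, user, password, phone, totp_secret):
        self.accounts[user] = {"password": password, "phone": phone, "totp": totp_secret}

    def login_sms(self, user, password, now, sim_check=False):
        """Check the password, then text a code; with sim_check, refuse a fresh SIM."""
        acct = self.accounts[user]
        if password != acct["password"]:
            return "denied"
        if sim_check and now - self.carrier.sim_changed_at[acct["phone"]] < SIM_CHANGE_COOLDOWN:
            return "step_up_required"  # require a phishing-resistant factor instead
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_otp[user] = code
        self.carrier.deliver_sms(acct["phone"], f"Your code is {code}")
        return "otp_sent"

    def verify_sms(self, user, code):
        expected = self.pending_otp.pop(user, None)
        return "granted" if expected and hmac.compare_digest(expected, code) else "denied"

    def login_totp(self, user, password, code, now):
        acct = self.accounts[user]
        if password != acct["password"]:
            return "denied"
        return "granted" if hmac.compare_digest(totp(acct["totp"], now), code) else "denied"


def run_scenario():
    """Replays the pattern in the indictment: password already in hand, SIM swapped,
    attacker reads the SMS code. Returns the outcome of each login variant."""
    carrier, victim, attacker = Carrier(), Device(), Device()
    phone, t0, pw = "+15550100", 1_700_000_000, "Stolen-Pa55word"  # constructed values
    carrier.activate(phone, victim, t0 - 365 * 86400)  # victim has held the number for a year
    service = Service(carrier)
    totp_secret = b"constructed-totp-seed"  # provisioned only to the victim's handset
    service.register("staffer", pw, phone, totp_secret)
    carrier.sim_swap(phone, attacker, t0)  # the store visit with the fake ID
    now, results = t0 + 600, {}

    # 1. SMS second factor: the code goes to whoever holds the number now.
    service.login_sms("staffer", pw, now)
    intercepted = attacker.inbox[-1].split()[-1]
    results["sms_otp"] = service.verify_sms("staffer", intercepted)

    # 2. Same flow, but the service distrusts SMS right after a SIM change.
    results["sms_otp_sim_check"] = service.login_sms("staffer", pw, now, sim_check=True)

    # 3. TOTP: the attacker holds the number and the password, but not the secret.
    genuine = totp(totp_secret, now)
    guess = "000000" if genuine != "000000" else "000001"  # anything but the real code
    results["totp_attacker"] = service.login_totp("staffer", pw, guess, now)
    results["totp_victim"] = service.login_totp("staffer", pw, genuine, now)
    return results
```

Running `run_scenario()` yields `granted` for the plain SMS flow (the attacker simply reads the code off the swapped handset), `step_up_required` once the service consults the assumed SIM-change signal, and `denied` for the attacker under TOTP while the victim's own handset still gets `granted`. The caveat the model makes visible is that the SIM-change check only helps if the carrier actually exposes such a signal and the service checks it before sending; binding the second factor to a device secret removes the dependence on the phone number altogether.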


This Cyber News was published on www.wired.com. Publication date: Thu, 01 Feb 2024 22:13:04 +0000