The $400 Million FTX SIM Swap Heist: How Three Hackers Struck in Chaos
How a SIM swap attack drained $400 million from FTX on bankruptcy day in 2022. The shocking story of the trio behind the hack and what investors can learn.
November 11, 2022 marked one of the darkest days in cryptocurrency history. While FTX filed for Chapter 11 bankruptcy protection , something even worse was happening behind the scenes. As Sam Bankman-Fried’s crypto empire crumbled, $477 million was stolen from FTX by an unidentified hacker in what would become one of the largest crypto heists ever recorded.
For over a year, the identity of the hackers remained a mystery. Industry experts speculated about inside jobs, disgruntled employees, or sophisticated nation-state actors. The truth, revealed in early 2024, was both simpler and more alarming than anyone imagined.
What Happened: A Perfect Storm of Timing and Opportunity
The timeline tells a chilling story of opportunistic criminals striking at the worst possible moment.
On November 11, 2022, the same day that FTX filed for bankruptcy protection, hackers executed a SIM swap attack targeting an FTX employee . This wasn’t random timing. The perpetrators knew the exchange was in chaos, with employees desperately trying to secure remaining funds.
Emily Hernandez walked into a Texas AT&T store and used a fake ID showing her picture but the name of an FTX employee to take over the employee’s phone account . This simple but effective social engineering attack gave the hackers access to the employee’s phone number.
After gaining access to the AT&T account of the FTX employee, co-conspirators sent Powell authentication codes that were needed to access the crypto company’s online accounts . Within hours, co-conspirators transferred over $400 million in virtual currency from FTX’s virtual currency wallets to wallets controlled by the conspirators .
The theft continued into November 12, with various Ethereum tokens as well as Solana and Binance Smart Chain tokens exiting FTX’s official wallets and moving to decentralized exchanges like 1inch . Both FTX and FTX US appear to be affected .
How It Happened: The Anatomy of a SIM Swap Attack
Understanding how this attack worked reveals critical vulnerabilities that exist across the entire crypto industry.
A SIM swap attack refers to the process of fraudulently inducing a carrier to reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor . The process is deceptively simple:
Research Phase: Hackers gather personal information about their target through social media, data breaches, or other sources.
Identity Creation: They create fake identification documents using the victim’s personal information but their own photograph.
Social Engineering: The attacker visits a mobile phone store or calls customer service, claiming to need a replacement SIM card due to loss or damage.
Number Transfer: Once the carrier transfers the phone number to the attacker’s SIM card, they receive all calls and texts intended for the victim.
Account Takeover: With control of the phone number, attackers can bypass two-factor authentication that relies on SMS codes.
In FTX’s case, the company had implemented several weak security measures, including SMS-based two-factor authentication (2FA) and limited cloud platform controls . This made them vulnerable to exactly this type of attack.
The attack exploited FTX’s operational chaos during bankruptcy. FTX staffers allegedly spent the night of Nov. 11 tracking wallets containing FTX crypto to transfer everything they could find to BitGo’s cold wallets . In this scramble to secure funds, normal security protocols may have been bypassed or overlooked.
The Aftermath: A Trail of Digital Breadcrumbs
The hackers’ attempts to launder their stolen cryptocurrency created a complex trail that investigators followed for years.
Initially, the stolen money was converted into different digital coins, with the bulk of it—more than $280 million—changed into the cryptocurrency ether . The hackers then converted the ether into a crypto product called RenBTC, which was then converted into bitcoin via a bridge .
Ironically, Alameda, a trading firm and sister company to FTX, had acquired RenBridge in 2021 , meaning the hackers used FTX’s own infrastructure to launder the stolen funds.
The 180,000 ETH that was not converted to Bitcoin through RenBridge remained dormant until September 30, 2023—by which time it was worth $300 million . When the hackers finally moved these funds, they turned to another cross-chain bridge: THORSwap after RenBridge shut down.
The investigation got its first major break when Kraken’s chief security officer said on Twitter that the firm knew “the identity” of a user who paid transaction fees associated with moving the stolen money through their Kraken account .
In January 2024, the pieces finally came together when three people were indicted for an identity theft conspiracy: Robert Powell, the alleged ringleader, Carter Rohn from Indianapolis, and Emily Hernandez from Colorado .
The Perpetrators: A Cross-Country Criminal Ring
The three individuals behind the attack operated a sophisticated SIM swapping operation that went far beyond the FTX hack.
Prosecutors accused Robert Powell, Carter Rohn and Emily Hernandez with conspiracy to commit wire fraud and identity theft in their operation of a SIM swapping ring that targeted fifty victims between March 2021 and April 2023 . Powell was known by his online handles “R$” and “ElSwapo1” .
Rohn was ordered held without bond after his arrest, while Hernandez was released on a $10,000 bond . The relatively low bond for Hernandez suggests prosecutors may view her role as less central to the operation.
The Justice Department has kept the case under seal, suggesting they may be trying to build a bigger case that points to people ultimately responsible for the hack . This raises questions about whether additional conspirators remain unidentified.
Lessons for Regular Investors
The FTX SIM swap attack reveals several harsh realities about cryptocurrency security that every investor should understand:
SMS-Based Security Is Dangerously Weak: FTX’s reliance on SMS for two-factor authentication made them vulnerable to this attack. If a major exchange can fall victim to SIM swapping, individual investors are even more at risk.
Timing Matters to Criminals: The hackers struck during maximum chaos, when normal security protocols were disrupted. Criminal opportunists target moments of vulnerability, whether it’s a company in crisis or an individual dealing with personal emergencies.
Your Personal Information Is Weaponized: The attack succeeded because the criminals gathered enough personal information about an FTX employee to create convincing fake identification. Every piece of personal data you share online can potentially be used against you.
Insider Access Isn’t Always Required: Initial speculation focused on insider threats, but this was an external attack that exploited human psychology and weak security practices. Sometimes the most sophisticated attacks use surprisingly simple methods.
Recovery Is Extremely Difficult: Nearly a year after the $477 million theft of cryptoassets from FTX, the identity of the thief remains unknown until the 2024 arrests. Even with arrests, it is not clear whether any of the stolen assets are under their control, and might be recovered .
How to Protect Yourself
Learning from FTX’s mistakes can help you build stronger defenses against SIM swap attacks and other security threats:
Never Use SMS for Important Accounts: Replace SMS-based two-factor authentication with app-based authenticators like Google Authenticator or Authy. These generate codes locally on your device and can’t be intercepted through SIM swaps.
Use Hardware Security Keys: For your most important accounts, especially those containing significant funds, invest in hardware security keys like YubiKey or Google Titan. These provide the strongest form of two-factor authentication available.
Limit Personal Information Exposure: Review your social media profiles and remove personal details like your phone number, address, or birth date. Criminals use this information to convince phone carriers they’re you.
Add Carrier Security: Contact your mobile provider and add extra security measures to your account, such as requiring in-person verification for any changes or adding a unique PIN that’s required for account modifications.
Use Cold Storage: For cryptocurrency holdings, store the majority of your funds in hardware wallets that aren’t connected to the internet. This ensures that even if your online accounts are compromised, your primary holdings remain safe.
Monitor Account Activity: Set up alerts for any login attempts or account changes. The faster you detect unauthorized access, the more likely you can limit damage.
Consider a Dedicated Phone Number: Some security-conscious investors use a separate phone number solely for important financial accounts, making it harder for attackers to target the right number.
For comprehensive online security, consider using NordVPN to encrypt your internet connection and protect against various online threats. While a VPN won’t prevent SIM swapping, it adds another layer of protection for your overall digital security.
The FTX SIM swap attack serves as a stark reminder that in the world of cryptocurrency, you are your own bank—and that comes with all the responsibilities of protecting your own assets. No exchange, no matter how large or well-funded, can guarantee your funds’ safety. The best defense is understanding the threats you face and taking proactive steps to protect yourself.
This article is for educational purposes only. It is not financial advice. See our full disclaimer.