FTX hack incident, the unsolved mystery of SIM card theft and coin theft


Whether domestic or offshore, cryptocurrency companies face increasing regulatory and economic concerns.

Author: Andrew Adams, Coindesk

Translator: Wu Blockchain

This article introduces a recent indictment by the US Department of Justice in a SIM card hijacking case, and argues that the defendants Powell et al. are not the attackers in the FTX hacking incident. It also discusses the business risks of SIM card hijacking and the regulatory pressure it may bring to the cryptocurrency industry. Wu Blockchain previously published a related article on SIM card hijacking, "Defenseless: Why Were a Large Number of Crypto Twitter Accounts Stolen to Post Phishing Links? How to Prevent It," which explained how the attack works and how to defend against it.

Recently, the US Department of Justice quietly unsealed an indictment, and some mainstream and cryptocurrency media quickly reported on it as the "unraveling" of the mystery of a $4 billion cryptocurrency theft from the now-defunct exchange FTX.

However, this indictment is not the key to solving that mystery. What it does reveal is that cryptocurrency companies, whether domestic or offshore, face increasing regulatory and economic concerns. In particular, the "SIM card hijacking" fraud that targeted FTX in November 2022 is about the most basic "hacking" method there is - it relies on identity theft and impersonation of financial account holders, and it mainly targets companies that protect customers and account holders with increasingly outdated two-factor or multi-factor authentication ("2FA" and "MFA").

US federal regulators are increasingly concerned about the potential harm of privacy protection systems vulnerable to SIM card hijacking attacks. The Federal Communications Commission is developing new rules, and the Securities and Exchange Commission (SEC), which recently introduced cybersecurity regulations, is likely to force companies to enhance privacy protection measures against this specific threat. Especially after the SEC itself recently experienced a SIM card hijacking incident, it may be more determined to strengthen regulation in this area.

New Charges and FTX Hackers

On January 24, 2024, the US Attorney's Office for the District of Columbia publicly released an indictment titled United States v. Powell et al. It is alleged that Robert Powell, Carter Rohn, and Emily Hernandez collaborated to steal personal identifying information (PII) from more than 50 victims.

These three individuals then used the stolen information to create fake identification documents, with the aim of deceiving telecommunications providers into transferring the victims' phone accounts to new devices controlled by the defendants or unnamed "co-conspirators." These three defendants sold the stolen PII.

The plan relied on reassigning the victims' phone numbers to physical phones controlled by criminals, which required transferring or implanting the victims' numbers (essentially their identities) onto subscriber identity module (SIM) cards, which were actually stored in the criminals' new devices. This is known as the "SIM card hijacking" plan.

Through the SIM card hijacking plan described in the United States v. Powell case, the defendants and unnamed co-conspirators deceived wireless telecommunications providers into reassigning the phone numbers from legitimate users' SIM cards to SIM cards controlled by the defendants or those unnamed co-conspirators. Subsequently, the SIM card hijacking allowed Powell and the others to access the victims' electronic accounts at various financial institutions and steal funds from these accounts.

The main benefit of SIM card hijacking for the defendants was the ability to intercept, on the new fraudulent devices, the messages that financial accounts send to verify that the person accessing the account is the legitimate account holder. In the absence of fraud, this authentication sends an SMS or other message to the legitimate user, who confirms the attempted account access by providing the code contained in the message. In this case, however, the secret code went directly to the fraudster, who used it to impersonate the account holder and withdraw funds.
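The weakness described above is that an SMS code proves control of a phone number, not of the account holder's device, so once the number has been reassigned the code reaches the attacker. One defensive control that follows directly from this is to treat any recent SIM change on the account's phone number as a signal that SMS codes cannot be trusted, and to require a stronger step-up check before sensitive actions. The example below is added here and is not code from the article or from any exchange; the log format, the 72-hour window and the account names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a SIM change within this window makes SMS codes untrustworthy.
SIM_CHANGE_LOOKBACK = timedelta(hours=72)

@dataclass
class Event:
    ts: datetime
    kind: str        # "sim_change", "otp_request" or "withdrawal"
    account: str
    detail: str = ""

# Constructed sample log: "timestamp | kind | account | free-text detail".
# acct-1 models the pattern in the article: SIM reassigned, then an SMS
# code is requested and a withdrawal follows within the hour.
SAMPLE_LOG = """\
2022-11-11T20:05:00 | sim_change | acct-1 | carrier reassigned number to new SIM
2022-11-11T20:40:00 | otp_request | acct-1 | sms code requested for login
2022-11-11T21:10:00 | withdrawal | acct-1 | transfer to previously unseen address
2022-11-01T09:00:00 | sim_change | acct-2 | customer replaced handset
2022-11-11T12:00:00 | withdrawal | acct-2 | transfer to known address
2022-11-11T15:00:00 | otp_request | acct-3 | sms code requested for login
""".splitlines()

def parse_events(lines):
    """Parse the constructed log format into Event objects."""
    events = []
    for line in lines:
        ts, kind, account, *rest = [f.strip() for f in line.split("|")]
        events.append(Event(datetime.fromisoformat(ts), kind, account,
                            rest[0] if rest else ""))
    return events

def evaluate(events):
    """Return {account: "allow" | "step_up"} for accounts that attempted an
    OTP-guarded action. "step_up" means the SMS code must not be accepted
    on its own because the number was moved to a new SIM recently."""
    last_sim_change = {}
    decisions = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "sim_change":
            last_sim_change[ev.account] = ev.ts
        elif ev.kind in ("otp_request", "withdrawal"):
            swapped_at = last_sim_change.get(ev.account)
            if swapped_at is not None and ev.ts - swapped_at <= SIM_CHANGE_LOOKBACK:
                decisions[ev.account] = "step_up"   # SMS code may reach attacker
            else:
                decisions.setdefault(ev.account, "allow")
    return decisions

if __name__ == "__main__":
    print(evaluate(parse_events(SAMPLE_LOG)))
```

In production the SIM-change signal would come from the carrier (the kind of check the FCC order discussed later asks carriers to perform) rather than from the exchange's own log.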

Although the Powell indictment does not name FTX as a victim, the charges it describes clearly refer to the largest SIM card hijacking fraud on record, which in turn appears to be the "hack" that occurred as FTX publicly announced its bankruptcy: the date, time, and amount match the publicly reported attack, and media reports have cited internal sources confirming that FTX is the "Victim Company-1" described in the indictment. When the FTX hack occurred, there was much speculation about the perpetrators: were they insiders, or government regulators operating in secret?

Many headlines about the Powell indictment claim that the mystery has been solved: the three defendants carried out the FTX hack. In reality, the content of the indictment implies the opposite. While the indictment names the three defendants and details their alleged theft of personal identifying information (PII), transfer of phone numbers to SIM cards obtained by fraud, and sale of stolen FTX access codes, it notably does not place these three defendants in the act of actually stealing funds from FTX.

Instead, it states that "co-conspirators" gained unauthorized access to FTX accounts and that "co-conspirators transferred over $4 billion of virtual currency from FTX's virtual currency wallet to a virtual currency wallet controlled by the co-conspirators." The customary practice in drafting indictments is to name the defendants in the actions they carried out. Here, the unnamed "co-conspirators" took the final and most important steps. The mystery of who these "co-conspirators" are remains, and may persist until new charges emerge or a trial reveals more facts.

Regulatory Agencies and Business Risks

The FTX case highlights the growing awareness among prosecutors and regulators of how simple and widespread SIM card hijacking schemes are. Reading the Powell indictment is no different from reading one of the hundreds of credit card theft charges pursued by federal and state prosecutors each year. As fraud goes, SIM card hijacking is low-cost, low-tech, and formulaic. But if you are a criminal, it works.

The effectiveness of SIM card hijacking is largely a result of vulnerabilities in telecommunications anti-fraud and identity verification protocols, together with the relatively weak anti-fraud and identity verification procedures used by default by many online service providers (including financial services companies). In December 2023, the Federal Communications Commission issued a report and order taking steps to address the exposure of wireless service providers to SIM card hijacking. The report and order require wireless providers to use secure customer authentication methods before executing SIM swaps of the kind described in the Powell indictment, while attempting to preserve the relative convenience customers enjoy when legitimately swapping devices. This balancing act will continue to challenge telecommunications companies and service providers (including cryptocurrency companies) as awareness grows of the trade-off between the convenience and the weakness of basic multi-factor authentication (MFA), and of less secure two-factor authentication (2FA), delivered over insecure SMS channels.

Cryptocurrency Security

Wireless service providers are not the only group facing increasing scrutiny related to the charges in the Powell indictment. This case has lessons and warnings for the cryptocurrency industry as well.

Even if the defendants in the Powell case were not the individuals who actually accessed and drained FTX wallets, they are alleged to have supplied the authentication codes that made it possible, obtained through a relatively basic SIM card hijacking scheme. Against the backdrop of the SEC's emerging cybersecurity regime, this case highlights the need for exchanges operating in the US to develop processes for assessing and managing cybersecurity risks, including the kind of "hacking" carried out in the FTX case. Given that the SEC itself recently fell victim to a SIM card hijacking attack, we can expect its enforcement division to pay closer attention to SIM card hijacking attacks against exchanges.

This may put offshore exchanges that seek to avoid supervision by the SEC or other regulators at a disadvantage. The SEC's requirements for regular public disclosure of cybersecurity risk management, strategy, and governance, along with external audits, ensure that customers and counterparties can understand the measures these companies take to mitigate risks like those in the FTX incident. Offshore companies could adopt similarly transparent cybersecurity disclosures, but that requires them to be willing to be transparent, and such companies may resist the concept of transparency - as FTX has shown. Cryptocurrency companies and projects can expect growing pressure from regulators and the market to adopt, disclose, demonstrate, and maintain cybersecurity practices far beyond what is needed merely to stop basic fraudsters (such as the defendants described in the Powell case) from walking away with millions of dollars.
