Login
Criminals could remotely tamper with the data that apps used by airplane pilots rely on to inform safe takeoff and landing procedures, according to fresh research.β¦
Blackbaud, which had data on millions of people stolen from it by one or more crooks, has promised to shore up its IT defenses in a proposed deal with the FTC.β¦
Mastodon has called admins to action following the disclosure of a critical vulnerability affecting the decentralized social network favored by erstwhile Twitter lovers.β¦
Interpol has arrested 31 people following a three-month operation to stamp out various types of cybercrime.β¦
Joshua Schulte, a former CIA employee and software engineer accused of sharing material with WikiLeaks, was sentenced to 40 years in prison by the US Southern District of New York on Thursday.β¦
Partner Content Application programming interfaces (APIs) play a significant role in today's digital economy, but at the same time they can also represent a data security vulnerability.β¦
Cloudflare has just detailed how suspected government spies gained access to its internal Atlassian installation using credentials stolen via a security breach at Okta in October.β¦
Cyber attacks using AI-generated deepfakes to bypass facial biometrics security will lead a third of organizations to doubt the adequacy of identity verification and authentication tools as standalone protections.β¦
Three Americans were charged this week with stealing more than $400 million in a November 2022 SIM-swapping attack. The U.S. government did not name the victim organization, but there is every indication that the money was stolen from the now-defunct cryptocurrency exchange FTX, which had just filed for bankruptcy on that same day.
A graphic illustrating the flow of more than $400 million in cryptocurrencies stolen from FTX on Nov. 11-12, 2022. Image: Elliptic.co.
An indictment unsealed this week and first reported on by Ars Technica alleges that Chicago man Robert Powell, a.k.a. βR,β βR$β and βElSwapo1,β was the ringleader of a SIM-swapping group called the βPowell SIM Swapping Crew.β Colorado resident Emily βEmβ Hernandez allegedly helped the group gain access to victim devices in service of SIM-swapping attacks between March 2021 and April 2023. Indiana resident Carter Rohn, a.k.a. βCarti,β and βPunslayer,β allegedly assisted in compromising devices.
In a SIM-swapping attack, the crooks transfer the targetβs phone number to a device they control, allowing them to intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication or password reset links sent via SMS.
The indictment states that the perpetrators in this heist stole the $400 million in cryptocurrencies on Nov. 11, 2022 after they SIM-swapped an AT&T customer by impersonating them at a retail store using a fake ID. However, the document refers to the victim in this case only by the name βVictim 1.β
Wiredβs Andy Greenberg recently wrote about FTXβs all-night race to stop a $1 billion crypto heist that occurred on the evening of November 11:
βFTXβs staff had already endured one of the worst days in the companyβs short life. What had recently been one of the worldβs top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the companyβs CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.β
βFTX had, it seemed, hit rock bottom. Until someoneβa thief or thieves who have yet to be identifiedβchose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the companyβs cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.β
The indictment says the $400 million was stolen over several hours between November 11 and 12, 2022. Tom Robinson, co-founder of the blockchain intelligence firm Elliptic, said the attackers in the FTX heist began to drain FTX wallets on the evening of Nov. 11, 2022 local time, and continuing until the 12th of November.
Robinson said Elliptic is not aware of any other crypto heists of that magnitude occurring on that date.
βWe put the value of the cryptoassets stolen at $477 million,β Robinson said. βThe FTX administrators have reported overall losses due to βunauthorized third-party transfersβ of $413 million β the discrepancy is likely due to subsequent seizure and return of some of the stolen assets. Either way, itβs certainly over $400 million, and we are not aware of any other thefts from crypto exchanges on this scale, on this date.β
The SIM-swappers allegedly responsible for the $400 million crypto theft are all U.S. residents. But there are some indications they had help from organized cybercriminals based in Russia. In October 2023, Elliptic released a report that found the money stolen from FTX had been laundered through exchanges with ties to criminal groups based in Russia.
βA Russia-linked actor seems a stronger possibility,β Elliptic wrote. βOf the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia.β
Nick Bax, director of analytics at the cryptocurrency wallet recovery firm Unciphered, said the flow of stolen FTX funds looks more like what his team has seen from groups based in Eastern Europe and Russian than anything theyβve witnessed from US-based SIM-swappers.
βI was a bit surprised by this development but it seems to be consistent with reports from CISA [the Cybersecurity and Infrastructure Security Agency] and others that βScattered Spiderβ has worked with [ransomware] groups like ALPHV/BlackCat,β Bax said.
CISAβs alert on Scattered Spider says they are a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.
βScattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs,β CISA said, referring to the groupβs signature βTactics, Techniques an Procedures.β
Nick Bax, posting on Twitter/X in Nov 2022 about his research on the $400 million FTX heist.
Earlier this week, KrebsOnSecurity published a story noting that a Florida man recently charged with being part of a SIM-swapping conspiracy is thought to be a key member of Scattered Spider, a hacking group also known as 0ktapus. That group has been blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.
Financial claims involving FTXβs bankruptcy proceedings are being handled by the financial and risk consulting giant Kroll. In August 2023, Kroll suffered its own breach after a Kroll employee was SIM-swapped. According to Kroll, the thieves stole user information for multiple cryptocurrency platforms that rely on Kroll services to handle bankruptcy proceedings.
KrebsOnSecurity sought comment for this story from Kroll, the FBI, the prosecuting attorneys, and Sullivan & Cromwell, the law firm handling the FTX bankruptcy. This story will be updated in the event any of them respond.
Attorneys for Mr. Powell said they do not know who Victim 1 is in the indictment, as the government hasnβt shared that information yet. Powellβs next court date is a detention hearing on Feb. 2, 2024.
Update, Feb. 3, 12:19 p.m. ET: The FBI declined a request to comment.
The Biden administration has expressed to congressional representatives its strong opposition to undoing the Securities and Exchange Commission's (SEC) strict data breach reporting rule.β¦
Ransomware gang LockBit is claiming responsibility for an attack on a Chicago children's hospital in an apparent deviation from its previous policy of not targeting nonprofits.β¦
Chinese attackers are preparing to "wreak havoc" on American infrastructure and "cause societal chaos" in the US, infosec, and law enforcement bosses told a US House committee on Wednesday.β¦
Multiple vulns in Docker disclosed by Snyk Security Labs
China's Volt Typhoon spies infected "hundreds" of outdated Cisco and Netgear equipment with malware so that the devices could be instructed to break into US critical infrastructure facilities, the Justice Department has said.β¦
Trusting a ransomware crew to honor a deal isn't the greatest idea, and the world seems to be waking up to that. It's claimed that number of victims who chose to pay dropped to a new low of 29 percent in the last quarter of 2023.β¦
Security researchers believe the Akira ransomware group could be exploiting a nearly four-year-old Cisco vulnerability and using it as an entry point into organizations' systems.β¦
Volt Typhoon, the Chinese government-backed cyberspies whose infrastructure was at least partially disrupted by Uncle Sam, has been homing in on other US energy, satellite and telecommunications systems, according to Robert Lee, CEO of security shop Dragos.β¦
Ivanti has finally released the first round of patches for vulnerability-stricken Connect Secure and Policy Secure gateways, but in doing so has also found two additional zero-days, one of which is under active exploitation.β¦
FreshRSS 