Cryptohack Roundup: FTX Hacker Was a SIM SwapperAlso: AI Fake IDs Pass Crypto Exchange KYC; Treasury and SEC Address Crypto Issues
This week, SIM swappers were linked to the FTX hack, AI-generated fake IDs likely bypassed crypto KYC checks, the Treasury addressed the illicit use of crypto, the SEC increased crypto oversight, Quantstamp released January's crypto hack statistics, and South Korea passed a new crypto crime law.
See Also: What is next-generation AML?
FTX Hack and SIM Swapping
Three individuals that United States prosecutors charged last week for orchestrating a series of SIM-swapping attacks potentially stole more than $400 million from FTX in 2022, hours after the company had filed for bankruptcy.
In a Jan. 24 court filing, federal prosecutors charged Robert Powell, Carter Rohn and Emily Hernandez with carrying out SIM-swapping attacks by stealing the identities of 50 victims and convincing telecom providers to port victims' numbers to the phones of the accused. The filing mentions an attack on an unidentified Victim Company-1, in which on Nov. 11 and Nov. 12, 2022, Hernandez allegedly impersonated an employee, allowing Powell to access that employee's AT&T account and eventually the company accounts, to transfer "over $400 million in virtual currency" out of the company's crypto wallets.
A Feb. 1 blog post by blockchain security firm Elliptic said it "appears likely that FTX is the Victim Company-1 named in the indictment," as the details in the indictment are similar to the FTX hacking incident. A Bloomberg report on the same day said that the company referred to in the indictment was indeed FTX, citing two people familiar with the case.
Some of the funds were sent to the crypto exchange Kraken shortly after the hack, and the exchange's chief security officer, Nicholas Percoco, said at the time that he was aware of the user's identity.
OnlyFake Documents at $15 a Pop
OnlyFake, a new service that purportedly uses artificial intelligence neural networks and generators, reportedly passed KYC checks on several crypto exchanges. The platform offers realistic fake driver's licenses and passports from 26 countries and accepts payment in various cryptocurrencies through Coinbase's commercial payments service - all for $15 apiece. According to 404 Media, it bypassed KYC verification on OKX with a British passport that it had generated using the site. These fake IDs could also pass KYC checks on Binance, Kraken, Bybit, Huobi, Coinbase and Revolut, according to "John Wick," the pseudonymous owner, the media outlet reported. The service is especially helpful to crypto thieves, money launderers and nation-state actors who seek to commit crimes, protect their real identities and obfuscate the flow of funds.
Treasury Department Addresses Illicit Use of Crypto
The U.S. Department of the Treasury said that criminals, scammers and illicit actors are increasingly using virtual assets and that cryptocurrencies are a common medium for laundering funds linked to fraud, drug trafficking, human smuggling and corruption. Despite virtual asset service providers being subject to anti-money laundering and anti-terrorism financing requirements, as well as sanctions rules, some fail to comply with the regulations, which creates a loophole for exploitation by illicit actors, the department said. DeFi platforms particularly pose challenges, and many fail to adhere to the rules. The report also addresses the growing risk of money laundering in the online gaming sector due to its anonymity and rapid expansion and says that terrorists are adapting to technological changes to better fund their activities.
SEC Increases Oversight on Crypto
The U.S. Securities and Exchange Commission adopted rules that mandate compliance with federal securities laws for market participants with significant liquidity-providing roles. The SEC extended these regulations to encompass cryptocurrency transactions. The rules passed in a 3-2 vote during a meeting Tuesday, finalized a rule-making proposal initially outlined in a 194-page document in 2022, which contained a solitary mention of crypto in a footnote. The approved 247-page rule applies to individuals engaging in transactions involving crypto assets that meet the definition of securities or government securities, except those with assets totaling less than $50 million. The rule's scope extends to decentralized finance activities. Specifically, individuals whose trading activities in crypto asset securities align with the rule's definition of "as part of a regular business" are subject to registration as dealers or government securities dealers.
Crypto Hack Statistics for January
Crypto hacks in January caused $38.9 million worth of losses, decentralized finance security startup Quantstamp said. Malicious actors used smart contract breaches, scams and private key compromises in the top five hacks of the month, it said. The top incidents include the $4.5 million flash loan attack on Radiant Capital, the $6.1 million Gamma Strategies hack, the $460,000 Wise Lending oracle manipulation attack, the $4 million Socket protocol theft and the $1.7 million Goledo Finance theft.
South Korea's New Law for Crypto Crime
South Korea's primary financial regulator is introducing crypto-focused regulation in its Virtual Asset Users Protection Act to safeguard investors from market crimes. The Financial Services Commission disclosed the new law on Wednesday. It contains provisions that prohibit the use of undisclosed significant information, market manipulation, and illegal trading activities and imposes severe penalties - such as fixed-term imprisonment exceeding one year or fines ranging from three to five times the amount of illicit profits. Criminals who make more than $3.8 million from illegal crypto trading scams face life sentences. Scheduled to take effect on July 19, 2024, the legislation was enacted on July 18, 2023. The law emerged in response to an industry crisis involving Terraform Labs and its South Korean founder Do Kwon, following a market collapse in May 2022 that resulted in losses exceeding $450 billion.