A Successful SIM Swap Attack: Unpacking the 2022 FTX Hack
Published 09/02/2025
CSA’s Top Threats to Cloud Computing Deep Dive 2025 reflects on eight recent real-world security breaches. The report presents the narrative of each incident, as well as the relevant cloud security risks and mitigations. Today we’re reflecting on the seventh incident covered in the Deep Dive: FTX 2022.
The FTX Group had implemented several weak security measures. These included SMS-based two-factor authentication (2FA) and limited cloud platform controls. In November 2022, FTX's oversights enabled attackers to steal approximately $400 million USD worth of crypto assets. FTX's ineffective controls left billions of dollars of additional assets at risk.
FTX’s inadequate transaction monitoring and approval workflows enabled attackers to authorize large-scale fund transfers without intervention. Through a SIM swap scam, the attackers accessed FTX’s always-connected hot wallets, secret keys, and critical systems. Once inside, they escalated privileges and transferred funds while remaining undetected.
The identity of the threat actor was unknown for the first year after the breach. Then, in September 2023, authorities indicted three criminal co-conspirators. In January 2024, the US Attorney’s Office for DC unsealed the indictment, following the arrest of the defendants. It identified them as Robert Powell, Carter Rohn, and Emily Hernandez.
Multiple Top Threats contributed to this incident. Limited IAM controls resulted in a SIM swap attack (Top Threat #2: Identity and Access Management). This allowed the attackers to intercept OTPs, reset account credentials, and access FTX’s cloud systems and wallets.
Once the attackers had access, they exploited the poor internal segmentation (Top Threat #1: Misconfiguration and Inadequate Change Control). They also took advantage of the lack of transaction monitoring (Top Threat #6: Insecure Software Development).
Technical Impacts
- Confidentiality: No one has named the victims. However, the theft compromised the confidentiality of FTX’s secret keys and wallet access credentials. This led to unauthorized transfers of over $400 million USD in crypto assets.
- Integrity: The FTX platform has remained in bankruptcy as investigators still seek to recapture some of the stolen assets. It appears from the court filings that the system integrity remained intact and that all the victims are identifiable.
- Availability: Although FTX claimed the hack did not directly disrupt system uptime or operations, legal actions temporarily restricted exchange and customer funds access.
Business Impacts
- Financial: The theft of over $400 million USD resulted in a major liquidity crisis that forced FTX into bankruptcy.
- Operational: The U.S. Bankruptcy Court for the District of Delaware appointed new FTX management. The new team transferred some funds to offline (cold) wallets to prevent additional losses. Then, they announced in October 2024 that the bankruptcy plan would provide a full refund, plus interest, for former FTX customers. This was mainly a result of the enormous rise in the price of cryptocurrencies since the bankruptcy filing.
- Compliance: Officials arrested and sentenced the CEO. This was partly because of a lack of reasonable controls or compliance with U.S. law.
- Reputational: Newly appointed CEO John Ray filed a statement with the Bankruptcy Court. He stated, “Never in my career have I seen such a complete failure of corporate controls.” Notably, FTX’s reputation may end up rehabilitated after all the customers receive full reimbursement.
Preventive Mitigation
- User Access Provisioning: Implementing a user access provisioning and deprovisioning process ensures that access is only granted to authorized personnel. This reduces the likelihood of unauthorized users gaining access to critical systems. This process includes regularly auditing user permissions and access rights to ensure compliance with the principle of least privilege. It also involves integrating access provisioning with HR systems to automatically revoke access upon employee termination.
- Strong Authentication: Define and implement multi-factor authentication methods to ensure secure access to cloud environments and applications. This reduces the likelihood of unauthorized access to misconfigured systems. OTP-based MFA has become less and less secure, requiring more effective methods such as passkeys. Implement adaptive authentication that considers user behavior, location, and device posture to dynamically adjust authentication requirements.
- Unauthorized Change Protection: Technical controls should be in place to prevent unauthorized changes to accounts and systems. In the case of FTX, this would have included restricting the ability to transfer funds out of accounts.
- Change Management Baseline: Establish a baseline for user accounts. Ensure that management approves all devices associated with the account.
- Training and Awareness: Human error (e.g., reliance on weak 2FA) played a major role in the FTX breach. Training enhances staff awareness of risks associated with SIM swaps, privilege misuse, and other issues with mobile devices.
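The preventive controls above (strong authentication, unauthorized change protection, an approved-device baseline) can be expressed as a single authorization decision in front of every outbound transfer. The following Python is an added example, not code from the CSA report or from FTX; the authenticator ranking, thresholds, user names and scenarios are all constructed assumptions.

```python
"""Added example (not CSA's or FTX's code): a fund-transfer authorization
check that encodes the preventive controls above as policy. Names, thresholds
and sample sessions are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Authenticator strength, ranked by phishing resistance. SMS OTP is lowest:
# it is exactly the factor a SIM swap defeats.
AUTH_STRENGTH = {"password": 0, "sms_otp": 1, "totp": 2, "hardware_key": 3, "passkey": 3}


@dataclass
class Session:
    user: str
    auth_method: str
    authenticated_at: datetime
    device_approved: bool  # device is in the management-approved baseline


@dataclass
class TransferRequest:
    amount_usd: float
    approvers: list = field(default_factory=list)  # users who approved this request


@dataclass
class Policy:
    min_auth_method: str = "hardware_key"        # passkey/hardware key required for transfers
    dual_control_threshold_usd: float = 100_000  # at or above this, a second approver is required
    max_session_age: timedelta = timedelta(minutes=15)  # re-authenticate before moving funds
    daily_limit_usd: float = 1_000_000           # per-user outbound cap


def authorize_transfer(session, request, policy, transferred_today_usd, now):
    """Return (allowed, reasons). Every failing control is reported, not just the first."""
    reasons = []
    if AUTH_STRENGTH.get(session.auth_method, -1) < AUTH_STRENGTH[policy.min_auth_method]:
        reasons.append(f"auth method {session.auth_method!r} weaker than required {policy.min_auth_method!r}")
    if not session.device_approved:
        reasons.append("device not in approved baseline")
    if now - session.authenticated_at > policy.max_session_age:
        reasons.append("session too old; re-authentication required")
    if request.amount_usd >= policy.dual_control_threshold_usd:
        if not {a for a in request.approvers if a != session.user}:
            reasons.append("dual control: a second, distinct approver is required")
    if transferred_today_usd + request.amount_usd > policy.daily_limit_usd:
        reasons.append("daily outbound limit exceeded")
    return (not reasons, reasons)


def example_decisions():
    """Constructed scenarios; returns {name: (allowed, reasons)}."""
    now = datetime(2022, 11, 11, 22, 20, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)
    policy = Policy()
    strong = Session("ops-1", "hardware_key", fresh, True)
    return {
        # SMS-OTP session, single operator: rejected on two controls at once
        "sms_otp_solo": authorize_transfer(Session("ops-1", "sms_otp", fresh, True),
                                           TransferRequest(250_000), policy, 0, now),
        # hardware key plus a distinct second approver, within limits: allowed
        "hw_key_dual": authorize_transfer(strong, TransferRequest(250_000, ["treasury-2"]), policy, 0, now),
        # approving your own request does not satisfy dual control
        "hw_key_self_approve": authorize_transfer(strong, TransferRequest(250_000, ["ops-1"]), policy, 0, now),
        # strong auth and dual control, but the daily cap would be breached
        "hw_key_over_limit": authorize_transfer(strong, TransferRequest(250_000, ["treasury-2"]), policy, 900_000, now),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in example_decisions().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

The decision reports every failing control rather than stopping at the first, so an operator sees that an SMS-OTP session was rejected both for authenticator strength and for missing dual control; that distinction matters when tuning the policy after an incident.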
Detective Mitigation
- Detection of Baseline Deviation: Implement detection measures with proactive notification in case changes deviate from the established baseline. A change in SIM card associations is a deviation that FTX could have detected and rejected.
- User Access Review: Review and revalidate user access for least privilege and separation of duties with a frequency commensurate with organizational risk tolerance. Consistent and periodic access reviews can establish a baseline and then indicate deviations from that baseline.
- Network Defense: The lack of sufficient defenses within FTX’s network allowed attackers to access and move funds. Implementing defense-in-depth techniques, such as monitoring for anomalous traffic, could help prevent or contain similar breaches.
- Security Monitoring and Alerting: Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.
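The baseline-deviation and monitoring controls above come down to one correlation: a SIM or phone-number change on an account, followed within a short window by a credential reset or OTP login, followed by an outbound transfer. The Python below is an added example, not CSA's or FTX's code; the event names, fields and JSON-lines audit log are constructed for illustration and are not FTX telemetry.

```python
"""Added example (not CSA's or FTX's code): a correlation rule, run over
constructed JSON-lines audit events, that flags the SIM-swap takeover
sequence: a phone/SIM change, then a credential reset or OTP login, then an
outbound transfer. Event names, fields and the log lines are assumptions."""
import json
from datetime import datetime, timedelta

# Constructed audit log; not real FTX telemetry.
SAMPLE_LOG = """\
{"ts": "2022-11-11T22:01:00Z", "event": "sim_or_phone_change", "user": "ops-1", "src_ip": "203.0.113.10"}
{"ts": "2022-11-11T22:04:30Z", "event": "password_reset", "user": "ops-1", "channel": "sms_otp"}
{"ts": "2022-11-11T22:06:00Z", "event": "login", "user": "ops-1", "mfa": "sms_otp", "src_ip": "203.0.113.10"}
{"ts": "2022-11-11T22:20:00Z", "event": "wallet_transfer", "user": "ops-1", "amount_usd": 25000000}
{"ts": "2022-11-11T23:00:00Z", "event": "login", "user": "analyst-7", "mfa": "hardware_key", "src_ip": "198.51.100.7"}
{"ts": "2022-11-11T23:05:00Z", "event": "wallet_transfer", "user": "analyst-7", "amount_usd": 1500}
"""

WINDOW = timedelta(hours=24)   # how long a SIM change keeps an account "in deviation"
LARGE_TRANSFER_USD = 100_000   # transfers at or above this escalate to critical


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW, large=LARGE_TRANSFER_USD):
    """Return alerts (dicts) for baseline deviations and the actions that follow them."""
    alerts = []
    deviation_at = {}  # user -> time of most recent SIM/phone change
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "sim_or_phone_change":
            deviation_at[user] = ts
            alerts.append({"user": user, "ts": ts.isoformat(), "severity": "medium",
                           "reason": "SIM/phone baseline deviation; hold account changes pending out-of-band verification"})
            continue
        t0 = deviation_at.get(user)
        if t0 is None or ts - t0 > window:
            continue  # no recent deviation for this user, nothing to correlate
        if e["event"] == "password_reset" or (e["event"] == "login" and e.get("mfa") == "sms_otp"):
            alerts.append({"user": user, "ts": ts.isoformat(), "severity": "high",
                           "reason": f"{e['event']} shortly after SIM change (account-takeover pattern)"})
        elif e["event"] == "wallet_transfer":
            severity = "critical" if e.get("amount_usd", 0) >= large else "high"
            alerts.append({"user": user, "ts": ts.isoformat(), "severity": severity,
                           "reason": f"outbound transfer of ${e['amount_usd']:,} after SIM change; block and require manual approval"})
    return alerts


def detect(text=SAMPLE_LOG):
    """Run the rule end to end over a JSON-lines log."""
    return correlate(parse_events(text))


if __name__ == "__main__":
    for a in detect():
        print(a["severity"].upper(), a["user"], a["ts"], a["reason"])
```

The first alert fires on the SIM change itself, before any login, which is the point at which the change can still be held for verification; the later alerts escalate as the sequence progresses, and the transfer alert is the one that should gate the payout rather than merely notify.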
Corrective Mitigation
- Remediation: Establish and maintain a risk-based corrective action plan to remediate incident and breach case findings. Review and report remediation status to relevant stakeholders. Banks have clawback processes for unauthorized transfers. FTX had no such recourse, and found themselves in a nightmare situation.
- Change Restoration: Define and implement a process to proactively roll back changes to a previously known good state. This would have ensured that FTX could restore customer funds.
- Incident Response Plans: Ensure that incidents involving unauthorized access or fund transfers trigger immediate containment and recovery steps.
- Security Breach Notification: Define and implement processes, procedures, and technical measures for security breach notifications. Report security breaches and assumed security breaches as per applicable SLAs, laws, and regulations.
- Key Rotation: No one had properly rotated FTX’s compromised keys, allowing attackers to maintain access to funds. Establishing key rotation policies based on cryptoperiods or detected threats would help limit the impact of compromised keys.
- Backup (Recovery): Poor backup and restoration processes delayed FTX’s ability to recover critical customer funds. Periodically backing up sensitive financial data, keys, and configurations and ensuring their confidentiality, integrity, and availability would enable faster recovery after incidents.
Key Takeaways from This Incident
- SMS-based 2FA is insufficient to prevent malicious actors from accessing accounts. Any financial institution holding money or crypto assets must protect deposits with substantially more security controls. Passkeys, hardware security keys, and/or biometric authentication are all current-generation approaches far superior to SMS OTP 2FA.
- Enhanced IAM practices, including enforcing least privilege and MFA, are critical to reducing the risks of future data leaks. Regularly conduct access reviews and audits.
- To reduce the incidence of theft and restore trust, financial institutions must develop and maintain clawback processes. Otherwise, they must insure their depositors, or they risk bankruptcy from a single successful hack.
- Strong corporate governance and effective internal controls are essential to detecting and mitigating security risks. Organizations must implement board-level cybersecurity oversight, conduct independent audits, and establish continuous monitoring to prevent large-scale breaches.
- Comprehensive incident response plans, tailored to crypto-specific risks, are crucial to limiting financial and operational damage. Organizations should prioritize rapid detection, containment, and recovery by developing playbooks that address hot wallet compromises, SIM swaps, and unauthorized transactions.
Interested in reading about other recent cyber incidents? CSA’s Top Threats to Cloud Computing Deep Dive 2025 analyzes seven other notable cloud breach cases. Get a detailed breakdown of the Snowflake, Football Australia, CrowdStrike, Toyota, Darkbeam, Retool/Fortress, and Microsoft incidents. This breakdown includes:
- Attack details
- A description of the threat actor
- The associated top threats
- The technical and business impacts
- Relevant Cloud Controls Matrix (CCM) controls to use for preventive, detective, and corrective mitigation
- Essential metrics to measure control effectiveness
- Key takeaways