Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
STAR for AI
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
CSA Training
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Trusted AI Safety Expert (TAISE)
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
STAR for AI
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
CSA Training
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Trusted AI Safety Expert (TAISE)
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
ChaptersEventsBlog
Join us on September 3rd for The Evolution of Cloud Network Security webinar. Register now!

A Successful SIM Swap Attack: Unpacking the 2022 FTX Hack

Published 09/02/2025

Home
Industry Insights
A Successful SIM Swap Attack: Unpacking the 2022 FTX Hack
Written by Megan Theimer, Content Marketing Manager, CSA.

CSA’s Top Threats to Cloud Computing Deep Dive 2025 reflects on eight recent real-world security breaches. The report presents the narrative of each incident, as well as the relevant cloud security risks and mitigations. Today we’re reflecting on the seventh incident covered in the Deep Dive: FTX 2022.

 

The FTX Group had implemented several weak security measures. These included SMS-based two-factor authentication (2FA) and limited cloud platform controls. In November 2022, FTX's oversights enabled attackers to steal approximately $400 million USD worth of crypto assets. FTX's ineffective controls left billions of dollars of additional assets at risk. 

FTX’s inadequate transaction monitoring and approval workflows enabled attackers to authorize large-scale fund transfers without intervention. Through a SIM swap scam, the attackers accessed FTX’s always-connected hot wallets, secret keys, and critical systems. Once inside, they escalated privileges and transferred funds while remaining undetected. 

The identity of the threat actor was unknown for the first year after the breach. Then, in September 2023, authorities indicted three criminal co-conspirators. In January 2024, the US Attorney’s Office for DC unsealed the indictment, following the arrest of the defendants. It identified them as Robert Powell, Carter Rohn, and Emily Hernandez.

Multiple Top Threats contributed to this incident. Limited IAM controls resulted in a SIM swap attack (Top Threat #2: Identity and Access Management). This allowed the attackers to intercept OTPs, reset account credentials, and access FTX’s cloud systems and wallets.

Once the attackers had access, they exploited the poor internal segmentation (Top Threat #1: Misconfiguration and Inadequate Change Control). They also took advantage of the lack of transaction monitoring (Top Threat #6: Insecure Software Development). 

 

Technical Impacts

  • Confidentiality: No one has named the victims. However, the theft compromised the confidentiality of FTX’s secret keys and wallet access credentials. This led to unauthorized transfers of over $400 million USD in crypto assets. 
  • Integrity: The FTX platform has remained in bankruptcy as investigators still seek to recapture some of the stolen assets. It appears from the court filings that the system integrity remained intact and that all the victims are identifiable.
  • Availability: Although FTX claimed the hack did not directly disrupt system uptime or operations, legal actions temporarily restricted exchange and customer funds access. 
 

Business Impacts

  • Financial: The theft of over $400 million USD resulted in a major liquidity crisis that forced FTX into bankruptcy. 
  • Operational: The U.S. Bankruptcy Court for the District of Delaware appointed new FTX management. The new team transferred some funds to offline (cold) wallets to prevent additional losses. Then, they announced in October 2024 that the bankruptcy plan would provide a full refund, plus interest, for former FTX customers. This was mainly a results of the enormous rise in the price of cryptocurrencies since the bankruptcy filing. 
  • Compliance: Officials arrested and sentenced the CEO. This was partly because of a lack of reasonable controls or compliance with U.S. law. 
  • Reputational: Newly appointed CEO John Ray filed a statement with the Bankruptcy Court. He stated, “Never in my career have I seen such a complete failure of corporate controls.” Notably, FTX’s reputation may end up rehabilitated after all the customers receive full reimbursement.
 

Preventive Mitigation

  • User Access Provisioning: Implementing a user access provisioning and deprovisioning process ensures that access is only granted to authorized personnel. This reduces the likelihood of unauthorized users gaining access to critical systems. This process includes regularly auditing user permissions and access rights to ensure compliance with the principle of least privilege. It also involves integrating access provisioning with HR systems to automatically revoke access upon employee termination. 
  • Strong Authentication: Define and implement multi-factor authentication methods to ensure secure access to cloud environments and applications. This reduces the likelihood of unauthorized access to misconfigured systems. OTP-based MFA has become less and less secure, requiring more effective methods such as passkeys. Implement adaptive authentication that considers user behavior, location, and device posture to dynamically adjust authentication requirements.
  • Unauthorized Change Protection: Technical controls should be in place to prevent unauthorized changes to accounts and systems. In the case of FTX, this would have included restricting the ability to transfer funds out of accounts. 
  • Change Management Baseline: Establish a baseline for user accounts. Ensure that management approves all devices associated with the account. 
  • Training and Awareness: Human error (e.g., reliance on weak 2FA) played a major role in the FTX breach. Training enhances staff awareness of risks associated with SIM swaps, privilege misuse, and other issues with mobile devices.
 

Detective Mitigation

  • Detection of Baseline Deviation: Implement detection measures with proactive notification in case changes deviate from the established baseline. A change in SIM card associations is a deviation that FTX could have detected and rejected. 
  • User Access Review: Review and revalidate user access for least privilege and separation of duties with a frequency commensurate with organizational risk tolerance. Consistent and periodic access reviews can establish a baseline and then indicate deviations from that baseline. 
  • Network Defense: The lack of sufficient defenses within FTX’s network allowed attackers to access and move funds. Implementing defense-in-depth techniques, such as monitoring for anomalous traffic, could help prevent or contain similar breaches. 
  • Security Monitoring and Alerting: Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.
 

Corrective Mitigation

  • Remediation: Establish and maintain a risk-based corrective action plan to remediate incident and breach case findings. Review and report remediation status to relevant stakeholders. Banks have clawback processes for unauthorized transfers. FTX had no such recourse, and found themselves in a nightmare situation. 
  • Change Restoration: Define and implement a process to proactively roll back changes to a previously known good state. This would have ensured that FTX could restore customer funds. 
  • Incident Response Plans: Ensure that incidents involving unauthorized access or fund transfers trigger immediate containment and recovery steps. 
  • Security Breach Notification: Define and implement processes, procedures, and technical measures for security breach notifications. Report security breaches and assumed security breaches as per applicable SLAs, laws, and regulations. 
  • Key Rotation: No one had properly rotated FTX’s compromised keys, allowing attackers to maintain access to funds. Establishing key rotation policies based on cryptoperiods or detected threats would help limit the impact of compromised keys. 
  • Backup (Recovery): Poor backup and restoration processes delayed FTX’s ability to recover critical customer funds. Periodically backing up sensitive financial data, keys, and configurations and ensuring their confidentiality, integrity, and availability would enable faster recovery after incidents.
 

Key Takeaways from This Incident

  • 2FA is insufficient to prevent malicious actors from accessing accounts. Any financial institution holding money or crypto assets must protect deposits with substantially more security controls. Passkeys, hardware security keys, and/or biometric authentications are all current-generation approaches far superior to 2FA. 
  • Enhanced IAM practices, including enforcing least privilege and MFA, are critical to reducing the risks of future data leaks. Regularly conduct access reviews and audits. 
  • To reduce the incidence of theft and restore trust, financial institutions must develop and maintain clawback processes. Otherwise, they must insure their depositors, or they risk bankruptcy from a single successful hack. 
  • Strong corporate governance and effective internal controls are essential to detecting and mitigating security risks. Organizations must implement board-level cybersecurity oversight, conduct independent audits, and establish continuous monitoring to prevent large-scale breaches. 
  • Comprehensive incident response plans, tailored to crypto-specific risks, are crucial to limiting financial and operational damage. Organizations should prioritize rapid detection, containment, and recovery by developing playbooks that address hot wallet compromises, SIM swaps, and unauthorized transactions.
 

Interested in reading about other recent cyber incidents? CSA’s Top Threats to Cloud Computing Deep Dive 2025 analyzes seven other notable cloud breach cases. Get a detailed breakdown of the Snowflake, Football Australia, CrowdStrike, Toyota, Darkbeam, Retool/Fortress, and Microsoft incidents. This breakdown includes:Cover of Top Threats to Cloud Computing Deep Dive 2025

  • An attack detail
  • A description of the threat actor
  • The associated top threats
  • The technical and business impacts
  • Relevant Cloud Controls Matrix (CCM) controls to use for preventive, detective, and corrective mitigation
  • Essential metrics to measure control effectiveness
  • Key takeaways
Identity and Access ManagementVulnerabilitiesMisconfigurationTop Threats

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Register Now for CSA's Virtual Zero Trust Summit 2025
Securing MLOps: Protecting ML, LLMOps & AgentOps Pipelines
Upcoming Webinar: From Risk to ROI - The Business Case for Identity Security
Unlock Cloud Security Insights

Unlock Cloud Security Insights

Choose the CSA newsletters that match your interests:

Subscribe to our newsletter for the latest expert trends and updates

Level up with Cloud Infrastructure Security Training
Related Articles:
Achieving Resilience Through Zero Trust

Published: 08/29/2025

The Emerging Identity Imperatives of Agentic AI

Published: 08/28/2025

Introducing DIRF: A Comprehensive Framework for Protecting Digital Identities in Agentic AI Systems

Published: 08/27/2025

The Urgent Need for Hypervisor Security in Healthcare

Published: 08/26/2025