A Chicago man has been arrested on federal charges filed in Washington, D.C., alleging he participated in a sophisticated “SIM swap” scheme that allegedly siphoned $400 million in virtual currency from a single company and millions more from other individual victims.
Robert Powell was arrested quietly last week and made an initial appearance at the Dirksen U.S. Courthouse in Chicago, where prosecutors moved to have him held without bond pending transfer to U.S. District Court in Washington, court records show.
A detention hearing for Powell is currently set for Friday in Chicago before U.S. Magistrate Judge Heather McShain.
Powell’s Chicago-based attorney, Gal Pissetzky, declined to comment on the case Monday.
Powell was among three defendants charged in an indictment filed under seal in Washington with conspiracy to commit wire fraud and aggravated identity theft.
Also charged were Carter Rohn, 24, of Indianapolis, and Emily Hernandez, 23, of Colorado Springs, Colorado, records show. They were both arrested last week and have made initial appearances in federal court in their home districts.
SIM swapping is a technique in which attackers gain control of a telephone number by having it reassigned to a new device. Such attacks represent a growing security threat for government agencies and corporations because they can be used not only to target finances but also to manipulate social media accounts to spread misinformation, authorities have said.
A similar scheme was used recently in the high-profile attack on the U.S. Securities and Exchange Commission’s account on the social media platform X, formerly known as Twitter.
According to the 18-page indictment, which was made public in Chicago as part of the removal proceedings, Powell, who used the online moniker “ElSwapo1,” teamed up with others to fraudulently obtain victims’ personal information.
In some instances, the schemers created phony identification cards and traveled to wireless service provider retail outlets in states across the country, where the fake documents were used to convince the stores to “port” data over from the victims’ phones, according to the charges.
Once the information was transferred, the defendants could circumvent two-factor authentication security, giving them access to a victim’s virtual currency accounts, social media passwords, email and other sensitive data, the indictment alleged.
The indictment listed seven specific instances in which the schemers were allegedly able to hack into a victim’s accounts and get virtual currency, commonly known as cryptocurrency.
By far the largest occurred in November 2022, when Powell allegedly directed co-conspirators to execute a SIM swap against an employee of a company, identified in the charges only as Victim Company 1.
A co-schemer sent Hernandez a fraudulent identification document that had the victim’s personal information but Hernandez’s photo, according to the indictment. Hernandez then used the phony ID at a mobile phone service store in Texas, where she convinced them to port over the victim’s information to a new device.
Over the next two days, the co-conspirators drained more than $400 million worth of virtual currency from the company’s accounts, according to the indictment.
On the same day, Powell also targeted another victim, identified only as “A.C.,” whose identity was also stolen. The charges allege a different co-conspirator impersonated A.C. at a Texas mobile store, and once the SIM swap was made, the schemers stole nearly $600,000 in virtual currency.
Other similar attacks were conducted by the group over a two-year period between March 2021 and April 2023, the indictment stated, including one instance in November 2022 when the group used the stolen identity of a victim “V.C.” at a cellphone store in Utah and stole more than $1 million.
The group pulled similar scams at stores across the country, including in Illinois, Indiana, Minnesota, Nebraska, New Mexico, Colorado, Virginia and Florida, according to the indictment.
Powell’s arrest last week came days after the SEC provided further details on a separate SIM swap attack on its account on X earlier this month.
Reuters has reported the top financial regulatory agency said that, six months prior to the incident, staff had removed an added layer of protection, known as multifactor authentication, and did not restore it until after the Jan. 9 attack.
As anticipation mounted for the agency’s approval of exchange-traded products tracking bitcoin, an unidentified person or persons gained access to the account, posting the false announcement that approval had already been granted, causing a momentary jump in the cryptocurrency’s price, according to Reuters.
In a split vote, the commission granted approval the following day.
“Once in control of the phone number, the unauthorized party reset the password for the @SECGov account,” an SEC spokesperson said in a statement reported by the news service.
Law enforcement agencies are working to learn how the hackers prevailed on the SEC’s mobile carrier to make the switch, the SEC said, without identifying the carrier, Reuters reported, while lawmakers have demanded explanations as to how the SEC could have left itself exposed to such an attack.
Reuters contributed.
jmeisner@chicagotribune.com