Full Report
The Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS) is pursuing funds taken from five victims between late October 2022 and March 2023, according to a news release.
Analysis Summary
# Incident Report: DOJ Seizure of Bitcoin Stolen via SIM Swapping
## Executive Summary
The U.S. Department of Justice (DOJ) is pursuing civil forfeiture of approximately \$5 million in Bitcoin stolen from five victims between late October 2022 and March 2023. The thefts were made possible through successful SIM swapping attacks, which allowed threat actors to gain control of victims' phone numbers and bypass multifactor authentication to drain cryptocurrency wallets. Following the illicit transactions, the stolen funds were laundered through multiple wallets before ultimately being consolidated into an account associated with the online casino Stake.com.
## Incident Details
- **Discovery Date:** Not stated precisely; the thefts were discovered after they occurred, between late October 2022 and March 2023 (federal forfeiture proceedings were initiated later).
- **Incident Date:** Late October 2022 to March 2023.
- **Affected Organization:** Five unnamed victims of cryptocurrency theft.
- **Sector:** Financial Services/Cryptocurrency.
- **Geography:** Not specified, though the proceedings are handled by DOJ CCIPS (likely U.S.-based victims, given the reporting).
## Timeline of Events
### Initial Access
- **Date/Time:** Occurring between late October 2022 and March 2023.
- **Vector:** SIM Swapping.
- **Details:** Attackers successfully convinced mobile carriers to port the victims' phone numbers to devices controlled by the attackers. This provided access to SMS-based One-Time Passwords (OTPs) used for multifactor authentication (MFA) for cryptocurrency wallets.
### Lateral Movement
- **Details:** Attackers moved stolen funds through "multiple cryptocurrency wallets" to obscure the transaction path. They also utilized "circular" transactions, returning funds to their original source, consistent with money laundering techniques.
### Data Exfiltration/Impact
- **Details:** Approximately \$5 million in Bitcoin was stolen from the victims' cryptocurrency wallets. The final destination for the consolidated funds was an account at the online casino Stake.com.
### Detection & Response
- **Details:** The incidents were detected following unauthorized transactions from the victims' wallets. The response involves the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS) filing civil forfeiture complaints to seize the identified \$5 million in Bitcoin.
## Attack Methodology
- **Initial Access:** SIM Swapping (social engineering/carrier manipulation to gain control of phone numbers).
- **Persistence:** Not explicitly detailed, though rapid movement post-access suggests a short-term goal of immediate fund transfer rather than long-term persistence.
- **Privilege Escalation:** Bypassing MFA protections associated with cryptocurrency wallets via control of the phone number.
- **Defense Evasion:** Use of a multi-wallet "tour" and circular transactions designed to "clean" the illicit proceeds and evade tracing.
- **Credential Access:** Gaining access to wallet recovery/access codes facilitated by SMS-based MFA bypass.
- **Discovery:** Not specified, likely internal victim monitoring or financial institution alerts.
- **Lateral Movement:** Movement of stolen Bitcoin across numerous intermediary cryptocurrency wallets.
- **Collection:** Theft of Bitcoin held in victim wallets.
- **Exfiltration:** Transfer of Bitcoin from compromised wallets to attacker-controlled addresses, eventually consolidated.
- **Impact:** Significant financial loss for five victims.
## Impact Assessment
- **Financial:** \$5 million in Bitcoin targeted for seizure by the DOJ.
- **Data Breach:** Cryptocurrency assets were stolen after the attackers obtained the access credentials (SMS OTPs) protecting the victims' wallets.
- **Operational:** Direct financial loss/theft for victims.
- **Reputational:** Unspecified, but potentially related to trust in mobile carriers and cryptocurrency security practices.
## Indicators of Compromise
(Note: Specific IOCs like wallet addresses or IP logs are not provided in the text, but derived indicators are listed.)
- **Network indicators:** Transactions originating from or leading to major mixing services or known problematic gambling platforms (e.g., Stake.com activity).
- **File indicators:** None specified.
- **Behavioral indicators:** A sequence of transactions involving rapid movement across numerous non-custodial wallets immediately following a phone number change event (SIM swap confirmation).
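The behavioral indicator above can be turned into a simple correlation rule on the provider side: a phone-number change followed within a short window by SMS-confirmed withdrawals. The code below is an added example, not part of the DOJ report; the log field names, account ids, amounts and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in the shape an exchange or wallet provider might log.
# Field names and values are assumptions for this example, not taken from the report.
PHONE_CHANGES = [
    {"account": "acct-1", "ts": "2022-11-02T09:15:00", "new_number": "+15550001111"},
    {"account": "acct-2", "ts": "2023-02-10T14:00:00", "new_number": "+15550002222"},
]

WITHDRAWALS = [
    {"account": "acct-1", "ts": "2022-11-02T09:41:00", "btc": 12.5, "mfa": "sms_otp"},
    {"account": "acct-1", "ts": "2022-11-02T10:05:00", "btc": 30.0, "mfa": "sms_otp"},
    {"account": "acct-2", "ts": "2023-03-01T08:00:00", "btc": 0.2, "mfa": "totp"},
]


@dataclass
class Alert:
    account: str
    change_ts: str
    withdrawals: int
    btc_total: float
    sms_only: bool  # True when every flagged withdrawal was confirmed by SMS OTP


def correlate(phone_changes, withdrawals, window=timedelta(hours=24), min_btc=1.0):
    """Flag accounts that withdraw at least `min_btc` within `window` of a phone-number change.

    SMS-confirmed withdrawals are singled out because SMS OTP is exactly the factor
    a SIM swap defeats; TOTP or hardware-key confirmations are unaffected by it.
    """
    alerts = []
    for change in phone_changes:
        t0 = datetime.fromisoformat(change["ts"])
        hits = [w for w in withdrawals
                if w["account"] == change["account"]
                and t0 <= datetime.fromisoformat(w["ts"]) <= t0 + window]
        total = sum(w["btc"] for w in hits)
        if hits and total >= min_btc:
            alerts.append(Alert(change["account"], change["ts"], len(hits), total,
                                all(w["mfa"] == "sms_otp" for w in hits)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(PHONE_CHANGES, WITHDRAWALS):
        print(alert)
```

The same rule can be applied preventively: rather than only alerting, a provider can hold or step-up-verify withdrawals for a cooling-off period after any phone-number change.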
## Response Actions
- **Containment measures:** The DOJ is pursuing civil forfeiture actions to legally freeze and seize the cryptocurrency assets.
- **Eradication steps:** Not applicable to the response phase described; focused on asset recovery.
- **Recovery actions:** The DOJ is attempting to recover the stolen \$5 million in Bitcoin through legal means.
## Lessons Learned
- **Key takeaways:** SIM swapping remains a highly effective attack vector against accounts relying solely on SMS for MFA. Sophisticated money laundering techniques (circular transactions) were successfully employed to obscure the trail of stolen cryptocurrency.
- **What could have been done better:** Victims likely relied on SMS-based MFA instead of hardware keys or app-based authenticators (like TOTP), which are resilient to SIM swaps.
## Recommendations
- Organizations and individuals managing high-value cryptocurrency assets must immediately transition away from SMS-based or email-based Multifactor Authentication (MFA).
- Implement hardware security keys (e.g., FIDO2/U2F) for accessing critical accounts, which are impervious to SIM swapping attacks.
- Mobile carriers need strengthened verification protocols to prevent unauthorized phone number porting.