‘All hell was breaking loose’: Mystery deepens in case of Highland Park man accused of $400 million crypto hack on FTX

By the time the FBI raided Robert Powell’s luxurious Highland Park home three years ago, what agents saw as the red flags of fraud were everywhere.

The 23-year-old Powell was living alone on the North Shore despite having no legitimate income, according to federal court records obtained by the Tribune. He had a $150,000 BMW in the garage but rarely went out. One day, a letter carrier found six grand in cash in Powell’s mailbox. Powell allegedly told police it was how he paid his rent.

Federal investigators suspected Powell, originally from Elkhart, Indiana, was the leader of an elaborate cyber scheme that bilked PayPal users of more than a million dollars nationwide, according to an FBI search warrant affidavit filed in 2021.

Powell was also believed to be involved with a violent Indiana-based gang known as the “ChoppaBoyz,” whose founding members were under indictment in a drug-related home invasion in South Bend and also were accused of robbing two of Powell’s associates in Utah as they carried a quarter of a million dollars in fraud proceeds back to Indiana, the affidavit stated.

But the only charge that ever surfaced against Powell was a misdemeanor gun count filed in Lake County.

Until now.

Three years after the March 2021 raid, Powell, now 26, has been accused of helping pull off a much larger heist, one that seems ripped from the pages of some cyber-security pulp thriller: The $400 million hack of FTX, the failed crypto currency exchange headed by convicted fraudster Sam Bankman-Fried.

As the Tribune first reported, Powell was arrested at his home on Museum Drive last month on a federal indictment filed in Washington, D.C., charged with participating in a sophisticated “SIM swap” scheme with two out-of-state associates that allegedly siphoned at least $400 million in virtual currency from a single company and millions more from other individual victims.

While the indictment referred to the company only as “Victim Company 1,” the alleged hack occurred Nov. 11, 2022, the same day that FTX collapsed into bankruptcy. Bankman-Fried was later convicted of a massive fraud on investors and is awaiting sentencing next March in New York. Sources have confirmed to the Tribune that Victim Company 1 is FTX.

At the time, speculation was rampant that the hack was an inside job, but the details of how it went down had remained a whodunit.

While Powell has now been outed as one of the alleged FTX hackers, the investigative records obtained by the Tribune only deepen the mystery of how he could have pulled off the massive theft from such a high-profile target while he was already on the FBI’s radar.

In fact, the 2021 affidavit indicated the feds were aware at the time that Powell was moving on from PayPal to more sophisticated SIM swap schemes, which use stolen identities to get cellphone carriers to switch over a number to a new device, allowing the hacker to loot a victim’s virtual accounts.

At Powell’s detention hearing in Chicago earlier this month, prosecutors said they had agreed to have Powell’s live-in girlfriend act as his third-party custodian while on home confinement, an idea that the judge nixed after she told him she had no job and that Powell paid for her school and other expenses.

Powell wound up being released on house arrest with no custodian, just orders to stay off encrypted channels and use the internet only to communicate with family, look for work and play video games.

Sources told the Tribune the initial investigation was being led by authorities in the Northern District of Indiana, which includes the town of Elkhart where Powell is from and his family still lives.

The U.S. attorney’s office in South Bend had no comment on the status of its probe, and a spokesperson for federal prosecutors in Washington also declined to answer questions about the case filed there.

‘All hell was breaking loose’

The sprawling, $2 million, seven-bedroom home where Powell has lived for at least the past four years sits on a quiet, cul-de-sac lane just off of Half Day Road, a few doors away from Bulls legend Michael Jordan’s former estate.

It’s typical well-to-do suburbia, with a basketball hoop in the driveway, a hammock and fire pit on the back patio and fenced-in yard for the dogs.

On a recent weekday morning, the home was quiet, with shades drawn. But neighbors said the peaceful scene belied Powell’s dramatic arrest a few weeks ago.

Just after 4:30 a.m. Wednesday, Jan. 24, a contingent of law enforcement vehicles descended on Museum Drive. Neighbors awoke to the sound of shouting through a loudspeaker for the occupants to come out, followed by a series of bright flashes and booms.

“All hell was breaking loose,” said Tracy Marshbanks, who lives a few doors away. “I was just getting up, and I was like, is it fireworks? Gunshots?”

Marshbanks looked out the door to see more “flash-bang” explosions, the type law enforcement uses to stun or disorient subjects during an operation. He grabbed his night vision camera and tried to film video but the lights the police had on the house were too bright, he said.

Marshbanks, who moved into the neighborhood two years ago and does not know Powell, said neighbors couldn’t figure out why there wasn’t anything on the news about the arrest. A few days later, someone forwarded him the Tribune story about Powell’s charges.

Powell’s Chicago-based defense attorney, Gal Pissetzky, declined to discuss the details of the investigation, but said the way in which Powell was arrested was over the top.

“At the time they raided Mr. Powell’s home and arrested him, the government knew he was represented by counsel,” Pissetzky said. “All they had to do was make a phone call and I would gladly have arranged for him to surrender.”

The dramatic takedown in Highland Park was the culmination of an investigation that began in June 2020 in Cedar City, Utah, when a young couple reported to local police that they’d been robbed in a hotel parking lot by armed men of a backpack containing $250,000 in cash, the 2021 FBI affidavit stated.

The victims of the robbery initially gave police a phony story that they’d earned the money doing odd construction jobs over a four-day “cross-country road trip,” according to the affidavit.

Months later, however, the couple came clean, telling investigators that “they had participated in a fraud scheme while in California and that they were transporting cash proceeds from that scheme back to the Midwest when they were robbed,” the affidavit stated.

They told investigators the leader of the fraud scheme was Powell, their friend from Elkhart who had figured out a way to exploit weaknesses in the online wallet PayPal to steal at least $1.3 million from unsuspecting victims beginning as far back as 2018, according to the affidavit.

Powell told his associates he’d hacked into PayPal accounts of more than 1,200 victims by acquiring their identifying information from the dark web, the affidavit stated. From there, he allegedly was able to transfer funds into dummy accounts opened under fake ID cards, and recruited “semi-unwitting” participants who had legitimate bank accounts to withdraw money as cash.

The rest of the money was turned over to Powell’s associates, and ultimately kicked up to Powell himself, according to the FBI document.

Powell was also able to take advantage of a new partnership between PayPal and retail giant Walmart. Due to delays in reporting transactions between the two systems, Powell and his associates found they could withdraw cash from a PayPal account at a Walmart even though the account had been drained of funds a short time before, according to the affidavit.

The two victims of the Utah robbery told authorities Powell had paid to fly them to California, where they met with other associates and, on Powell’s instructions, targeted numerous Walmarts in the Los Angeles area over the course of several days, the affidavit stated.

According to the FBI, Powell would not go to the Walmarts with them, but was set up nearby and used a computer to transfer the withdrawn funds to other PayPal accounts.

At the end of their trip, Powell gave them the backpack full of cash and instructed to “drive it back to Indiana,” according to the affidavit. The couple said they’d made a similar trip to Houston that same summer.

After they were robbed, one of the victims allegedly discussed with Powell whether “they should step away from fraud schemes and related illegal activities,” the affidavit stated.

Powell replied “he would ‘never’ stop, even if he made enough money to afford to walk away,” the affidavit stated.

The couple said that recently, Powell had been branching into a new scheme “involving cellphones and cryptocurrency,” the affidavit stated. Though Powell had not let them in on any details, in January 2021 he instructed them to obtain numerous cellphones and accounts and bring them to his courier in Chicago.

Soon after, Powell grew suspicious that his friends were cooperating with law enforcement. In a series of Facebook messenger texts, Powell allegedly threatened one of the friends who had been robbed in Utah, saying he knew that authorities had reached out, the affidavit alleged.

“I had more trust in you than that,” one message from Powell allegedly read. “But if anything happens Ima already know it was yo shorty … Once the snitching Go out the window. It’s hand on. You know how it go.”

Another message allegedly read, “I’ll be out in 5 years. I’ll find u guys.”

‘ChoppaBoyz’ 

In the early morning hours of June 26, 2020, police in Cedar City, Utah, just outside Zion National Park, responded to a 911 call from a Hampton Inn. They were told by the victims that a group of men had approached them with guns, pistol whipped them and stole their backpack with a large amount of cash before taking off in a Honda Accord with Indiana plates, according to court records.

State police later spotted the car heading south on Interstate 15, leading to a high-speed chase that ended about 40 miles away when the suspects bailed out of the car and fled on foot, local news reported at the time. One suspect was quickly arrested while the other was found later by police. A third suspect was labeled a fugitive.

Emmanuel Martinez-Guevara and Carlos Reyes, both 20 at the time, were charged with aggravated robbery and aggravated assault theft, court records show. Inside their Honda, police found a wallet belonging to a third suspect, Marco Fernandez, as well as an AK-47 rifle and jewelry. Fernandez was ultimately arrested and charged with the robbery, according to court records.

Two months after the robbery, Martinez-Guevara, Reyes and Fernandez were indicted in federal court in Indiana on home invasion and robbery charges alleging they and two other associates broke into a drug dealer’s house in South Bend on June 9, 2020, zip tied the homeowner and a female occupant, tortured them and shot the homeowner in the leg.

They fled with a safe, drugs, cash and a handgun, as well as the jewelry that was later found in their Honda in Utah, according to the charges.

The Indiana indictment alleged their gang, the “ChoppaBoyz,” operated out of Elkhart and was known for selling narcotics as well as legitimate merchandise such as T-shirts, ballistic vests, and other memorabilia. The “ChoppaBoyz” insignia featured a silhouette of a military-style rifle.

Martinez-Guevara, Reyes and Fernandez all pleaded guilty to the home invasion charges and were sentenced to 10 years in federal prison. They were also found guilty in the Utah robbery and will serve state sentences consecutively, court records show.

Meanwhile, they started talking to investigators about Powell.

Fernandez told them that Powell, whom he’d known for years, made millions as a “scammer.” He said they often exchange photos with each other on Snapchat to brag about cash or “valuables that they had been able to acquire,” according to the affidavit.

Reyes and Martinez-Guevara told investigators similar accounts, adding that they had participated in various fraud schemes orchestrated by Powell, but were kept in the dark on how they operated. Their role was mostly to recruit people who had Chase bank accounts they could use to launder the stolen PayPal proceeds. Reyes and Martinez-Guevara would keep a cut and pay off the bank account owners for their efforts, the affidavit alleged.

While Powell was in California with his associates, he sent Fernandez a video posing “with what appeared to be more than $1 million in cash,” Fernandez said, which is what spurred him and his co-defendants to travel west and commit the armed robbery in Utah.

“They knew (the victims were) traveling back to the Midwest with a substantial amounts of cash from the scheme, and so they traveled out to rob them,” the affidavit stated.

‘ElSwapo’ strikes  

When investigators started looking into Powell and his girlfriend’s backgrounds, they found no legitimate income to explain how two people in their early 20s could be living so extravagantly, including renting the $2 million home in Highland Park, the affidavit stated.

Among the questionable expenses, Powell’s girlfriend had purchased a brand new Mercedes-Benz in September 2020 from a dealership in Naperville, putting down $22,000 cash as part of the financing. Records showed she’d never had a job, according to the FBI.

On other occasions, investigators conducting surveillance spotted a BMW i8 parked in the garage, a high-end sports car that retails for about $140,000, the affidavit stated.

On Feb. 2, 2021, a postal carrier was delivering mail on the block and found more than $6,000 in cash sitting in Powell’s mailbox, according to the FBI. The carrier reported the discovery to police and turned in the cash.

When officers interviewed Powell at the residence, Powell “claimed that he had placed the cash in the mailbox because it was his rental payment and that it was the typical way that he paid his landlord,” according to the affidavit.

“Even if this was a legitimate rental payment, such a transaction corroborates the fact that Powell is maintaining an extremely luxurious standard of living and continues to deal in substantial amounts of cash,” the FBI alleged in the affidavit.

But after the March 2021 raid, Powell was charged only with a misdemeanor count of having a gun without a valid firearm owner’s identification card. Records show the charge was eventually dismissed.

As the federal investigation continued, Powell allegedly began expanding his operation to illegal SIM swaps. According to the recent indictment filed in Washington, by early November 2022, Powell, who used the online monikers “R$” and “ElSwapo1” had already teamed up with others to steal at least $1.3 million from two victims.

At the same time, the sensational meltdown of Bankman-Fried’s FTX exchange was making headlines around the world. Customers were pulling funds off FTX en masse, leading to the Bahamas freezing the exchange’s assets on Nov. 10, 2022. The next day, Bankman-Fried had stepped down as CEO and his company filed for Chapter 11 bankruptcy protection.

“The things that you pray for, don’t always come in that form,” Powell posted cryptically on Facebook at the time of the FTX collapse.

On Nov. 11, the day of the bankruptcy filing, Powell allegedly directed co-conspirators to execute a SIM swap against an employee of FTX, the indictment alleged.

A co-schemer sent associate Emily Hernandez, of Colorado Springs, Colorado, a fraudulent identification document that had the victim’s personal information but Hernandez’s photo, according to the indictment. Hernandez then used the phony ID at a mobile phone service store in Texas, where she convinced them to port over the victim’s information to a new device.

Within hours, the co-conspirators had drained more than $400 million worth of virtual currency from FTX accounts, according to the indictment.

The hack was initially reported on crypto analytics sites as possibly as much as $477 million in various tokens stolen from FTX’s operational wallets. Once company insiders noticed what was happening, they moved millions more assets into “cold storage,” but the damage had already been done.

“FTX has been hacked, all funds seem to be gone,” an FTX administrator reportedly posted on the company’s; Telegram channel, according to news reports. “FTX apps are malware. Delete them.”

On the same day, Powell also targeted another victim, identified only as “A.C.,” whose identity was also stolen. The charges allege a different co-conspirator impersonated A.C. at a Texas mobile store, and once the SIM swap was made, the schemers stole nearly $600,000 in virtual currency, the indictment alleged.

The group pulled similar scams at stores across the country, including in Illinois, Indiana, Minnesota, Nebraska, New Mexico, Colorado, Virginia and Florida, according to the indictment.

Powell, Hernandez, and a third alleged co-schemer, Carter Rohn, 24, of Indianapolis, were all charged in the indictment with conspiracy to commit wire fraud and aggravated identity theft. They have made initial appearances virtually in U.S. District Court in Washington and have been released on bond in their home districts, records show.

Powell could face up to life in prison if convicted.

Powell, meanwhile, appears to have gone silent on social media. But a Facebook account linked to him was still filled with earlier posts that seemed to reference his world, from complaining about “rats” going to the authorities to ruminations about risk versus reward.

“Better to risk everything and walk away with nothing, than playing it safe,” he wrote in June 2022.

Two months later Powell posted a different message on the same profile:

“Never count my money before my blessings, because there’s no telling what’s going to happen.”

jmeisner@chicagotribune.com

Related posts