Ten people have been arrested in connection with a series of SIM-swapping attacks that reaped more than $100 million by taking over the mobile phone accounts of high-profile individuals, authorities said on Wednesday.
SIM-swapping is a crime that involves replacing a target’s legitimate SIM card with one belonging to the attacker. The attacker then initiates password resets for accounts for email, cryptocurrency holdings, and other important resources. With control over the target’s mobile phone, the attacker responds to text messages the account providers send to complete the password reset.
The account hijacking typically occurs with either the help of a malicious employee who works for the mobile carrier, or with the help of an attacker posing as the rightful account owner and asking for a new card.
Targeting the rich and famous
Authorities in Europe said that the suspects were part of a network that carried out SIM-swapping attacks throughout last year against high-profile individuals, including sports stars, musicians, Internet influencers, and their families.
After taking over the accounts, the attackers allegedly stole victims’ money, cryptocurrency, and personal information, including contacts. The attackers also allegedly hijacked social media accounts and posted content and messages that masqueraded as the victims. Cryptocurrency losses exceeded $100 million, authorities with Europol said.
Eight suspects, ages 18 to 26, were arrested in the UK on Tuesday. The action followed earlier arrests of two other suspects, located in Malta and Belgium. Press releases here and here from Europol and the UK’s National Crime Agency, respectively, didn’t name the suspects or say if any had entered a plea.
“Sim swapping requires significant organisation by a network of cyber criminals, who each commit various types of criminality to achieve the desired outcome,” said Paul Creffield, head of operations in the NCA’s National Cyber Crime Unit. “This network targeted a large number of victims in the US and regularly attacked those they believed would be lucrative targets, such as famous sports stars and musicians.”
SIM-swapping has emerged as a major criminal enterprise over the past few years, fueled in large part by the rise of cryptocurrency accounts that can hold millions of dollars in digital coin. In early 2019, a Massachusetts man pleaded guilty to a SIM-swap attack that netted $5 million in cryptocurrency. Later that year, an AT&T subscriber sued the mobile carrier on allegations its employees helped hackers perform SIM-swap attacks that robbed the plaintiff of $1.8 million worth of cryptocurrency. Last March, European authorities announced the arrests of 12 individuals alleged to have been part of a SIM-swapping ring that stole more than $4 million.
The arrests are the result of a partnership of law enforcement agencies from the NCA, US Secret Service, Homeland Security Investigations, the FBI, and the Santa Clara California District Attorney’s Office. Investigators notified victims when they were targeted, and when possible did so prior to a SIM swap being successful. The victims then had the opportunity to prevent the attack from working.
Europol provided the following advice for avoiding SIM-swapping attacks:
- Use two-factor authenticator apps rather than having an authentication code sent over SMS
- When possible, do not associate a mobile phone number with sensitive online accounts
- Keep device software up to date
- Don’t reply to suspicious emails or engage over the phone with callers who request personal information
- Limit the amount of personal data shared online