
Six hackers charged over SIM swapping attacks

Six individuals from a hacking group known as ‘The Community’ have been charged with stealing over $2.4 million in cryptocurrency using the SIM swapping method. What is SIM swapping and how can you prevent it?

Aided by three former telecom employees, five Americans and one Irishman allegedly took control of their victims’ phone numbers and then emptied their crypto wallets. They now face charges of wire fraud, conspiracy to commit wire fraud, and aggravated identity theft. The collaborators, former employees of AT&T and Verizon, have been charged separately.

A SIM swap is a form of attack increasingly used to target cryptocurrency users. The attacker bypasses 2FA security by impersonating the victim and persuading a mobile phone carrier to reroute the phone number to a SIM card controlled by the attacker.

Next-generation crypto crime

As the final safeguard for many online accounts, a mobile phone number is a high-value target for crypto hackers. Once a hacker has control of a victim’s phone number, depending on the individual’s security protocols, the hacker can use this to reset passwords on email addresses and social media accounts and even gain access to cryptocurrency wallets.

According to blockchain security experts CipherTrace, this type of attack is increasingly common. The firm’s Q4 2018 Cryptocurrency Anti-Money Laundering Report identified SIM swapping as a “next-generation crypto crime” and a major threat facing the ecosystem.

Most of the attacks, though, can be traced to just a few dozen individuals, says Sergeant Samy Tarazi from REACT Task Force, a law enforcement unit dedicated to fighting cybercrime:

“We’re talking about kids aged mainly between 19 and 22 being able to steal millions of dollars in cryptocurrencies. I mean, if someone gets robbed of $100,000 that’s a huge case, but we’re now dealing with someone who buys a 99 cent SIM card off eBay, plugs it into a cheap burner phone, makes a call and steals millions of dollars. That’s pretty remarkable.”

Although the attacks have been on the radar of authorities for some time, the first conviction was only made in February, when college student Joel Ortiz pleaded guilty to stealing more than $5 million in bitcoin by hijacking the phone numbers of around 40 bitcoin users. He was sentenced to ten years in prison.

One of the most prolific SIM swappers, the self-styled Robin Hood Nicholas Truglia, bragged of his crimes on Twitter before being arrested in November 2018. He was ordered to pay victim Michael Terpin $74.8 million in compensation — a sum three times the size of his original loss.

The SIM swapping protocol

One of Truglia’s other victims, tech entrepreneur Robert Ross, responded to the theft of $1 million from his Gemini and Coinbase accounts by launching StopSIMCrime — an initiative to raise awareness about the issue and put pressure on telecom companies to help prevent future losses.

The San Francisco Division of the Federal Bureau of Investigation published guidance earlier this month on how to avoid SIM swapping attacks. Their report reveals the typical modus operandi of SIM swappers, who rely on a mix of research and social engineering to identify targets and then trick telecom operators into rerouting the victim’s number to a different SIM card.

As the FBI warns, the majority of victims are “heavy investors in or early adopters of cryptocurrency”, are identified by the attacker on social media or in real life, and then intensely researched to obtain mobile telephone numbers and network details — which can sometimes be found on the dark web if not readily available on social media.

With this information, hackers are able to trick telecom operators into porting the phone number, allowing them to initiate password resets on the victim’s email, cloud storage, and social media accounts through phone-based 2FA text messages.

As the FBI suggests, moving away from phone-based 2FA is the first step to protect against SIM swapping. This applies to individual crypto exchange and wallet accounts, and email accounts.

Security is best achieved with one-time codes generated by apps like Authy and Google Authenticator that don’t rely on the mobile phone number and are not directly vulnerable to SIM swapping attacks. Next-generation two-factor authentication dongles like the Titan Security Key by Google provide an extra layer of security.

