Alleged SIM-swap scammer nabbed for stealing $5m in Bitcoin

On 12 July, Los Angeles police arrested a 20-year-old college student from Boston at the LA International Airport.

Bound for Europe, he was lugging a Gucci bag: only one piece of swag among many that prosecutors allege were bought with the proceeds of cryptocurrency that he ripped off in SIM swap scams.

They’re charging Joel Ortiz with hijacking phone numbers to steal the Bitcoin and other cryptocurrencies. Ortiz is now facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him on the day before his arrest and subsequently obtained by Motherboard.

Ortiz allegedly hijacked around 40 victims’ phone numbers with the help of a gang of scammers. His co-conspirators haven’t yet been named, according to court documents. All together, the crooks allegedly stole $5 million, including some from cryptocurrency investors at a blockchain conference called Consensus that’s run by CoinDesk.

Included in the court documents was a screen grab that gives a hint as to how much control these scammers can get over our lives given they nab enough information about us to convince our phone companies that yes indeed, it’s really, truly us, calling to port our own phone number to a new SIM card:

“Hi Daddy Love you,” texted the daughter of one of the hacker’s alleged cryptocurrency investor victims.

The reply: “TELL YOUR DAD TO GIVE US BITCOIN”.

SIM card swap scams have been around for years. So too have the many flavors of cryptocurrency scams, be they exploiting Twitter to con naïve users out of their digital currencies (last month, one fraudster even managed to compromise a verified Twitter account), looting the exchanges (sometimes using real-life robbers with real-life guns), or carting off hundreds of the servers used to mine the digital currencies.

But the crime that Ortiz stands accused of is reportedly the first time an alleged SIM-swap fraudster has ripped off cryptocurrency.

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number. But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

That’s how the investor’s daughter managed to text her “I love you” message to the thief who had her dad’s phone number: she just texted the same number she’s always used.

Unfortunately, the same goes for communication with your sensitive accounts, like bank accounts: it’s all under the control of a thief when you’ve been victimized by a fraudulent SIM swapper.

Banks have traditionally sent authorization codes needed when using 2FA or 2SV – that’s two-factor authentication or two-step verification – via SMS to complete a financial transaction. (Fortunately, this is becoming less common: The United States National Institute for Standards and Technology [NIST] in 2016 published new guidelines forbidding SMS-based authentication in 2FA. Besides the security risks of mobile phone portability, problems with the security of SMS delivery have included malware that can redirect text messages and attacks against the mobile phone network such as the so-called SS7 hack.)

By stealing your phone number, the crooks have also stolen access to your 2FA codes – at least, until you manage to convince your account providers that somebody else has hijacked your account.

Crooks have made the most of that window of opportunity to:

  • Change as many profile settings on your account as they can.
  • Add new payment recipient accounts belonging to accomplices.
  • Pay money out of your account where it can be withdrawn quickly in cash, never to be seen again.

By changing settings on your account, they make it more difficult both for the bank to spot that fraud is happening and for you to convince your bank that something has gone wrong.

But back to Ortiz: he was a member of OGUSERS, an online marketplace for selling online accounts and virtual goods and a black market for valuable, stolen Instagram and Twitter accounts. SIM swap fraudsters are also known to sell stolen accounts on the site.

Motherboard spoke to one cryptocurrency investor who was attacked during Consensus and allegedly lost nearly $1.5m that he had crowdfunded in an Initial Coin Offering (ICO). It was one of at least three attacks during the conference.

The investor requested anonymity, fearing that he’d be targeted again. He told Motherboard that the first indication of the swap came when he looked at his phone and found that it was dead. He knew what that meant, given that the day before, it had happened to a friend.

We were having a meeting and all of a sudden he says ‘f*ck, my phone just stopped working.’

Later in the day, the investor said that his friend texted him:

My f*cking SIM got hacked.

Court documents allege that Ortiz took control of the entrepreneur’s phone number, reset his Gmail password, and then gained access to his cryptocurrency accounts. Visiting the AT&T store to get his number back did no good. By then, it was too late.

Erin West, the Santa Clara County deputy district attorney, told Motherboard that many people are getting scammed by these SIM swappers, but not enough are coming forward to report it.… so please, if you’ve been scammed, she asked, DO REPORT IT:

This is happening in our community, and unfortunately, there are not a lot of complaints to law enforcement about it. We would welcome the opportunity to look into other complaints of this happening. We think that this is something that’s underreported and very dangerous.

Ortiz’s plea hearing is scheduled for 9 August. His bail has been set at $1m.

What to do?

Last year, we reported on the rising trend of fraudsters using SIM swaps to drain accounts. Fast-forward 14 months, and it doesn’t matter that they’re going after digital instead of nondigital currency: the precautions we can all take to avoid becoming victims stay the same.

Here they are again:

  • Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
  • Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a 87X4TNETENNBA.
  • Use an on-access (real time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s logon page, then springs into action to record what you type while you’re logging on. A good real time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
  • Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
  • Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of logon codes.

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realising it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

If in doubt, don’t give it out!