Hacking gang stole millions in cryptocurrency via SIM swaps

Six people have been indicted for allegedly being SIM card swappers who stole victims’ identities and their cryptocurrency, and three mobile phone company employees have been indicted for allegedly accepting bribes to help them steal subscribers’ identities.

On Thursday, federal prosecutors in the US Attorney’s Office for the Eastern District of Michigan said that the six alleged hackers are part of a hacking gang called “The Community.” The gang allegedly carried out seven attacks that netted a cryptocurrency haul valued at more than US $2.4 million.

The unsealed indictment charges Conor Freeman, 20, of Dublin, Ireland; Ricky Handschumacher, 25, of Pasco County, Florida; Colton Jurisic, 20, of Dubuque, Iowa; Reyad Gafar Abbas, 19, of Rochester, New York; Garrett Endicott, 21, of Warrensburg, Missouri; and Ryan Stevenson, 26, of West Haven, Connecticut, with conspiracy to commit wire fraud, wire fraud and aggravated identity theft.

How the crooks swing a SIM swap

As we’ve explained, SIM swaps work because your phone number is tied not to the handset but to the SIM card inside it. SIM is short for subscriber identity module, a small smart card that securely stores a subscriber identifier and the cryptographic key used to authenticate to the mobile network; it is your carrier’s records that map that identity to your phone number, so whoever holds the SIM the carrier currently associates with your number effectively holds your number.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number …and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.

Prosecutors allege that The Community got control of victims’ mobile phone numbers and intercepted phone calls and text messages. They often purchased help by bribing an employee of a mobile phone provider. Other times, they used social engineering: contacting a mobile phone provider’s customer service; posing as the victim; and sweet-talking their way into having the victim’s phone number swapped to a SIM card in one of their own mobile devices.

Prosecutors also allege that The Community bribed the other three people charged in the indictment, who are all employees at mobile phone service companies – Jarratt White, 22, of Tucson, Arizona; Robert Jack, 22, of Tucson, Arizona; and Fendley Joseph, 28, of Murrietta, California. The three allegedly helped the hackers steal subscribers’ identities.

The indictment claims that once the gang had control of a victim’s phone number, they’d use it as a gateway to gain control of online services such as email, cloud storage, and cryptocurrency exchange accounts.

The Community gang members allegedly tried to hijack victims’ cryptocurrency wallets or online cryptocurrency exchange accounts so as to clean them out of funds. The indictment alleges that the defendants executed seven attacks that resulted in the theft of cryptocurrency valued at $2,416,352.

If convicted of conspiracy to commit wire fraud, each defendant faces a statutory maximum penalty of 20 years in prison. The charges of wire fraud each carry a statutory maximum penalty of 20 years, while the aggravated identity theft in support of wire fraud charge carries a statutory maximum penalty of 2 years in prison to be served consecutively to any sentence imposed on the underlying count of wire fraud. Maximum sentences are rarely handed out, however.

A rising trend

The past few years have seen many examples of fraudsters using SIM swaps to drain accounts.

A steady drip of them have been arrested for going after cryptocurrency in particular: in March, Joel Ortiz, a 20-year-old SIM-swap scammer accused of stealing $5 million in Bitcoin, copped a plea and was sentenced to 10 years in prison.

Over the last 18 months or so, we’ve also seen SIM swappers arrested for hijacking phone numbers and using them to access emails, social media accounts, and online Bitcoin wallets. In August 2018, 19-year-old Xzavyer Narvaez, described as one of the “best” SIM swappers out there, was accused of stealing around $1 million in Bitcoin. He used the loot to buy fancy sports cars.

Nicholas Truglia, 21, was also accused of stealing millions in Bitcoin last year. Part of that was $1 million that a Silicon Valley dad had put aside for his daughter’s college fund.

Yet another 21-year-old, Joseph Harris, was arrested in September for allegedly stealing more than $14 million in cryptocurrency.

What to do?

Whether they’re breaking into regular old bank accounts or Bitcoin accounts, the crime is obviously extremely costly for the victims, who watch helplessly as their accounts drain. The growing tide of incidents means that Naked Security has found itself handing out advice on how to protect yourself from SIM hijacks a regrettable number of times.

The indictment announced on Thursday presents yet another one of those times.

So, once again, here are those tips:

  • Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
  • Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a 87X4TNETENNBA.
  • Use an on-access (real-time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s login page, then springs into action to record what you type while you’re logging on. A good real-time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
  • Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
  • Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. App-generated codes are computed on your phone from a secret shared with the service when you enrolled, so they are never sent over the mobile network and taking over your phone number doesn’t expose them. To get at them, the crooks would have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of login codes.

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realizing it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.