Nine Men Accused of Stealing $2.5M in SIM Swapping Attacks

A fifteen-count indictment unsealed today by the U.S. Department of Justice charges six men who are part of a hacking group dubbed "The Community" with allegedly running a SIM swapping fraud that led to the theft of roughly $2.5M worth of cryptocurrency.

Three other individuals, employees of mobile phone providers who are suspected of taking part in the SIM swaps, have been charged in a criminal complaint with wire fraud linked to attacks carried out by "The Community."

The charges were announced in the Eastern District of Michigan by U.S. Attorney Matthew Schneider and Angie Salazar of U.S. Immigration and Customs Enforcement's (ICE) Homeland Security Investigations (HSI) Detroit office.

SIM swapping attacks (also known as SIM hijacking attacks) are identity theft attacks in which malicious actors take control of a target's mobile phone number by convincing the mobile phone service provider, through social engineering or with the help of a bribed employee, to move the number onto a SIM card the attackers control.

SIM swapping operations

The unsealed indictment charges the six members of "The Community" with conspiracy to commit wire fraud, wire fraud, and aggravated identity theft, and also claims that the accused used the victims' phone numbers to take control of their "email, cloud storage, and cryptocurrency exchange accounts."

As the San Francisco Division of the Federal Bureau of Investigation detailed in a SIM swapping alert issued two months ago, on March 6, 2019, criminals behind SIM hijacking attacks follow this procedure:

  • Identify the victim: Identify a victim likely to own a large amount of digital currency, particularly cryptocurrency. Identify the victim’s mobile telephone number and the mobile phone carrier.
  • Swap the SIM card: Socially engineer a customer service representative from the mobile phone company in order to port the victim’s phone number to a SIM card and phone in the control of the attackers.
  • Password resets: Initiate password resets on the victim’s email, cloud storage, and social media accounts (password resets usually accomplished by text messages to the victim’s telephone number).
  • Access accounts: Gain access to the victim’s accounts and identify digital currency keys, wallets, and accounts that may be stored in them. Defeat any SMS-based or mobile application-based two-factor authentication on any accounts with control of the victim’s phone number.
  • Steal currency: Transfer the digital currency out of the victim’s account into accounts controlled by the attackers.
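Every step of that chain after the first depends on the service trusting SMS sent to the victim's number. The following added example (not from the FBI alert or the indictment) shows the defender-side check an online service can apply: if the carrier reports that the number's SIM or port changed within an assumed 72-hour cooldown, SMS-dependent resets and 2FA are routed to a non-SMS verifier, and numbers whose post-swap activity follows the reset, 2FA, withdrawal sequence are flagged. All phone numbers, timestamps and the cooldown are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the indictment). A carrier or a carrier-lookup
# service would supply the last SIM/port change per number; the service's own
# logs supply the SMS-dependent recovery and 2FA requests.
SIM_CHANGES = {
    "+15550100": datetime(2019, 3, 6, 14, 2),   # number swapped today
    "+15550199": datetime(2019, 1, 10, 9, 0),   # swapped months ago
}

REQUESTS = [  # (timestamp, phone number, SMS-dependent action)
    (datetime(2019, 3, 6, 14, 40), "+15550100", "email_password_reset"),
    (datetime(2019, 3, 6, 14, 55), "+15550100", "exchange_sms_2fa"),
    (datetime(2019, 3, 6, 15, 10), "+15550100", "exchange_withdrawal"),
    (datetime(2019, 3, 7, 10, 0),  "+15550199", "email_password_reset"),
]

COOLDOWN = timedelta(hours=72)  # assumed policy: distrust SMS for 3 days after a swap
CHAIN = ["email_password_reset", "exchange_sms_2fa", "exchange_withdrawal"]


def sim_recently_changed(number, at, sim_changes=SIM_CHANGES, cooldown=COOLDOWN):
    """True if a SIM/port change for `number` was recorded within `cooldown` before `at`."""
    changed = sim_changes.get(number)
    return changed is not None and timedelta(0) <= at - changed <= cooldown


def gate(ts, number, action, sim_changes=SIM_CHANGES, cooldown=COOLDOWN):
    """Decide one request: 'step_up' sends it to a non-SMS verifier (hardware key,
    authenticator app or manual review) instead of texting a code to the number."""
    if sim_recently_changed(number, ts, sim_changes, cooldown):
        return "step_up"
    return "allow"


def triage(requests, sim_changes=SIM_CHANGES, cooldown=COOLDOWN):
    """Apply the gate to a request stream. Returns per-request decisions and the set
    of numbers whose post-swap actions follow the reset -> 2FA -> withdrawal chain."""
    decisions, per_number = [], {}
    for ts, number, action in sorted(requests):
        decision = gate(ts, number, action, sim_changes, cooldown)
        decisions.append((ts, number, action, decision))
        if decision == "step_up":
            per_number.setdefault(number, []).append(action)
    chained = {n for n, acts in per_number.items()
               if [a for a in acts if a in CHAIN] == CHAIN}
    return decisions, chained
```

Running `triage(REQUESTS)` steps up all three requests on the freshly swapped number and flags it as showing the full chain, while the months-old swap on the other number is allowed through.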

The SIM hijacking attacks

As described in the unsealed indictment, after successfully gaining access to their targets' various online accounts, "The Community" would purportedly "reset passwords on online accounts and/or request two-factor authentication (2FA) codes that allowed them to bypass security measures."

Once the group had access to the victims' cryptocurrency exchange accounts and wallets, they would purportedly funnel the funds to wallets controlled by "The Community."

"Mobile phones today are not only a means of communication but also a means of identification," said U.S. Attorney Matthew Schneider. "This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it."

The indictment also claims that the defendants carried out seven SIM hijacking attacks with the aid of the three charged mobile phone service provider employees, who allegedly helped "The Community" to "steal the identities of subscribers to their employers' services in exchange for bribes."

As the DoJ press release announcing the charges says:

If convicted on the charge of conspiracy to commit wire fraud, each defendant faces a statutory maximum penalty of 20 years in prison. The charges of wire fraud each carry a statutory maximum penalty of 20 years in prison. A conviction of aggravated identity theft in support of wire fraud carries a statutory maximum penalty of 2 years in prison to be served consecutively to any sentence imposed on the underlying count of wire fraud.

"The allegations against these defendants are the result of a complex cryptocurrency and identity theft investigation led by Homeland Security Investigations, which spanned two continents," stated Salazar. "Increasingly, criminal groups are turning exclusively to web-based schemes to further their illicit activities, which is why HSI has developed capabilities to meet these threats head on."

At the moment, all the defendants are presumed innocent; the government must prove them guilty of the charges laid out in the unsealed indictment and criminal complaints.
