SIM Swappers Swindle Millions — Biggest Criminal Threat in Crypto in 2019?


Cryptocurrency crime trends have been in the spotlight in recent weeks, but SIM swapping has been strangely absent in a number of reports on 2018.

Cryptocurrency analytics companies CipherTrace and Chainalysis released two different reports focusing on the major crime trends in the space in 2018. While their data and findings sum up the biggest threats of the last 12 months, they’ve omitted the prevalence of SIM swapping in recent times.

How it works

SIM swapping is a relatively simple concept to understand, but the potential damage that can be done to an individual is scary, to say the least.

Cointelegraph approached multinational cybersecurity and anti-virus company Kaspersky Labs to provide an accurate definition of how SIM swapping works and the various ways in which it is carried out.

Attackers obtain basic information about an individual, then use that to request that user’s phone number to be switched to a SIM card that the attackers own. Once that is done, the attacker is able to receive any SMS that the victim receives.

With that access, the attacker can then request passwords and other sensitive user data from various service providers — like banks — and gain access to private accounts.

Kaspersky Labs security researcher Alexey Malanov says the act of replacing SIM cards to access two-factor authentication (2FA) credentials has become prevalent:

“A typical scenario can look like this: an attacker arrives at a regional department of a communication provider — like a mobile operator — with forged documents that are supposed to prove a customer’s valid identity. Or, the attacker simply gets in close contact with an employee of the department and receives a duplicate of a victim’s SIM cards. The authentic SIM card in the victim’s phone turns off at that moment, so all subsequent SMS communications and phone calls are redirected to the attacker’s phone.”

Access to a user’s 2FA gives a hacker a massive advantage when it comes to accessing and changing account details, which eventually gives them access to data and funds.

Two-factor authentication is an added security measure to protect access to a service like a cryptocurrency wallet. Users are still required to know the password to an account and possess a device to prove their identity.

However, once a hacker has access to a user’s credentials through a SIM swap, they can access the second factor of authentication, being able to receive SMS codes of the original users phone. Therefore, hackers have a far greater chance of being able to reset passwords to accounts, as Malanov explains:

“If you have forgotten the password from the service, then you can often restore it using the same phone number to receive a text message. Sometimes additional knowledge is required (for example, a login or email address), but such information is often not strongly protected. That is why obtaining an unlocked phone from a victim, or at least access to receiving their SMS communications, will practically guarantee the success of the hack and a theft of funds.”

Sim-swapping — more powerful than phishing?

SIM swapping is not a new phenomenon, but given the technological advances of smartphones over the last decade, the information that can potentially be garnered by criminals using this method makes it a big threat to individuals and their privacy.

Modern times have seen the emergence of applications that allow people to access and manage their bank accounts and other sensitive financial information using smartphones and other devices.

While this has created a new age of convenience, it also provides a unique opportunity for criminals to steal data and money from people around the world with relative ease.

As Chainalysis reported, Ethereum scams were of particular concern over the last two years, and a major tool of the scam artists and criminals was phishing. Simply put, users were duped by emails or communications that looked official, which lead to them providing sensitive information like usernames and password.

This gives criminals access to their accounts, which are then emptied by these nefarious groups.

Given that attackers can get enough information about a user, they can convince a service provider to carry out a SIM swap, giving the attacker access a user’s SMS service.

Once they’ve done this, the battle is already won, as they can request one-time passwords and other services that give them access to the user’s accounts.

This modus operandi has traditionally targeted users’ bank accounts, but these financial institutions have made concerted efforts to double-down on security checks and verification. However, if a user’s funds are stolen, most financial institutions are able to roll back transactions or cover these circumstances with insurance protection.

This, unfortunately, is not the case when it comes to cryptocurrencies. If an attackers gains access to a user’s private key or cryptocurrency wallet and sends cryptocurrency to another wallet, it is impossible to roll back the transaction.

This is why cryptocurrency wallets and private keys are seemingly becoming a focal point for SIM-swapping attacks.

Crypto users in the crosshairs

One need look no further than the most recent SIM-swapping scandals in the crypto space to understand that this has become a lucrative way to steal and launder funds.

An in-depth report in November last year delved into the murky details of SIM swapping in the crypto community.

According to numerous sources, attackers make use of social engineering to trick or convince telecommunication employees to carry out these SIM swaps. In some instances, the attackers bribe or threaten employees, while other employees abuse their access to customer information and feed that to hackers for financial incentives.

Furthermore, cryptocurrency users are a preferred target due to the anonymous nature of the technology, which makes it easier to launder stolen funds. This has led to prominent people in the cryptocurrency space becoming targets of these attackers.

KrebsonSecurity’s interview with California-based law enforcement group Regional Enforcement Allied Computer Team (REACT) Task Force uncovers a number of instances in which active members of the crypto community have fallen prey, like Christian Ferri, CEO of cryptocurrency firm BlockStar.

Hackers managed to carry out a SIM swap through Ferri’s mobile operator, whose database they had access to. Once that was done, they reset his Gmail password with the use of his cellphone number — then specifically used information from a Google Document to steal funds from his crypto wallet. As KrebsonSecurity notes, the hackers could have stolen more, but they seemed to be targeting Ferri’s cryptocurrency holdings.

Catching perpetrators

SIM swappers have enjoyed relative success through their endeavors, but a swathe of arrests in 2018 highlighted the carelessness of a few young criminals.

July 2018 marks the first time someone was arrested for SIM swapping in the crypto space, as California police arrested 20-year-old Joe Ortiz, who had allegedly hacked around 40 victims. Ortiz and a group of still unidentified collaborators targeted users in the crypto space, hacking a number of victims at the Consensus conference in New York in May. The 20 year old pleaded guilty to theft amounting to $5 million and accepted a plea deal of 10 years in prison for his crimes at the end of January 2019 — in what authorities describe as the first conviction of a crime for SIM swapping.

Following that, 19-year-old Xzavyer Narvaez was arrested in California in August 2018 for using SIM swapping to commit computer crimes, identity fraud and grand theft. Narvaez was careless in his use of his ill-gotten gains, buying a number of sports cars over a two-year period, which formed part of the evidence authorities used to press charges. Furthermore, Narvaez’s cryptocurrency account processed around 157 Bitcoin between March and July 2018, valued at over $1 million dollars at the time.

Just a month later, in September 2018, 21-year-old hacker Nicholas Truglia was arrested for stealing $1 million worth of cryptocurrency by using a SIM swap to access the victim’s account.

In November 2018, two men — aged 23 and 21 — were arrested for stealing $14 million from a cryptocurrency company by using SIM swaps.

Following Ortiz’s prosecution in January 2019, 20-year-old Dawson Bakies was indicted in February for stealing the identities and funds of over 50 victims across the country in a SIM-swapping scandal orchestrated from his home. This was the first successful indictment of a criminal for using SIM swapping in New York.

Manhattan District Attorney Cyrus R. Vance said the case sends out a strong message to perpetrators of these crimes:

“Today my Office is putting the small handful of sophisticated ‘SIM Swappers’ out there on notice. We know what you’re doing, we know how to find you, and we will hold you criminally accountable, no matter where you are. We’re also asking wireless carriers to wake up to the new reality that by quickly porting SIMs — in order to ease new activations and provide speedy customer service — you are exposing unwitting, law-abiding customers to massive identity theft and fraud.”

On Feb. 4, California prosecutors indicted 21-year-old Ahmad Hared and 23-year-old Matthew Ditman with conspiracy to commit computer fraud and abuse, access device fraud, extortion and aggravated identity theft through the use of SIM swapping. The pair are accused of trying to gain access to funds controlled by executives of cryptocurrency-related companies and cryptocurrency investors. They face potential five-year jail sentences and hefty fines.

Should service providers share the blame?

An United States investor, Michael Terpin, who fell prey to a SIM swap carried out by Truglia, made a move in August 2018 that would look to hold telecom service providers accountable for negligence that led to fraudulent SIM swaps. Terpin filed a $224 million lawsuit against U.S. telecoms provider AT&T for negligence that led to the loss of around $24 million in cryptocurrency holdings. The victim is understood to be the co-founder of an angel group of Bitcoin investors known as BitAngels.

Terpin filed a 69-page report with the U.S. District Court in Los Angeles against AT&T because the $24 million theft was a result of the “digital identity theft” of his cell phone account. In the papers, Terpin accuses AT&T of cooperating with the hacker, gross negligence, violation of statutory duties and breaking the commitments of its privacy policy.

The victim described the telecom company’s behavior “like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.” Terpin is looking for $24 million in compensation from AT&T, as well as $200 million in punitive damages.

In January 2019, Terpin also set his sights on Truglia, whom his legal team has identified as the primary suspect in the SIM swap. Truglia and a group of accomplices are alleged to have carried out the SIM swap that led to the theft of $24 million worth of cryptocurrencies.

Combatting SIM swapping

The prevalence of SIM swapping and the amount of media coverage on the subject has made many people aware of the threat this poses to their privacy, data and financial assets. Nevertheless, knowledge of the subject can only do so much to stem the amount of these crimes being carried out.

As Malanov tells Cointelegraph, the onus is primarily on mobile operators and banks to protect the credentials of their users and clients. He suggests that, should a SIM be swapped by an operator, all SMS communications should be blocked for a short period of time to protect the user, as is done by all mobile operators in Russia:

“This is a very inconvenient procedure for honest authentic users, but also a very effective one. Once a SIM card is replaced with a new one, as a rule, one cannot receive sms for a while, which can be uncomfortable. However, such action gives users time to inform their mobile operator in case they did not request to replace the SIM card. This measure is currently used by all major mobile operators in the Russian Federation.”

Furthermore, telecom companies should implement strict identity checks, and request users to confirm certain details and information before a SIM swap is carried out.

The banking sector can also play a part in the prevention of theft and fraud through SIM swapping. According to

Malanov, banks are able to notice the change of a SIM card ID, and can refuse to send an SMS with a code until a user undergoes certain security checks, such as voice analysis, password or code confirmation, and other information.  The security researcher also notes the power of anti-fraud systems used by banks, which analyses customer behavior through mobile or bankings apps:

“It is very important to analyze transactions. Obviously, the withdrawal of any amounts of money — large or small — that are unrelated to the customer’s regular account behavior is extremely suspicious and such activities should be stopped regardless of any fraudulent activity surrounding the customer’s SIM cards or passwords.”

Conventional institutions have a big role to play when it comes to combating SIM-swapping crimes. However, the cryptocurrency space provides a unique challenge that requires individuals to take great care of their information and data.

Malanov highlights this fact, given the decentralized and trustless nature of cryptocurrencies, and the lack of stricter security measures offered by some cryptocurrency exchanges and wallet services:

“Cryptocurrency is unique when it comes to security procedures. As a rule of thumb, prevention and protection measures used by banks are not used by exchanges and online wallets. This is not only due to the lower maturity of cryptocurrency organizations in comparison with banks, but also the ideology of cryptocurrencies. For instance, the owner of cryptocurrency (the one who has access to a private key) is entitled to make any transfers without restrictions from anti fraud systems. Another complication is that cryptocurrency transfers cannot be cancelled, disputed, reimbursed or blocked. What is stolen will remain stolen.”