A Bitcoin (BTC) peer-to-peer exchange made on the HodlHodl platform went awry as a scammer appears to have used a SIM spoofing attack to make the seller believe he was about to receive the money.
The episode was reported on June 2 by a Reddit user going by the name of Gandeloft. According to the victim, he wanted to cash out his Bitcoin savings of 0.1747 BTC, worth $1677 as of press time. Through the HodlHodl platform, he found a merchant willing to offer 1650 Euro, or $1848, for the Bitcoins. This appears to have been higher than the going market rate at the time due to the sudden Bitcoin price slip, which saw it reverse the gains made less than 24 hours earlier.
The buyer offered to use the Revolut app to settle the trade, asking for the victim’s phone number to make the payment. The victim then received a realistic SMS that purportedly came from Revolut, saying that the transfer was pending, and would be cleared in a few hours due to “difference in locations.”
At first glance, the message came from the same identifier that sent two-factor authentication codes, making it appear genuine. While the user did not see the money on the Revolut app, the scammer then successfully pressured the victim into releasing his BTC from escrow.
The victim told Cointelegraph that Revolut confirmed that the SMS did not come from them, while the merchant platform HodlHodl refused to provide any additional data that could help catch the perpetrator. According to the victim, the platform replied by saying, "We do not provide any information about our users. You can contact your bank and find out all the details". In this case, however, no bank-traceable transactions actually occurred.
Cointelegraph requested comment from Revolut and HodlHodl, but did not immediately receive a response.
SIM-based attacks getting more common
Phishing attacks are generally easy to recognize, but the ability to spoof official addresses can give them added credibility. SIM spoofing is relatively easy to perform and very difficult to discover, though the specifics vary by country. The carriers are nevertheless able to understand the true origin of the spoofed SMS.
Mobile networks are also vulnerable to a more serious attack called SIM swapping. This can be done by tricking customer support into swapping phone numbers with a different provider, though there are several other methods.
Lending provider BlockFi recently suffered a data leak where an employee’s phone number was swapped to gain access to internal records.
Exchange users have also been targeted by such attacks through the years, with one high profile case resulting in the alleged loss of $24 million dollars through a SIM swap performed on the AT&T network.