On November 7, a security news and investigation blog KrebsOnSecurity published an interview with REACT Task Force, a California-based law enforcement group dedicated to fighting cybercrime.
As per the article, members of REACT consider “SIM swapping” one of its “highest priorities” in a bid to fight cryptocurrency fraud. Here is how fraudsters use 99 cent SIM cards bought off eBay to steal millions worth of crypto with just one call.
“SIM swapping”: what is it?
SIM swapping is the process of making a telecom provider like, say, T-Mobile, transfer the victim’s phone number to a SIM card held by the attacker — usually bought off of eBay and plugged into a “burner” phone, as Samy Tarazi, a sergeant at the Santa Clara County Sheriff’s office and a REACT supervisor, told KrebsOnSecurity:
“We’re talking about kids aged mainly between 19 and 22 being able to steal millions of dollars in cryptocurrencies [...] we’re now dealing with someone who buys a 99 cent SIM card off eBay, plugs it into a cheap burner phone, makes a call and steals millions of dollars. That’s pretty remarkable.”
According to the Motherboard investigation, SIM swapping “is relatively easy to pull off and has become widespread.” It also suggested that “hundreds of people across the US have had their cell phone number hijacked in this so-called ‘Port Out Scam.’”
Indeed, in California, where the REACT team is based, SIM swapping appears to be a new craze among crypto fraudsters. Tarazi told KrebsonSecurity:
“It’s probably REACT’s highest priority at the moment, given that SIM swapping is actively happening to someone probably even as we speak right now.”
He added, however, that “there are only a few dozen individuals” responsible for committing those crimes:
“For the amounts being stolen and the number of people being successful at taking it, the numbers are probably historic.”
So how exactly does having access to someone’s phone number help to steal crypto?
Once the hackers get access to the victim’s phone number, they use it to reset his or her passwords and break into their accounts, including email and accounts on cryptocurrency exchanges. Consequently, they get access to crypto funds stored on hot wallets.
The tactics employed by criminals to perform SIM swapping may vary. As per Motherboard, fraudsters often use the so-called “plugs”: telecom company insiders who get paid to do illegal swaps. An anonymous SIM hijacker told the publication:
“Everyone uses them […] When you tell someone [who works at a telecoms company] they can make money, they do it.”
A different anonymous source a the telecom provider Verizon told Motherboard that he had been approached via Reddit, where he was offered bribes in exchange for SIM swaps. Similarly, a T-mobile store manager was reportedly messaged by fraudsters on Instagram after posting a picture of himself and tagging it #T-mobile. He was told that he could make up to $1,000 per week for transferring customers’ phone numbers on new SIM cards.
Another Verizon employee claimed that the hacker, who also found him on Reddit, promised that they would make “$100,000 in a few months” if he would cooperate — all he had to do is “either activate the SIM cards for [the hacker] when [he was] at work or give [the attacker his] Employee ID and PIN.”
Indeed, Caleb Tuttle, a detective at the Santa Clara County District Attorney’s office, highlighted three common SIM swapping scenarios in an interview with KrebsOnSecurity:
- The attacker bribes or threatens a mobile store employee into assisting in the crime;
- Current and/or former mobile store employees intentionally abuse their access to customer data;
- Mobile store employees trick unsuspecting associates at other branches into swapping a victim’s existing SIM card with a new one.
SIM-swapping allows thieves to bypass even two-factor authentication, especially if it involves SMS backup, as Wired points out. Detective Tuttle’s comment for KrebsOnSecurity seems to confirm this: he advises people to use something other than text messages for two-factor authentication on their email accounts. Specifically, he mentions the Authy mobile app or Google Authenticator as possible alternatives:
“Let’s say I have a Coinbase account and I have it set up to require a password and a one-time code generated by Authy, but my Gmail account tied to that Coinbase account doesn’t use Authy and just uses SMS for two-factor. Once I SIM swap that person, I can often also use that access to [request a link via text message] to reset his Gmail password, and then set up Authy on the Gmail account using my device. Now I have access to your Coinbase account and can effectively lock you out of both.”
Sergeant Tarazi also urges the public to recognize the potential danger of SMS-based two-factor authentication, although it has become a common security solution for online services.
“[...] most people who aren’t following the SIM swapping problem have no idea their phone and associated accounts can be taken over so easily. [...] In this case, the victim didn’t download malware or fall for some stupid phishing email. They just end up getting compromised because they followed the industry standard.”
Who are the targets?
People who are active in the cryptocurrency community, mostly: they might work at cryptocurrency-related startups, participate as speakers at blockchain conferences, or discuss their crypto investments on social media.
REACT Lieutenant John Rose explains that it is much easier and safer for SIM swappers to steal crypto funds alone, even if they discover passwords for traditional bank accounts during the hack:
“Many SIM swap victims are understandably very scared at how much of their personal information has been exposed when these attacks occur. But [the attackers] are predominantly interested in targeting cryptocurrencies for the ease with which these funds can be laundered through online exchanges, and because the transactions can’t be reversed.”
The REACT team has participated in several cases involving SIM swapping at this point.
For instance, in early July 2018, Christian Ferri, CEO of San Francisco-based cryptocurrency firm BlockStar was hacked and reportedly lost $100,000 worth of cryptocurrencies as a result of SIM swap, according to KrebsOnSecurity.
Ferri was on a trip in Europe when he found out that his T-Mobile phone no longer had service — the hackers had allegedly broken into T-Mobile’s customer database and deactivated the SIM card in his phone. Instead, they activated a new one, which was plugged into their own device.
The thieves used control over his mobile number to change his Gmail account password. Then, they accessed a Google Drive document with Ferri’s credentials to other sites, including a cryptocurrency exchange. Despite having the possibility to steal more funds from Ferri, the thieves only targeted his crypto savings.
Interestingly, Ferri told KrebsOnSecurity that when he reached out to T-Mobile about the attack, the company informed him that the criminal had entered a T-Mobile store and showed a fake ID in Ferri’s name.
However, when the REACT team studied video surveillance footage from the date and time of his SIM swap, it allegedly showed no evidence of anyone entering the store to present a fake ID. Ferri argues that the T-Mobile's explanation of the incident “was a misunderstanding at best, and more likely a cover-up at some level.”
Police step in: arrests are being made
The first reported case against someone who allegedly used SIM swapping surfaced in late July 2018, when California police arrested a 20-year-old Joe Ortiz, who reportedly hacked around 40 victims with the help of still unidentified collaborators.
As Motherboard points out, Ortiz and his associates “specifically targeted people involved in the world of cryptocurrency and blockchain,” allegedly hacking several people during the Consensus conference in New York in May.
The hacker is now facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him. Ortiz has reportedly told investigators that he and his “co-conspirators” have access to “millions of dollars in cryptocurrency,” as per the statement filed in court by the chief investigator.
Next month, in August, police in California arrested another alleged SIM swapper, a 19-year old
Xzavyer Narvaez. Narvaez is accused of seven counts of computer crimes, identity fraud, and grand theft, according to the complaint.
Before getting arrested, Narvaez reportedly managed to spend some of the stolen Bitcoin on sports cars. After studying DMV records, the police found that he bought a 2018 McLaren paying partly in Bitcoin and partly by trading-in a 2012 Audi R8, which Narvaez purchased with Bitcoin in June 2017.
According to court documents, the law enforcement also obtained data from Bitcoin payment provider BitPay, and cryptocurrency exchanges Bittrex. It revealed that between March 12, and July 12 of 2018, Narvaez’s account had managed 157 Bitcoin (now worth about $1 million).
A separate investigation overseen by REACT resulted in two men getting arrested in Oklahoma. Fletcher Robert Childers, 23, and Joseph Harris, 21, were accused of stealing $14 million from a San Jose-headquartered cryptocurrency company Crowd Machine via SIM swaps.
As per Etherscan, around 1 billion tokens were transferred from Crowd Machine wallet to exchanges on September 22 — and the token price tanked, losing around 87% of its price over the night, as data obtained from CoinMarketCap.com shows.
Crowd Machine Founder and CEO Craig Sproule confirmed that the hack took place and two suspects were arrested to Oklahoma News 4, but declined to provide any additional details to the media, citing the ongoing investigation.
Special Agent in Charge, Ken Valentine, provided more details regarding the incident, discussing the nature of SIM swaps:
"If (a suspect) targeted the right person who has the cryptocurrency on that phone, well then you have immediate access to that. With two-factor authentication they have the account number for the cryptocurrency and can receive authentication messages on the swapped cell phone.”
“Like a hotel giving a thief with a fake ID a room key:” Legal precedent in SIM swapping
In a separate high profile SIM swapping case, on August 15, Puerto Rico-based entrepreneur and CEO of TransformGroup, Michael Terpin, filed a $224 million lawsuit against AT&T. He believes that the telecom giant had provided hackers with access to his phone number, which led to a major crypto heist. That could be a legal precedent for SIM swapping, where the victim sues their telecom provider for allowing hackers to take over their phone number.
Terpin claims that he lost $24 million worth of cryptocurrencies as a result of two hacks that occured over the course of seven months: The 69-page complaint mentions two seperate episodes, dated June 11, 2017 and Jan. 7, 2018. In both cases, as per the document, AT&T, failed to protect Terpin’s digital identity.
First, in the summer of 2017, the entrepreneur found out that his AT&T number had been hacked when his phone suddenly went dead, according to the complaint. He then learned from AT&T that his password had been changed remotely “after 11 attempts in AT&T stores had failed.”
After gaining access to Terpin’s phone, the attackers used his personal information to break into his accounts that use telephone numbers as a means of verification, including his “cryptocurrency accounts.” The hackers also reportedly hijacked Terpin’s Skype account to impersonate him and convince one of his clients to send them cryptocurrency.
AT&T reportedly cut off access to the hackers only after they managed to steal “substantial funds” from Terpin. The document also states that after the incident, on June 13, 2017, Terpin met with AT&T representatives to discuss the attack and was promised that his account would be moved to a “higher security level” with “special protection.”
Nevertheless, half a year later, on Jan. 7, 2018, Terpin’s phone reportedly turned off again because of another attack. The complaint claims that “an employee in an AT&T store cooperated with an imposter committing SIM swap fraud,” despite extra security measures being taken back in June 2017.
The thieves allegedly stole about $24 million worth of cryptocurrency during the second attack, even though he tried to contact AT&T “instantly” after his phone stopped working. AT&T allegedly “ignored” his request. The plaintiff complaint argues that Terpin’s wife also tried calling AT&T at the time, but was put on “endless hold” when she asked to be connected to AT&T’s fraud department.
"What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner," the complaint stated, emphasizing the potential scale of port out scams, as well as telecom providers’ responsibility.
“AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud.”
Meanwhile, law enforcement has started paying extra attention to SIM swapping, as above mentioned incidents in California show. REACT commander John Rose ambitiously stated:
“REACT isn’t going to stop the SIM swapping investigation until SIM swapping stops. If it’s gonna take us arresting every SIM swapper in United States.”