Ten people have been arrested in connection with a series of SIM-swapping attacks that raised more than $100 million by taking over the cell phone accounts of high-profile individuals, authorities said on Wednesday.
SIM swapping is a crime where a target’s legitimate SIM card is replaced with one of the attacker’s. The attacker then initiates password resets for email accounts, cryptocurrency holdings, and other key resources. With control of the target’s cell phone, the attacker responds to text messages sent by the account providers to complete the password reset.
The account hijacking usually happens with the help of a malicious employee working for the mobile operator, or with the help of an attacker impersonating the rightful account owner and requesting a new card.
Aimed at the rich and famous
Authorities in Europe said the suspects were part of a network that last year carried out SIM-swapping attacks against prominent individuals, including sports stars, musicians, internet influencers and their families.
After taking over the accounts, the attackers allegedly stole money, cryptocurrency and personal information from the victims, including contacts. The attackers also allegedly hijacked social media accounts and posted content and messages masquerading as victims. Cryptocurrency losses exceeded $100 million, authorities at Europol said.
Eight suspects between the ages of 18 and 26 were arrested in the United Kingdom on Tuesday. The action followed earlier arrests of two other suspects, based in Malta and Belgium. Press releases here and here respectively from Europol and the UK’s National Crime Agency did not name the suspects or say if anyone had made a plea.
“Sim swapping requires significant organization through a network of cybercriminals, each committing different types of crime to achieve the desired outcome,” said Paul Creffield, chief of operations at the NCA’s National Cyber Crime Unit. “This network targeted a large number of victims in the US and regularly attacked those they believed would be lucrative targets, such as famous sports stars and musicians.”
SIM swapping has grown into a major criminal enterprise in recent years, fueled largely by the rise of cryptocurrency accounts that can hold millions of dollars in digital coins. In early 2019, a Massachusetts man pleaded guilty to a SIM swap attack that yielded $5 million in cryptocurrency. Later that year, an AT&T subscriber sued the wireless carrier, alleging that its employees helped hackers carry out SIM swap attacks that robbed the plaintiff of $1.8 million in cryptocurrency. Last March, European authorities announced the arrests of 12 people alleged to have been part of a SIM-swapping ring that stole more than $4 million.
The arrests are the result of a collaboration between law enforcement agencies from the NCA, the United States Secret Service, Homeland Security Investigations, the FBI and the Santa Clara California District Attorney’s Office. Investigators informed victims when they were targeted, and if possible before a SIM swap was successful. The victims then had the option of preventing the attack from working.
Europol gave the following advice to prevent SIM swapping attacks:
- Use two-factor authentication apps instead of having an authentication code sent via SMS
- If possible, do not associate a mobile phone number with sensitive online accounts
- Keep device software up to date
- Do not respond to suspicious emails or contact callers asking for personal information by phone
- Limit the amount of personal data shared online
Two other precautions are:
- Make sure the security PIN or password for the mobile account is as strong as possible. Many PINs have four digits by default, but can optionally be made longer
- Ask the mobile operator to set your account to any type of high security setting available. This may be an option where SIM changes must be made in person or require a special password or PIN.