Authorities bust SIM-swap ring they say took millions from the rich and famous

Small electronic devices spread across a faux wood surface.

Enlarge / Close-up photograph of a SIM card, a SIM-card replacement, and a smartphone.

reader comments

87 with 61 posters participating, including story author

Ten people have been arrested in connection with a series of SIM-swapping attacks that reaped more than $100 million by taking over the mobile phone accounts of high-profile individuals, authorities said on Wednesday.

SIM-swapping is a crime that involves replacing a target’s legitimate SIM card with one belonging to the attacker. The attacker then initiates password resets for accounts for email, cryptocurrency holdings, and other important resources. With control over the target’s mobile phone, the attacker responds to text messages the account providers send to complete the password reset.

The account hijacking typically occurs with either the help of a malicious employee who works for the mobile carrier, or with the help of an attacker posing as the rightful account owner and asking for a new card.

Targeting the rich and famous

Authorities in Europe said that the suspects were part of a network that carried out SIM-swapping attacks throughout last year against high-profile individuals, including sports stars, musicians, Internet influencers, and their families.

After taking over the accounts, the attackers allegedly stole victims’ money, cryptocurrency, and personal information, including contacts. The attackers also allegedly hijacked social media accounts and posted content and messages that masqueraded as the victims. Cryptocurrency losses exceeded $100 million, authorities with Europol said.

Ten hackers arrested for a string of SIM-swapping attacks against celebrities.

Eight suspects, ages 18 to 26, were arrested in the UK on Tuesday. The action followed earlier arrests of two other suspects, located in Malta and Belgium. Press releases here and here from Europol and the UK’s National Crime Agency, respectively, didn’t name the suspects or say if any had entered a plea.

netted $5 million in cryptocurrency. Later that year, an AT&T subscriber sued the mobile carrier on allegations its employees helped hackers perform SIM-swap attacks that robbed the plaintiff of $1.8 million worth of cryptocurrency. Last March, European authorities announced the arrests of 12 individuals alleged to have been part of a SIM-swapping ring that stole more than $4 million.

The arrests are the result of a partnership of law enforcement agencies from the NCA, US Secret Service, Homeland Security Investigations, the FBI, and the Santa Clara California District Attorney’s Office. Investigators notified victims when they were targeted, and when possible did so prior to a SIM swap being successful. The victims then had the opportunity to prevent the attack from working.

Europol provided the following advice for avoiding SIM-swapping attacks:

  • Use two-factor authenticator apps rather than having an authentication code sent over SMS
  • When possible, do not associate a mobile phone number with sensitive online accounts
  • Keep device software up to date
  • Don’t reply to suspicious emails or engage over the phone with callers who request personal information
  • Limit the amount of personal data shared online

Two other precautions include:

  • Ensure the security PIN or password for the mobile account is as strong as it can be. Many PINs by default have four digits but can optionally be made longer
  • Ask the mobile carrier to put your account on any type of high security setting available. This may be include an option that requires SIM changes to be made in person or to require a dedicated password or PIN.
Article Categories: