In the U.S. alone, SIM-swapping attacks resulted in $72 million worth of losses last year, four-million dollars more than 2021, according to the Federal Bureau of Investigation. In a 2022 public service announcement, the FBI defined SIM swapping as a โmalicious technique where criminal actors target mobile carriers to gain access to victims’ bank accounts, virtual currency accounts, and other sensitive information.โ
The PSA noted that threat actors โprimarily conduct SIM swap schemes using social engineering, insider threat, or phishing techniques.โ Threat actors execute their SIM swap attacks via social-engineering ruses, where they impersonate authorized mobile-carrier account holders and dupe customer service representatives into โswitching the victim’s mobile number to a SIM card in the criminal’s possession,โ according to the PSA.
Even more troubling are insider-threat scenarios. In these cases, mobile carrier employees function as co-conspirators, facilitating thievesโ access to the customer accounts they are targeting in exchange for the cut of the action. These malicious insiders are often recruited on Dark Web cybercriminal forums and on Telegram.
Meanwhile, threat actors also direct phishing attacks on mobile-carrier employees. Attackers obtain employeesโ contact details and send them emails or texts impersonating their trusted network of friends, business colleagues, or vendor relationships. These malicious communications are trip-wired with a malware payload that attackers use to โhack mobile carrier systems that carry out SIM swaps,โ according to the FBI.
After attackers have successfully swapped their victims SIM card, they redirect all calls and texts and other data to their devices. This rerouting of communications enables attackers to send โForgot Password’ or ‘Account Recovery’ requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number,โ notes the PSA.
From here, threat actors exploit their newfound control over victimsโ two-factor authentication (2FA) portals to take over financial and other accounts of interest, resetting account login credentials to lock authorized users out of the online services they use. Over the last few years, cryptocurrency investors have been hyper-targeted by SIM swap attackers.
A recent Forbes article ย describes one such case where Bart Stephens, a cofounder and managing founder of crypto fund Blockchain Capital, fell victim to a SIM-swapping attack that resulted in the theft of โ$6.3 million of bitcoin, ether and other cryptocurrencies from his digital wallets.โ Stephens has filed a lawsuit against the SIM swapper, who is only identified as โJane Doeโ in the court filing, in an effort to recover his stolen digital assets.
The Dark Web & Telegram are Staging Points for SIM Swap Heists
Stephensโs lawsuit, filed in Northern District of California this past August, alleges that the attacker โused personal information available online and on the dark web to bypass security checks with his cellular network provider and change account passwords in May,โ per Forbes reporting. After taking over his mobile-carrier account, the attacker ordered a new cell phone and โported Stephenโs private cell number to a SIM in the new device,โ Forbes wrote.
In the Dark Web forum posts below, two threat actors target Coinbase customers specifically.
This crime is becoming increasingly more accessible to young amateurs, as some threat actors even publish and productize full-fledged SIM swapping guides on the Dark Web and Telegram.ย
Stephensโs lawsuit highlights the prominence of the underground cybercriminal ecosystem as a staging point for the commission of SIM swapping crimes. A recent article published in 404 Media explains how this ecosystem works by spotlighting the digital exploits of ACG, โa group of alleged hackers who the FBI says are responsible for a wave of Bitcoin thefts and other crimes,โ according to the story.
ACG, which counts around six members, โare a 21st century version of bank robbers. Instead of a gang lifting physical cash from a vault, these opportunists work together to quickly take over a targetโs phone number, intercept their login codes, then pilfer any cryptocurrency they own before the victim has much of a chance to react at all,โ according to the 404 Media story.
As the story notes, ACG is a subset of โThe Comm,โ a โnebulous networkโ that includes thousands of โhackers, gamers, and young girlsโ who correspond across roughly 100 Telegram channels and Discord servers, most of which are fraud focused. Most members of this ecosystem are older teenagers and early 20somethings.
More experienced cybercriminal members of the Comm also network on the Dark Web, selling access or recruiting team members and money mules on hacker forums like XSS, Exploit, Russian Anonymous Marketplace (RAMP), Breach Forums, and Dread.
But accomplished cybercriminals can also be found coordinating SIM swap attacks and conducting other illegal business in some of the Commโs more prolific fraud-oriented Telegram groups. Cryptosec learned from cybercriminal sources that some of the Commโs favored community resources for SIM swapping include the following Telegram channels: Sim Swamp, Sim Kitties, Omerta, Star Fraud, and others.
The above are Telegram groups where experienced and budding SIM swappers, and other cybercriminals network, looking for new scams and other cybercriminals to partner with.
When it comes to SIM swapping, the theme of partnership is key to understanding this attack typology. More lucrative heists are rarely the work of lone wolves. As the 404 Media story analogized, โEveryone in a bank job has a specific role. A SIM swapping gang is no different.โ
Anatomy of Heist
These thefts begin with a โSearcher, who breaks into a personโs email account, perhaps by using software to churn through a mass of potential passwords or buying the login credentials from another hacker,โ according to a 404 Media reporting. Logs are increasingly being obtained by initial access brokers (IABs) on the Dark Web who acquire these credentials via the mass-infection of devices with information stealers (info- stealers). ย
A recent research report authored by Israeli threat intelligence company Hudson Rock noted that info-stealers acquire the following data from infected devices:
- Credentials: Info-stealers collect login links, usernames, and passwords stored in browsers like Google Chrome.
- Cookies
- Documents and text files: Info-stealers know to discover and target high-risk ones with financial information, corporate data, secret keys, 2FA backup codes, server passwords, crypto private keys, etc.
- Machine-specific properties
More advanced versions of these trojans are capable of bypassing latest-edition anti-virus (AV) software, according to Hudson Rock research. People typically become infected with info-stealers after downloading pirated software that is laced with the trojan, according to Hudson Rock. One info-stealer that is particularly popular among the cybercriminal elite is Raccoon.
On August 14, following a six-month absence, the developers of this info-stealer announced the release of the Raccoon version 2.3.0 across multiple cybercriminal forums.
In the post below, threat actor โchurkโ solicits access to logs for American Coinbase and Kraken customers.
Other Searchers, like the Canadian scammer โYahya,โ who was recently exposed by blockchain investigator ZachXBT, apparently had access to a compromised Twitter (now X) admin panel that allowed him to micro-target users who were more likely to possess large sums of crypto.
Once Searchers compromise a victimโs account, they scour the inbox, looking for indicators that their target owns significant amounts of crypto, per the 404 Media report. Some markers that Searchers look out for include emails displaying the victimโs Bitcoin balance, a receipt from when the person previously liquidated their crypto, or โanything that would signal this target is worth pushing to the next step,โ according to the 404 Media report.ย
โOnce the Searcher gets a hit, they prepare to cover the gangโs tracks. They configure the inbox to hide incoming emails from the targetโs Bitcoin exchange,โ noted the 404 Media story. This step is analogous to knocking out the security cameras.
Searchers take this measure to set the stage for the next phases of the heist when their co-conspirators swap the targetโs SIM and access the victimโs crypto account. Now, if the crypto exchange detects an unusual login or transaction activity, all correspondence will be hidden from the victim.
In the next phase of the attack, the social engineering ruse, the โCaller steps in,โ noted 404 Media. โThis person is the sweetalker, the one who is going to trick the bank employees to let them into the vault,โ according to 404 Media. In this case, the vault is the victimโs mobile carrier account. Meanwhile the mark, or the immediate target of the social engineering attack, is the telecom providerโs customer support representative.
The Caller impersonates the crypto-account holder they are targeting and feign a variety of different scenarios. Some common ruses noted by the 404 Media report include: โIโve lost my phoneโ or โI need to transfer my number to a new one.โ Of course, these sweet talkers are often armed with a war chest of personally identifying information (PII) about their target like their birthdate, address, social security number, and more. This enhanced level of preparation makes social engineering attacks that much more convincing.
Once the Caller dupes the telecom providerโs customer service rep into porting the number to one in the gangโs control, the SIM swap is complete. Now, the actual crypto heist begins, as the โHolder,โ or the gang member who actually has control over the SIM-swapped phone, receives the 2FA codes from the exchange, according to 404 Media.ย ย ย
โThe Holder then relays those codes back to the Searcher, who has since moved on to a more aggressive role. They finally enter the targetโs cryptocurrency accounts, and start filling their duffel bagsโ with crypto, noted 404 Media. The Searcher transfers crypto from the victimโs exchange account to wallets the gang controls, while the Holder continues to relay 2FA authorization codes back to them from the SIM-swapped phone.
From there, more sophisticated SIM-swap gangs can launder their funds through a variety of methods, including mixing (blending), chain-hopping across different cryptocurrencies, and chain-peeling their scores across a long and labyrinthine series of smaller transactions. However, some ACG members and many other threat actors are apparently lacking in operational security (OpSec).
As Joseph Cox, the author of the 404 Media article noted in the comments section of his story, โIt’s so funny that even with a bunch of bitcoin tracing tools available, they don’t even come up in the court records. Who needs them when hackers are using phones in their own names.โ
Takeaways
As the 404 Media illustrated, modern, high-stakes SIM-swapping is increasingly taking the form of an organized conspiracy, with multiple threat actors operating as a gang to perform their frauds. The Dark Web and Telegram offer individual SIM swappers and organized SIM swap gangs a plethora of resources to recruit co-conspirators and target victims.
The most concerning aspect of this attack typology is the prevalence of malicious telecom insiders who are willfully complicit in the illegal transfer of authorized mobile accounts to bad actors. The aggressive resurgence of SIM swapping also illustrates the rise of a new generation of cybercriminals and fraudsters, predominantly in the West, who are loosely networked via the underground Comm ecosystem.
Comm-nexus threat actors, which Microsoft has dubbed โOcto Tempest,โ were even reportedly involved in the multi-decamillion-dollar ransomware attacks that struck Caesars Entertainment and MGM Resorts International. Cybersecurity company Morphisec believes that Octo Tempest threat actors initiated their ransomware attack against MGM by first phishing an admin employee via SMS messaging.
This initial compromise enabled Octo Tempest to SIM swap the admin, which allowed them to gain access to MGMโs cloud environment and deploy a strain of ALPHV ransomware. As Microsoft noted in a recent research report, the group became an ALPHV affiliate in June. Microsoft said ALPHVโs acceptance of Octo Tempest is โnotable in that, historically, Eastern European ransomware groups refused to do business with native English-speaking criminals.โ
Microsoft said that โOcto Tempest leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion.โ Research into this group, which โoverlaps with research associated with 0ktapus, Scattered Spider, and UNC3944, was initially seen in early 2022, targeting mobile telecommunications and business process outsourcing organizations to initiateโ SIM swaps, according to Microsoft.
Initially, Microsoft said that Octo Tempest monetized their intrusions by โselling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.โ However, this group has evolved from basic SIM swap attacks to staging $15-million-and-up ransomware heists against major gaming companies. The group has thus emerged as โone of the most dangerous financial criminal groups,โ cautions Microsoft.
The rise of Octo Tempest illustrates that SIM swap threat actors are becoming increasingly more sophisticated. To protect themselves from SIM swappers, digital-asset investors and users should do the following according to the 2022 FBI advisory:
- Do not advertise information about cryptocurrency assets on social media or forums.
- Do not provide your mobile number account information over the phone to representatives that request your account password or pin.
- Avoid posting personal information online, such as mobile phone number, address, or other PII.
- Use a variation of unique passwords to access online accounts.
- Monitor changes in SMS-based connectivity.
- Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.
- Do not store passwords, usernames, or other information for easy login on mobile device applications.
Beyond these FBI tips, crypto users should also work with a threat intelligence vendor to rapidly identify the leakage