Hackers allegedly stole $2.4 million in cryptocurrency in a six-month SIM hijacking spree
Nine people were charged with crimes related to stealing more than $2.4 million in cryptocurrency by hijacking victims’ mobile phone numbers, the U.S. Department of Justice said Thursday.
Six men from throughout the U.S. and one from Ireland were named in an indictment unsealed Thursday alleging wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.
Stealing mobile phone numbers, also known as SIM hijacking, typically involves hackers posing as their victim in order to transfer a phone number from one device to another. Once an attacker is granted access to the phone number, they can bypass two-factor authentication that relies on one-time codes delivered via SMS messages.
The Justice Department indictment alleges that members of the group, known as “The Community,” bribed customer support representatives to provide phone numbers, then used the numbers to subvert two-factor authentication and infiltrate a victims’ accounts, changing their passwords along the way.
Three other men charged in the criminal complaint worked at the phone companies and allegedly provided information about customers to members of the hacking group in exchange for a fee.
Seven attacks carried out between December 2017 and May 2018 resulted in the theft of cryptocurrency valued at more than $2.4 million, according to the indictment.
The defendants in this case range in age from 19 to 28 years old.
The maximum penalty for defendants found guilty of conspiracy to commit wire fraud is 20 years in prison. Wire fraud also carries a maximum penalty of 20 years in prison. A conviction on aggravated identity theft could result in a maximum of two years in prison.
SIM Hijacking has emerged over the past two years as an opportunistic crime carried out by thieves hoping for access not just to cryptocurrency wallets, but also social media and e-commerce information. In one case, highlighted in July by Motherboard, scammers took over the phone of a mom in Salt Lake City, Utah and demanded she give up her Instagram name, @Rainbow, or else watch her credit be destroyed.
You can read the full indictment below.
[documentcloud url=”http://www.documentcloud.org/documents/5996035-Community-Indictment.html” responsive=true text=false]