The sixth and final defendant in a gang accused of perpetrating a multimillion-dollar SIM hijacking case was sentenced to 10 months in prison and ordered to pay more than $121,000 in restitution, the Department of Justice announced Tuesday.
Garrett Endicott, 22, from Missouri, was connected to a hacking group known as “The Community,” which engaged in a string of SIM hijacking incidents targeting individual users’ cryptocurrency exchange accounts in seven states, according to DOJ. SIM hijacking, or SIM swapping, is a technique where an attacker takes control of a target’s phone number, allowing the attackers to receive text messages and other forms of two-factor authentication protocols that are then used to log into accounts.
The gang, known as “The Community,” faced charges of conspiracy to commit wire fraud, wire fraud and aggravated identity theft. Three people who worked for mobile phone providers and helped the gang were also charged with wire fraud.
In SIM swapping, attackers either bribe mobile phone provider employees for access to target accounts or socially engineer their way into the accounts by calling provider support lines, posing as the target, and getting the company to reassign the mobile number to a SIM card controlled by the attacker. This group employed both methods, the government alleged.
Law enforcement has long battled SIM hijacking and swapping. Earlier this month, Canadian police arrested a teenager accused of stealing $36 million in cryptocurrency from a single victim in a SIM hijacking attack, representing that country’s single biggest cryptocurrency theft. In September, DOJ announced charges against a California man accused in a SIM swapping scheme that targeted at least 40 people.
But the Federal Communication Commission recently joined the fight against SIM-swapping, too, with a proposed rule meant to crack down on the phenomenon.
Endicott was indicted in 2019 along with five others. The other members of the gang were sentenced to between two to four years in prison, and one was sentenced to probation. The thieves stole tens of millions of dollars worth of cryptocurrency, the government alleges, with individual victims losing cryptocurrency valued, at the time, between less than $2,000 and more than $5 million.
Three people who weren’t part of the gang but who worked for mobile phone providers were indicted at the same time as the six members of the gang, accused of helping the hacker crew steal identities of targets in exchange for bribes.