Eight men were arrested across England and Scotland this week as part of a coordinated crackdown against a SIM swapping gang that has hijacked the identities and social media profiles of US celebrities.
The UK National Crime Agency, which made the arrests on Tuesday, said the gang targeted well-known sports stars, musicians, and influencers, primarily located in the US.
"These arrests follow earlier ones in Malta (1) and Belgium (1) of other members belonging to the same criminal network," Europol, which coordinated the multi-national investigation, said today.
Officials said this gang engaged in SIM swapping attacks, where they tricked US mobile operators into assigning a celebrity's phone number to a new SIM card under the attacker's control.
While they had access to the victim's phone number, the SIM swappers would reset passwords and bypass two-factor authentication on the victim's accounts.
"This enabled them to steal money, bitcoin and personal information, including contacts synced with online accounts," the NCA said.
Europol said the gang stole more than $100 million worth of cryptocurrency using this method.
"They also hijacked social media accounts to post content and send messages masquerading as the victim," UK investigators added.
The investigation involved authorities in the US, the UK, Canada, Malta, and Belgium and got underway in 2020, after the infamous Twitter hack, where SIM swapping was also involved.
Authorities previously noted a rise in SIM swapping-related incidents, as criminal groups find the technique easier to carry out when compared to orchestrating highly-technical phishing and malware campaigns.
The practice usually relies on tricking telco call center staff into assigning a phone number to a new SIM card, but it often also relies on rogue employees inside telephone companies willing to cooperate with criminal gangs.
One such employee was charged in the US on Monday. The US Department of Justice indicted Stephen Daniel Defiore for his role in helping SIM swappers steal the identities of at least 19 people while working as an employee for an unnamed US phone company between August 2017 and November 2018.
US authorities said Defiore received $2,325 in a series of twelve payments for his role in the scheme. If found guilty, he now faces a prison sentence of up to five years and a fine of up to $250,000.