UK hacker-for-hire jailed for role in SIM-swapping attacks, data theft

The teenager touted his services in exchange for cryptocurrency.


A British teenager has been sentenced to 20 months in prison after offering hacker-for-hire services to cash in on trends including SIM-swapping attacks.

The UK's Norfolk police force said that 19-year-old Elliot Gunton, of Norwich, was sentenced at Norwich Crown Court on Friday after pleading guilty to hacking offenses, money laundering, the hacking of an Australian Instagram account, and the breach of a Sexual Harm Prevention Order.

In April 2018, a routine visit was conducted to Gunton's home with respect to the Sexual Harm Prevention Order that was imposed in 2016 for past offenses. 

During the inspection, law enforcement found software which indicated the teenager may be involved in cybercrime. Further investigation of a laptop belonging to Gunton, which police seized, revealed that he had been offering himself as a provider of hacking services.


Specifically, Gunton offered to supply stolen personal information to those who hired him. This information, which could include personally identifiable information (PII) such as names, addresses, and online account details, could then be used to commit fraud and SIM-swapping attacks.

The theft and sale of PII is a commonplace occurrence today. However, SIM-swapping attacks are a relatively new phenomenon. 

In order to conduct a SIM-swap, a fraudster will obtain some PII from a target and then call up their telephone subscription provider while pretending to be the true owner of the account. Social engineering then comes into the mix to convince the operator to switch the telephone number belonging to the victim to the attacker's control. 

It might only be a short window in which the victim does not realize their number has been transferred, but this time frame can be enough for an attacker to bypass two-factor authentication (2FA), intercept calls and text messages, request password resets, and compromise online accounts ranging from email addresses to cryptocurrency wallets. 

Payments were made in cryptocurrency including Bitcoin (BTC) in an attempt to mask his activities. Business was booming for Gunton, it seems, considering that he must pay back over £400,000 ($484,000). 


However, the jail sentence has already been served on remand and so Gunton will not have to serve any further time. 

The 19-year-old is subject to a community order that prevents him from owning a device capable of connecting to the Internet unless it is made available for the police to view at any time. Internet histories must not be deleted, and he is not permitted to make use of any VPN, encryption, or the Tor network.


"Gunton was exploiting the personal data of innocent businesses and people in order to make a considerable profit but he did not succeed in hiding all of his ill-gotten gains which enabled us to seize hundreds of thousands of pounds worth of Bitcoin," said Detective Sergeant Mark Stratford. "This emerging type of criminality requires police investigators to be at the forefront of technological advancements in order to effectively combat the ever-growing paradigm of cybercrime."
