SIM-swapping 21-year-old scores $1 million by hijacking a phone

The man reportedly targeted well-known business leaders, making off with one victim's life savings.
Written by Charlie Osborne, Contributing Writer

A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency.

The New York Post reports that Nicholas Truglia used his apartment in West 42nd Street, in the Bay Area, as a base to track down targets for his SIM-swapping scheme.

SIM-swapping is an attack in which criminals call customer service representatives and ask to port a number to a new device. While often only temporary -- as victims will quickly notice their reception die and pursue the matter -- this window can give attackers the chance to circumvent two-factor authentication (2FA) security checks and access high-value accounts.

According to US prosecutors, Truglia targeted San Francisco resident Robert Ross on October 26, successfully pulling off a SIM-swap and stealing a combined $1 million from both a Coinbase and Gemini account.

The cryptocurrency stored in these accounts were Ross' life savings, the publication notes, and was destined for his two daughters' college funds.

See also: What we can expect from future cryptocurrency regulation worldwide

While Ross quickly noticed something was wrong with his mobile device and called his provider, by the time his service was restored and number recovered, his cryptocurrency had been stolen and converted into cash.

Other executives had also been allegedly targeted but these attacks did not lead to further cryptocurrency thefts, despite the compromise of their mobile devices. In total, law enforcement says the 21-year-old claimed six victims.

Truglia is the same man that reportedly accused his friends earlier this month of torturing him following a night out in an effort to force him to hand over his cryptocurrency wallet credentials. The alleged SIM-swapper accused associates of holding his head underwater and physically abusing him, as well as stealing his personal possessions -- despite it now appearing that his coveted cryptocurrency stash was not his to begin with.

TechRepublic: How to install fail2ban on Ubuntu Server 18.04

After his arrest on November 14, law enforcement was able to recover $300,000. The rest, however, has not been traced.

Truglia is now being held pending extradition to Santa Clara, Califonia, in order to face a total of 21 felony charges relating to theft, damage to a personal computer, fraud, and the use of personal data without authorization.

SIM-swapping is emerging as a serious problem especially as so many of our online accounts -- some of which containing financial assets -- are linked to our mobile devices. As a result, service providers may begin to feel the sting if they fall for more fraudulent calls made by would-be SIM-swappers.

CNET: Russian hacking tool gets extra stealthy to target US, European computers

Earlier in November, a court case was filed against AT&T on behalf of customers who have lost cryptocurrency due to successful SIM-swapping attacks.

Black Friday 2018: The best early US deals in tech

Previous and related coverage

Editorial standards