US law enforcement has dismantled a prominent cybercriminal ring which managed to steal over $2.4 million by hijacking the SIM cards of its victims.
Last week, the US Department of Justice (DoJ) revealed that nine individuals have been charged with wire fraud in relation to the hacking group in a Michigan federal court.
In total, six individuals have been charged with conspiracy to commit wire fraud, wire fraud, and aggravated identity theft, and three additional members of the scheme -- all of which are former employees of mobile phone providers -- have been charged with wire fraud.
The criminal ring was known as "The Community." The nine members, including eight Americans and one Irishman who were between 19 and 28 years of age, allegedly performed SIM hijacking in order to steal cryptocurrency.
SIM-swapping and SIM hijacking are an emerging problem for law enforcement. The tactics used to perform identity theft and to steal funds requires a criminal to gain enough information to pass security checks with a mobile phone provider's customer service team in order to request a number transfer.
If a customer service representative falls for the scam, they will believe the person on the phone is the account holder and will agree to move the mobile phone number to a new SIM card.
Once the phone number is in an attacker's control, they have a small time window in which to bypass two-factor authentication (2FA) checks implemented by online services the victim uses, and this also not only includes email accounts and social media, but also cryptocurrency exchanges and storage systems.
CNET: Your most sensitive data is likely exposed online. These people try to find it
Granted the keys to these kingdoms, criminals are then able to redirect the victim's calls and texts, including 2FA verification codes, access accounts, and whisk away the proceeds, such as cryptocurrency.
The Community apparently specializes in exploiting this security weakness. The cybercriminal gang not only used social engineering to accomplish these goals, however, as they also managed to bribe some mobile phone provider employees into participating in SIM hijacking attempts.
Prosecutors say that the group allegedly managed to steal cryptocurrency from their victims estimated to be worth $2,416,352. Seven attacks were performed to law enforcement's knowledge.
While the main members of The Community performed the SIM hijacking attacks, the three former staff members of unnamed mobile phone providers were reportedly in on the scheme and helped facilitate the theft of victim identities.
TechRepublic: Cybersecurity burnout: 10 most stressful parts of the job
If convicted, wire fraud alone could result in a sentence of up to 20 years behind bars. Conspiracy to commit wire fraud also has the same maximum penalty, and aggravated identity theft in support of wire fraud carries a sentence of up to two years in prison.
See also: SEC, or Shortseller? Elon Musk appears to mock agency following $40m settlement
In November, a 21-year-old was accused of performing a SIM hijacking attack to steal $1 million in cryptocurrency from a San Francisco resident. While another SIM-swapper was recently sentenced to 10 years in prison for stealing $5 million from his victims, as a novel way of circumventing 2FA and other security measures for online accounts, it is unlikely that the occasional capture of such criminals will prove a deterrent -- especially when you consider how much money can be stolen by breaking into cryptocurrency wallets.
These are the worst hacks, cyberattacks, and data breaches of 2018
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0