Two SIM swappers arrested for CMCT hack

Suspects stand accused of stealing cryptocurrency worth $14 million from a California startup.
Written by Catalin Cimpanu, Contributor

Oklahoma City police arrested two men last week on suspicion of hacking and stealing $14 million worth of cryptocurrency from Crowd Machine, a cryptocurrency startup.

According to KFOR, an Oklahoma City TV station that first reported the arrests, the two men are Fletcher Robert Childers, 23, and Joseph Harris, 21, both of Missouri.

    Also: California governor signs country's first IoT security law CNET

    Childers and Harris stand accused of using a technique called SIM swapping to temporarily take over the phone number of another person --in this case of a Crowd Machine employee.

    The two allegedly used this temporary access to steal hundreds of millions of Crowd Machine Compute Tokens (CMCTs) from the California-based startup.

    According to members of the cryptocurrency community, the hackers transferred the stolen CMCTs to exchanges, where they converted the funds in other digital currencies.

    The sudden dump of millions of CMCTs on the market crashed the CMCT price by nearly 80 percent on September 23, the day of the hack.


    CMCT price evolution before and after hack

    Crowd Machine admitted to the hack a day later, on September 24, and some cryptocurrency exchanges stopped trading its tokens. On the next day, the company revealed that authorities made an arrest. The hackers' identities were made public on Friday, after the KFOR report.

    Childers and Harris are the fourth and fifth suspects arrested in the US for SIM swapping. The technique has become widely popular with hackers in the past year.

    Hackers use it to hijack the phone numbers in order to bypass SMS-based two-factor authentication for high-value social media or cryptocurrency accounts. After gaining access to these accounts, they steal cryptocurrency funds or put up the social media accounts up for sale on underground forums.

    The first ever arrest for a SIM swapping attack took place in July, this year. The suspect's name is Joel Ortiz, a 20-year-old from Boston, accused of SIM swapping at least 40 persons from whom he stole over $5 million worth of cryptocurrency.

      Also: Cheat sheet: How to become a cybersecurity pro TechRepublic

      A second man was arrested days after Ortiz, Ricky Joseph Handschumacher, a 25-year-old from Port Richey, Florida. Investigators believe Handschumacher was part of a nine-man squad involved in similar SIM swapping attacks. He stands accused of using SIM swapping to break into the online accounts of several businessmen, including the CEO of the Gemini cryptocurrency exchange.

      The third man arrested is Xzavyer Clemente Narvaez, a 19-year-old from Santa Clara. Narvaez used SIM swapping attacks to steal over $1 million worth of cryptocurrency from people's online accounts.

      These are 2018's biggest hacks, leaks, and data breaches

      Previous and related coverage:

      What is malware? Everything you need to know

      Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

      Security 101: Here's how to keep your data private, step by step

      This simple advice will help to protect you against hackers and government surveillance.

      VPN services 2018: The ultimate guide to protecting your data on the internet

      Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

      Related stories:

      Editorial standards