Wave of SIM swapping attacks hit US cryptocurrency users
Numerous members of the cryptocurrency community have been hit by SIM swapping attacks over the past week, ZDNet has learned, in what appears to be a coordinated wave of attacks.
SIM swapping, also known as SIM jacking, is a type of ATO (account take over) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfers a victim's phone number to their own SIM card.
The purpose of this attack is so that hackers can reset passwords or receive 2FA verification codes and access protected accounts.
These types of attacks have been going on for half a decade now, but they've exploded in 2017 and 2018 [1, 2, 3] when attackers started focusing on attacking members of the cryptocurrency community, so they could gain access to online accounts used for managing large sums of Bitcoin, Ethereum, and other cryptocurrencies.
But while these attacks were very popular last year, this year, the number of SIM swapping attacks appeared to have gone down, especially after law enforcement started cracking down and arresting some of the hackers involved in these schemes [1, 2, 3, 4, 5].
Something happened last week
But despite a period of calm in the first half of the year, a rash of SIM swapping attacks have been reported in the second half of May, and especially over the past week.
Sim Swapped. Phone number ported. Thanks @TMobile
— Andrew Kang (@Rewkang) June 1, 2019
That’s at least 15 of us in the crypto community in the last week.
3 SIM swap attacks in my feed these past days. All from the US. What the fuck is going on?
— María Paula, not Maria (@MPtherealMVP) May 25, 2019
Ps. 2FA EVERYTHING AND DON’T USE A SINGLE ACCOUNT
If you are in the US and have been simswapped, I recommend emailing Samy from the Regional Enforcement Allied Computer Team at starazi@rtf.sccgov.org. Stay secure and 2FA!
— Ron Patiro (@RonPatiro) May 25, 2019
Apparently @MolochDAO members are under SIM swap attack. Reminder to use 2fa apps and don’t use text verification for anything (especially gmail).
— Eric Conner (@econoar) May 26, 2019
Fuck I am getting sim swapped.
— 👹 Cassandra Shi (@cassshih) May 25, 2019
What's the immediate course of action to take when you suspect you've been SIM swapped (e.g. your iPhone carrier deactivates)? Asking for a friend...
— Ameen Soleimani 👹 (@ameensol) May 26, 2019
My personal identity was hacked last week. The attacker was able to steal $100k+ in a sweep of my Coinbase account. I'm equal parts embarrassed, hurt, and deeply remorseful.
— Sean Coonce (@cooncesean) May 20, 2019
In an effort to raise awareness about the attack, I wrote about it here: https://t.co/ZnbB0AN6Gd
I haven't gone public yet but I had three on me personally in the past week. Submitted an FBI report. All sign point to an inside job at the cell company. Phone records were wiped clean for an entire day and "recorded for quality and training purposes" settings were turned off.
— Chris Robison (@CBobRobison) May 25, 2019
I've been hearing about another spate of SIM-jackings involving @TMobile, possibly involving bypassed PINs, which hint at insiders or weak processes.
— Emin Gün Sirer (@el33th4xor) June 2, 2019
The traditional telecom companies won't clean up their act without a class action lawsuit and heavy fines. Switch to @googlefi. https://t.co/wp60qvyn7i
This happened to me too. Also @TMobile - also someone in support made a poor decision to ignore instructions and allow a SIM swap. Happy to share info if needed.
— John Caldwell (@ScheckTwit) June 2, 2019
All of the users listed in the tweets above are connected in one way or another to the cryptocurrency community.
Some of them have publicly admitted to losing funds, such as Sean Coonce, who penned a blog post about how he lost over $100,000 worth of cryptocurrency due to a SIM swapping attack.
Some victims avoided getting hacked
ZDNet also spoke with some of the other victims over the weekend. Some candidly admitted to losing funds, while others said the SIM swapping attacks were unsuccessful because they switched to using hardware security tokens to protect accounts, instead of the classic SMS-based 2FA system.
One victim, who wanted to remain anonymous, said that once hackers realized access to cryptocurrency exchange accounts was not possible, intruders quickly switched tactics and targeted social media and email accounts, successfully hijacking the victim's Instagram account.
This exact same thing also appears to have happened to other users, with hackers taking over social media accounts over the past week when they realized they couldn't access cryptocurrency accounts.
PSA: If you have @TMobile as your Cell provider, someone was able to convince them to swap the SIM on one of the lines on my account at 10 PM last night without my authorization and used it to break 2-factor authentication, and gain access to an @instagram account.
— Hunter Bond 🛴 Seattle (@BondHunterBond) May 27, 2019
My phone was hacked.
— Preethi Kasireddy (@iam_preethi) May 25, 2019
Hacker logged into my @telegram account and messaged a bunch of folks asking for BTC.
PSA: If you got a message from me asking for BTC, that was not me.
SIM swapping attacks happened in the US alone
The majority of these SIM swapping attacks appear to have taken place over the last week alone, and targeted US-based users only.
While some of the users who reported SIM swapping attacks on Twitter said they were T-Mobile customers, the issue isn't limited to T-Mobile alone.
In conversations that ZDNet had with other victims, some revealed they were also AT&T customers.
In an interview last year, Caleb Tuttle, a detective with the Santa Clara County District Attorney's office, said SIM swapping attacks happen in one of three ways.
The first is when the attacker bribes or blackmails a mobile store employee into assisting in the crime. The second involves current and/or former mobile store employees who knowingly abuse their access to customer data and the mobile company's network. Finally, crooked store employees may trick unwitting associates at other stores into swapping a target's existing SIM card with a new one.
Whatever happened over these past two weeks, the perpetrators won't be able to hide for long.
If there's something that we learned until now is that SIM swappers rarely get away with their crimes, mainly because there's way too much logging happening at telecom providers for the attackers to have a clean getaway.
2018's worst cryptocurrency scams, cyberattacks (in pictures)
Related cybersecurity coverage:
- I2P network proposed as the next hiding spot for criminal operations
- Chinese military to replace Windows OS amid fears of US hacking
- New attack creates ghost taps on modern Android smartphones
- Russian military moves closer to replacing Windows with Astra Linux
- CI build logs continue to expose company secrets
- Microsoft releases new version of Attack Surface Analyzer utility
- How WannaCry is still launching 3,500 successful attacks per hour TechRepublic
- The best identity theft monitoring services for 2019 CNET