Numerous members of the cryptocurrency community have been hit by SIM swapping attacks over the past week, ZDNet has learned, in what appears to be a coordinated wave of attacks.
SIM swapping, also known as SIM jacking, is a type of ATO (account takeover) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfer a victim's phone number to their own SIM card.
The purpose of this attack is to let hackers reset passwords or receive 2FA verification codes sent to that number, and so access protected accounts.
These types of attacks have been going on for half a decade now, but they've exploded in 2017 and 2018 [1, 2, 3] when attackers started focusing on attacking members of the cryptocurrency community, so they could gain access to online accounts used for managing large sums of Bitcoin, Ethereum, and other cryptocurrencies.
But while these attacks were very popular last year, this year, the number of SIM swapping attacks appeared to have gone down, especially after law enforcement started cracking down and arresting some of the hackers involved in these schemes [1, 2, 3, 4, 5].
Something happened last week
But despite a period of calm in the first half of the year, a rash of SIM swapping attacks has been reported in the second half of May, and especially over the past week.
All of the users listed in the tweets above are connected in one way or another to the cryptocurrency community.
Some of them have publicly admitted to losing funds, such as Sean Coonce, who penned a blog post about how he lost over $100,000 worth of cryptocurrency due to a SIM swapping attack.
Some victims avoided getting hacked
ZDNet also spoke with some of the other victims over the weekend. Some candidly admitted to losing funds, while others said the SIM swapping attacks were unsuccessful because they switched to using hardware security tokens to protect accounts, instead of the classic SMS-based 2FA system.
One victim, who wanted to remain anonymous, said that once hackers realized access to cryptocurrency exchange accounts was not possible, intruders quickly switched tactics and targeted social media and email accounts, successfully hijacking the victim's Instagram account.
This exact same thing also appears to have happened to other users, with hackers taking over social media accounts over the past week when they realized they couldn't access cryptocurrency accounts.
SIM swapping attacks happened in the US alone
The majority of these SIM swapping attacks appear to have taken place over the last week alone, and targeted US-based users only.
While some of the users who reported SIM swapping attacks on Twitter said they were T-Mobile customers, the issue isn't limited to T-Mobile alone.
In conversations that ZDNet had with other victims, some revealed they were also AT&T customers.
In an interview last year, Caleb Tuttle, a detective with the Santa Clara County District Attorney's office, said SIM swapping attacks happen in one of three ways.
The first is when the attacker bribes or blackmails a mobile store employee into assisting in the crime. The second involves current and/or former mobile store employees who knowingly abuse their access to customer data and the mobile company's network. Finally, crooked store employees may trick unwitting associates at other stores into swapping a target's existing SIM card with a new one.
Whatever happened over these past two weeks, the perpetrators won't be able to hide for long.
If there's one thing we've learned so far, it's that SIM swappers rarely get away with their crimes, mainly because there's way too much logging happening at telecom providers for the attackers to have a clean getaway.