
U.S. DoJ charges 9 individuals that stole $2.5M through SIM swapping

The U.S. Department of Justice charged nine individuals connected to a hacking crew focused on identity theft and SIM swapping attacks.

The U.S. DoJ announced charges against nine individuals: six members of a hacking group known as ‘The Community’ and three former employees of mobile phone providers. The latter group helped the hackers steal roughly $2.5 million worth of cryptocurrency through SIM swapping attacks.

“Six individuals connected to a hacking group known to its members as “The Community” were charged in a fifteen count indictment unsealed today with conspiracy to commit wire fraud, wire fraud and aggravated identity theft, announced United States Attorney Matthew Schneider.” reads the press release published by the DoJ. “In addition, a criminal complaint was unsealed charging three former employees of mobile phone providers with wire fraud in relation to the conspiracy.”

The alleged members of The Community hacker group, five Americans and an Irishman, have been charged with 15 criminal counts, including conspiracy to commit wire fraud, wire fraud and aggravated identity theft.

The three former employees of mobile phone providers are Americans and have been charged in a criminal complaint with wire fraud.

Below is the full list of defendants charged in the indictment:

  • Conor Freeman, 20, of Dublin, Ireland
  • Ricky Handschumacher, 25, of Pasco County, Florida
  • Colton Jurisic, 20, of Dubuque, Iowa
  • Reyad Gafar Abbas, 19, of Rochester, New York
  • Garrett Endicott, 21, of Warrensburg, Missouri
  • Ryan Stevenson, 26, of West Haven, Connecticut
  • Jarratt White, 22, of Tucson, Arizona (former mobile phone provider employee)
  • Robert Jack, 22, of Tucson, Arizona (former mobile phone provider employee)
  • Fendley Joseph, 28, of Murrietta, California (former mobile phone provider employee)

In SIM swap frauds, crooks are able to port the victim's phone number to a new SIM card under their control.

A SIM swap is a type of fraud that defeats the additional security measures introduced by organizations to protect their customers.

Attackers obtain victims’ information by launching a phishing campaign or by purchasing it on the underground market.

Crooks use the information gathered on the victims to impersonate them to a telco operator and ask it to provide a new SIM to replace the old one, reported as lost or stolen.

They can prove their identity by answering basic security questions, then request the cancellation of the old SIM and the activation of a new one. Once they have obtained a new SIM, crooks can operate the victim’s mobile account: intercepting or initiating calls, accessing SMS messages (including authorization codes sent by banks and cryptocurrency exchanges) and authorizing transactions.

“SIM Hijacking or “SIM Swapping” is an identity theft technique that exploits a common cyber-security weakness – mobile phone numbers.  This tactic enabled “The Community” to gain control of victims’ mobile phone number, resulting in the victims’ phone calls and short message service (“SMS”) messages being routed to devices controlled by “The Community”.” continues the DoJ.

According to the DoJ, SIM hijacking was often facilitated by an employee of a mobile phone provider. In other cases the attack was accomplished by a member of “The Community” contacting a mobile phone provider’s customer service, posing as the victim, and requesting that the victim’s phone number be swapped to a SIM card under the control of the gang.

The indictment confirms that the defendants executed seven SIM swapping attacks that resulted in the theft of victims’ funds from their cryptocurrency exchange wallets. Crooks transferred approximately $2.5 million worth of cryptocurrency to wallets under the control of the group.

Each defendant faces a maximum penalty of 20 years in jail. Meanwhile, an aggravated identity theft charge carries a maximum sentence of 2 years in prison.

“If convicted on the charge of conspiracy to commit wire fraud, each defendant faces a statutory maximum penalty of 20 years in prison. The charges of wire fraud each carry a statutory maximum penalty of 20 years in prison.” concludes the DoJ. “A conviction of aggravated identity theft in support of wire fraud carries a statutory maximum penalty of 2 years in prison to be served consecutively to any sentence imposed on the underlying count of wire fraud.”

In February, a 20-year-old college student who stole more than $5 million worth of cryptocurrency through SIM swapping attacks received a 10-year jail sentence.


Pierluigi Paganini

(SecurityAffairs – SIM Swapping, Cybercrime)
