The U.S. DoJ announced charges against nine individuals, 6 members of a hacking group known as ‘The Community’ and 3 former employees of mobile phone providers. The latter group helped the hackers to steal roughly $2.5 million worth of the cryptocurrency through SIM Swapping attacks.
“Six individuals connected to a hacking group known to its members as “The Community” were charged in a fifteen count indictment unsealed today with conspiracy to commit wire fraud, wire fraud and aggravated identity theft, announced United States Attorney Matthew Schneider.” reads the press release published by the DoJ. “In addition, a criminal complaint was unsealed charging three former employees of mobile phone providers with wire fraud in relation to the conspiracy.”
The alleged members of The Community hacker group are five Americans and an Irishman and have been charged with 15 criminal counts
The three former employees of mobile phone providers are Americans and have been charged in a criminal complaint with the wire fraud.
Below the full list of defendants charged in the indictment:
In SIM swap frauds crooks are able to port the phone number of the victims to a new SIM card under their control.
A SIM swap fraud is a type of fraud that overwhelms the additional security measures introduced by organizations to protect their customers.
Attackers obtain victims’ information by launching a phishing campaign, or by purchasing them in the underground market.
Crooks use the information gathered on the victims in the attempt to impersonate them in front of a telco operator and ask it to provide a new SIM to replace the old one that was lost or stolen.
They can prove their identity by answering basic security questions and requesting the cancellation of the old SIM and the activation of a new one. Once obtained a new SIM, crooks can operate with the victim’s mobile account, intercepting or initiating calls, accessing SMSs (including authorizations codes sent by bank and cryptocurrency exchanges) and to authorize transactions.
“SIM Hijacking or “SIM Swapping” is an identity theft technique that exploits a common cyber-security weakness – mobile phone numbers. This tactic enabled “The Community” to gain control of victims’ mobile phone number, resulting in the victims’ phone calls and short message service (“SMS”) messages being routed to devices controlled by “The Community”.” continues the DoJ.
According to the DoJ, ‘SIM Hijacking‘ was often facilitated by the employee of a mobile phone provider, in other cases the attack was accomplished by a member of “The Community” contacting a mobile phone provider’s customer service—posing as the victim—and requesting that the victim’s phone number be swapped to a SIM card under the control of the gang.
The indictment confirms that the defendants executed seven SIM swapping attacks that resulted in the theft of victims’ funds from their cryptocurrency exchange wallets. Crooks transferred approximately $2.5 million worth of cryptocurrency to wallets under the control of the group.
Each defendant faces a maximum penalty of 20 years in jail . Meanwhile, an aggravated identity theft charge carries a maximum sentence of 2 years in prison.
“If convicted on the charge of conspiracy to commit wire fraud, each defendant faces a statutory maximum penalty of 20 years in prison. The charges of wire fraud each carry a statutory maximum penalty of 20 years in prison.” continues concludes the DoJ. “A conviction of aggravated identity theft in support of wire fraud carries a statutory maximum penalty of 2 years in prison to be served consecutively to any sentence imposed on the underlying count of wire fraud.”
In February, a 20-year-old college student that has stolen more than $5 million worth of cryptocurrency through SIM swapping attacks gets a 10 years jail sentence.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.