Eight men aged between 18 and 26 have been arrested across the UK today facing criminal charges under the “Computer Misuse Act,” money laundering, and fraud. The young men engaged in attacks known as “SIM swapping.”
This means to port other people’s numbers into empty SIM cards and then use their access to the telecommunication network to bypass SMS-based two-factor authentication mechanisms that protect the number owner’s accounts on internet platforms. As for their victims, these were mainly U.S.-based actors, singers, sports stars, and well-known social media personas with large followerships.
According to the NCA (National Crime Agency), the men had a financial motive, as they were using the stolen accounts to trick other people into sending them money in the form of crypto. In other cases, they attempted to extort their victims into paying a ransom or have their accounts abused and their social media personas ridiculed.
In several cases, the FBI was able to identify the hacks before the actors were given the opportunity to cause any damage - and even informed the targeted users so they could be prepared and remain vigilant. The procedure of identifying the eight men involved the NCA, FBI, and Europol, so it was a cross-border law enforcement effort. For now, there was no mention about the enablement aspect of the operation, i.e., whether or not someone was working on a telco who aided the crooks in the number porting process.
The arrested individuals will now be extradited to the United States for prosecution, while the Santa Clara California District Court is already preparing to accept them for the hearings. The American judiciary isn’t being at all lenient towards SIM swappers, treating them as high-level criminals, and rightfully so.
As for the celebs and valuable account holders in general, relying upon SMS-based or even email-based 2FA isn’t the best way to secure your account. If you insist on doing so, use a private number for the verification, one that absolutely nobody else knows. Even then, a corrupt insider working for a telco may find the subscriber name in catalogs and make the correlation, so, ideally, use an authentication app - or even better, a USB key.