Ten people belonging to a criminal network have been arrested in connection with a series of SIM-swapping attacks that resulted in the theft of more than $100 million by hijacking the mobile phone accounts of high-profile individuals in the U.S.
The Europol-coordinated year-long investigation was jointly conducted by law enforcement authorities from the U.K., U.S., Belgium, Malta, and Canada.
"The attacks orchestrated by this criminal gang targeted thousands of victims throughout 2020, including famous internet influencers, sport stars, musicians and their families," Europol said in a statement. "The criminals are believed to have stolen from them over $100 million in cryptocurrencies after illegally gaining access to their phones."
The eight suspects, aged 18 to 26, are said to be part of a larger ring, two members of which were nabbed previously in Malta and Belgium. The latest arrests were made in England and Scotland.
The sweep comes almost a year after Europol led an operation to dismantle two SIM swap criminal groups that stole €3.5 million ($3.9 million) by orchestrating a wave of more than 100 attacks targeting victims in Austria, emptying their bank accounts through their phone numbers.
Typically achieved with the help of a corrupt insider or using social engineering lures, SIM swapping refers to the technique cybercriminals use to persuade phone carriers to port their victims' cell services to a SIM card under the criminals' control.
The SIM swap then grants attackers access to incoming phone calls, text messages, and one-time verification codes (or one-time passwords) that various websites send via SMS messages as part of the two-factor authentication (2FA) process.
The authorities noted that, once in control of the target's mobile phone, the criminals accessed personal information, including contacts synced with online accounts, and stole money, with cryptocurrency losses exceeding $100 million in 2020.
"They also hijacked social media accounts to post content and send messages masquerading as the victim," the U.S. Secret Service said.
The arrested suspects face charges for offences under the Computer Misuse Act, as well as fraud and money laundering. They are also expected to be extradited to the U.S. for prosecution.
To avoid SIM swapping attacks, it's recommended that users keep their device's software up to date, limit data-sharing online, and enable 2FA via apps instead of having an authentication code sent over SMS.
"When possible, do not associate your phone number with sensitive online accounts," Europol cautioned.