Spain's National Police Agency, the Policía Nacional, said last week it dismantled an unnamed cybercriminal organization and arrested eight individuals in connection with a series of SIM swapping attacks that were carried out with the goal of financial fraud.
The suspects of the crime ring masqueraded as trustworthy representatives of banks and other organizations and used traditional phishing and smishing techniques to obtain personal information and bank data of victims before draining money from their accounts.
"They usurped the identity of their victims through the falsification of official documents and tricked employees of telephone stores into getting the duplicate of SIM cards, cards where they received security confirmation messages from banks that allowed them to empty their victims' accounts," the authorities said.
Seven of the arrests were made in Barcelona and one in Seville. As many as 12 bank accounts were frozen as part of the illicit operation. The first known instance of fraud attributed to the gang is said to have occurred in March 2021.
SIM swapping, also known as SIM hijacking, is a malicious technique wherein criminal actors target mobile carriers to gain access to victims' bank accounts, virtual currency accounts, and other sensitive information. The SIM swap is often facilitated through social engineering, insider threat, or phishing techniques.
The scheme involves an attacker impersonating a victim and tricking the mobile carrier into switching the victim's mobile number to a SIM card under their control. Alternatively, this can also be achieved by bribing an employee of the mobile carrier or tricking the employees into downloading malware used to break into systems and conduct the SIM swaps.
Once the phone numbers are ported, threat actors leverage the "identity" to perform account resets, bypass SMS-based two-factor authentication protections, and seize control of the target's online accounts.
A spike in SIM swapping fraud
Over the years, SIM swapping has evolved into an increasingly prevalent form of cybercrime, causing theft to the tune of millions of dollars from victims' cryptocurrency wallets and bank accounts. In November 2021, U.S. prosecutors indicted a U.K. national for orchestrating a SIM-swapping attack to siphon $784,000 worth of cryptocurrency.
Then in December 2021, a sixth member associated with an international hacking group known as The Community was sentenced in connection with a multimillion-dollar SIM swapping conspiracy.
The arrests come as the U.S Federal Bureau of Investigation (FBI) said that from January to December 2021, it received 1,611 SIM-swapping complaints that resulted in adjusted losses of more than $68 million. In comparison, the agency received 320 complaints related to SIM-swapping incidents from 2018 to 2020, with adjusted losses of about $12 million.