How SIM Swapping Works & How the $5 Million Thief Was Caught


Have you ever tried to hack someone’s Facebook account? Someone you know well enough to attempt their security questions in the hope of getting in? Maybe to post some embarrassing status updates or just give them a scare? (Disclaimer: this is not advised). One 20-year-old student stuck to these same well-known, old-school tactics but took his hacking game to a whole other level. Joel Ortiz has been sentenced to 10 years in prison after accepting a plea deal for stealing over USD $5 million worth of cryptocurrency from users. He did this by swapping and hijacking their SIMs and using their phone numbers to bypass their two-factor authentication so that he could make transactions from their cryptocurrency wallets.

This may come as a surprise to some, but SIM swapping is a very real, increasingly common and under-reported crime. The attack starts with research. Once the attacker knows enough about you, they impersonate you in a call to your mobile carrier, claiming that your SIM has been lost and asking for your number to be transferred to a new one.

Once a new SIM is issued, the attacker collects it and goes through activation over the phone, prepared to answer whatever generic identity questions the call includes. At that point the attacker controls your phone number, and that number is tied to numerous social media, wallet and retail accounts whose passwords can be reset through SMS-based two-factor authentication, which now lands in the attacker's hands.

SIM swapping has been used for offences ranging from social media and cloud account hijacking for blackmail to emptying online currency wallets through purchases and transfers. Ortiz's intent is clear, but how exactly did he pull this off, and, better yet, how did he get caught?

It seems that the events leading up to Ortiz's arrest were sparked by a reputable investor coming forward with a complaint about his SIM being hijacked that was loud enough for law enforcement to look into the matter.

According to Motherboard's account of the court documents, Ortiz hacked the investor numerous times over a couple of months. First he changed the investor's email and crypto wallet account passwords, which gave him access to the blockchain investor's finances. Then he enrolled his own second factor through the Google Authenticator application. This second step was the most important, as it ensured that the account could not be recovered by regular means.

Ortiz went beyond what the theft required and sent inappropriate text messages to the investor's wife and daughter. This is where law enforcement approached the carrier AT&T, demanding transcripts and traces of these messages. The search on the hijacked number showed that it was being used on two separate Samsung Android phones that the investor did not own. These devices were identifiable by their IMEI numbers, and Google was served a search warrant to track them down.

Screenshot of the retrieved conversation between Ortiz and the investor's daughter, from the court documents. Image: Motherboard

Google returned to law enforcement a set of email accounts linked to the given IMEI numbers. Looking further into the communications on these accounts produced evidence of criminal activity that warranted a deeper investigation. Through these emails, Ortiz was linked to many phishing scams, to uploaded material on exploiting security vulnerabilities, and to specific information on SIM swapping.

Unbeknownst to him, Ortiz had an email in his Google account containing a photo of himself holding his ID card, which made the rest of the search and arrest much easier. First, warrants were issued to seize all the cryptocurrency accounts he was using for his transactions. Over a million US dollars were found in them, of which a quarter has been recovered by police; it was difficult to know where the rest was stored in order to recover it too.

Image: The Mercury News

After hijacking over 40 cellphone numbers, some of them several times, and stealing over 5 million US dollars' worth of cryptocurrency, Ortiz was sitting at Los Angeles International Airport waiting for a flight to Europe and flashing a Gucci bag well beyond a student's budget. Law enforcement swooped in before he could board the plane and arrested the 20-year-old. Ortiz was charged with 28 offences, including 13 counts of identity theft, 13 of hacking and 2 of grand theft. After a handful of court dates, Ortiz agreed to a plea deal carrying 10 years of prison time, but the official decision on his case will be announced by the judge on the 14th of March.

The co-conspirators in this crime, who reportedly number quite a few, have not been named in the court documents released to Motherboard, but it's a good guess that they will be found and arrested in connection with it as well.

Crypto mining exploits have become common. Devious and cunning malware is everywhere. But this is something unusual. According to Engadget, Ortiz will be the first person sentenced to prison for a SIM swapping and hijacking theft offence, but unfortunately he may not be the last. Authorities believe, though, that this will send a clear message to other criminals arrested for the same kind of offence, to those not caught yet, and to anyone considering such a damaging attack.

SIM swapping remained an overlooked and relatively unknown theft offence for years, but it has recently gained momentum. Phone companies and call centres have taken notice of the threat and are rolling out better training to handle these situations. The first step of such an attack requires the phone number to be moved to another device, which in turn requires some form of user verification and confirmation that the phone was lost and a recovery transfer is needed. Service provider staff are being trained to identify fraudulent requests and to insist on thorough identification and confirmation before a phone connection is handed to another device.

Mobile service providers may also look into providing SIM tracking services through which a reportedly missing but still active SIM can be traced. In addition, social media platforms and other account providers are looking into strengthening their two-factor authentication after numerous reports of phone number hijacking and authentication bypasses. Instagram in particular has faced several such hijackings and is keen to come up with a solution to the problem.
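As an added example (not code from the article, nor from any carrier or platform it mentions), the check below sketches the kind of defensive logic the attack description and the last two paragraphs point to: a password-reset flow that stops trusting an SMS one-time code when the carrier reports that the number's SIM was recently moved to a new device, and demands a stronger factor instead. The SIM-change feed, phone numbers, IMEIs and field names are constructed assumptions.

```python
# Added example, not code from the article: a reset-flow policy that refuses an
# SMS one-time code when the phone number's SIM was recently moved to a new
# device. All feed entries, numbers, IMEIs and field names are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SimChangeEvent:
    msisdn: str            # phone number the carrier reassigned
    changed_at: datetime   # when the number was moved to a new SIM/device
    new_imei: str          # device identifier the number now lives on

@dataclass
class ResetRequest:
    account: str
    msisdn: str            # number the account uses for SMS codes
    requested_at: datetime
    factor: str            # "sms_otp", "totp_app" or "recovery_key"

# Constructed carrier feed: one entry per SIM replacement / transfer.
SIM_CHANGES = [
    SimChangeEvent("+15550001111", datetime(2019, 2, 1, 9, 15), "356938035643809"),
    SimChangeEvent("+15550002222", datetime(2018, 11, 3, 14, 0), "490154203237518"),
]

SIM_CHANGE_COOLDOWN = timedelta(hours=72)      # distrust SMS for 3 days after a swap
STRONG_FACTORS = {"totp_app", "recovery_key"}  # factors not tied to the phone number

def recent_sim_change(msisdn, at, events=SIM_CHANGES, window=SIM_CHANGE_COOLDOWN):
    """Latest SIM change for msisdn within `window` before `at`, or None."""
    hits = [e for e in events
            if e.msisdn == msisdn and at - window <= e.changed_at <= at]
    return max(hits, key=lambda e: e.changed_at) if hits else None

def evaluate_reset(req, events=SIM_CHANGES):
    """Return ("allow" | "step_up", reason) for a password-reset request."""
    if req.factor in STRONG_FACTORS:
        return "allow", "factor is not tied to the phone number"
    change = recent_sim_change(req.msisdn, req.requested_at, events)
    if change is None:
        return "allow", "no SIM change inside the cooldown window"
    age = req.requested_at - change.changed_at
    return "step_up", (f"number moved to IMEI {change.new_imei} {age} ago; "
                       "SMS code rejected, require an authenticator app or recovery key")

def check_reset(account, msisdn, iso_time, factor, events=SIM_CHANGES):
    """Convenience wrapper taking plain strings; returns only the decision."""
    req = ResetRequest(account, msisdn, datetime.fromisoformat(iso_time), factor)
    return evaluate_reset(req, events)[0]
```

In a real deployment the SIM-change feed would come from the carrier (several offer a SIM-swap date lookup), and the same signal can drive alerting when a reset via SMS follows a swap within the window.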
