AT&T is rolling out a protection that prevents unauthorized changes to mobile accounts as the carrier attempts to fight a costly form of account hijacking that occurs when a scammer swaps out the SIM card belonging to the account holder.
The technique, known as SIM swapping or port-out fraud, has been a scourge that has vexed wireless carriers and their millions of subscribers for years. An indictment filed last year by federal prosecutors alleged that a single SIM swap scheme netted $400 million in cryptocurrency. The stolen funds belonged to dozens of victims who had used their phones for two-factor authentication to cryptocurrency wallets.
Wireless Account Lock debut
A separate scam from 2022 gave unauthorized access to a T-Mobile management platform that subscription resellers, known as mobile virtual network operators, use to provision services to their customers. The threat actor gained access using a SIM swap of a T-Mobile employee, a phishing attack on another T-Mobile employee, and at least one compromise of an unknown origin.
This class of attack has existed for well over a decade, and it became more commonplace amid the irrational exuberance that drove up the price of bitcoin and other cryptocurrencies. In some cases, scammers impersonate existing account holders who want a new phone number for their account. At other times, they simply bribe the carrier’s employees to make unauthorized changes.
Prosecutors said that Eric Council Jr., 25, of Athens, Alabama, was part of a criminal group that aimed to profit by publicizing the fake decision to drive a spike in the value of bitcoin and then sell large amounts of the currency they had acquired at a much lower price. Council’s alleged role in the conspiracy was to take control of the phone number that received the text messages containing two-factor authentication codes for the SEC account.
Anatomy of a SIM swap
The indictment, filed in US District Court for the District of Columbia, lays out, step by step, how the alleged SIM swap worked:
12. COUNCIL, and others, executed a SIM swap of the cellular telephone account associated with victim C.L., among others, in order to obtain things of value.
a. On or about January 9, 2024, a co-conspirator identified victim C.L. as having authorized access over the telephone number linked to the SECGov X account.
b. On or about January 9, 2024, COUNCIL received instruction from a coconspirator to perform a SIM swap of victim C.L.’s cellular telephone account, which was maintained by AT&T.
c. On or about January 9, 2024, COUNCIL traveled to an AT&T store in Huntsville, Alabama and presented an identification card in C.L.’s name. COUNCIL claimed to be an FBI employee who broke his phone and needed a new SIM card, and thereby obtained a new SIM card tied to C.L.’s account (the “C.L. SIM card”).
d. On or about January 9, 2024, after obtaining the C.L. SIM card, COUNCIL walked to a Huntsville Apple store and purchased a new iPhone for the purpose of effectuating the SIM swap. COUNCIL then inserted the C.L. SIM card into this iPhone in order to receive two-factor security reset codes associated with the @SECGov X account.
e. On or about January 9, 2024, COUNCIL received the “X confirmation code” to reset the @SECGov X account and promptly transmitted this code to a co-conspirator.
f. On or about January 9, 2024, a co-conspirator used this fraudulently obtained security code to gain access to the @SECGov X account.
g. On or about January 9, 2024, a co-conspirator, using such access, issued a fraudulent tweet on the @SECGov X account in the name of the SEC Chairman, falsely announcing the approval by the SEC of BTC ETFs.
h. On or about January 9, 2024, after receiving the reset codes, COUNCIL drove to Birmingham, Alabama to return the iPhone for cash.
After the SIM swap was performed, prosecutors said, Council then performed Internet searches that incriminated him in the fraud conspiracy. The searches included: “SECGOV hack,” “telegram sim swap,” “how can I know for sure if I am being investigated by the FBI,” and “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them.”
The US may have uncovered the nation’s largest “SIM swap” scheme yet, charging a Chicago man and co-conspirators with allegedly stealing $400 million in cryptocurrency by targeting over 50 victims in more than a dozen states, including one company.
A recent indictment alleged that Robert Powell—using online monikers “R,” “R$,” and “ElSwapo1”—was the “head of a SIM swapping group” called the “Powell SIM Swapping Crew.” He allegedly conspired with Indiana man Carter Rohn (aka “Carti” and “Punslayer”) and Colorado woman Emily Hernandez (allegedly aka “Em”) to gain access to victims’ devices and “carry out fraudulent SIM swap attacks” between March 2021 and April 2023.
SIM-swap attacks occur when someone fraudulently induces a wireless carrier to “reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor,” the indictment said. Once the swap occurs, the bad actor can defeat multi-factor authentication protections and access online accounts to steal data or money.
Powell’s accused crew allegedly used identification card printers to forge documents, then posed as victims visiting Apple, AT&T, Verizon, and T-Mobile retail stores in Minnesota, Illinois, Indiana, Utah, Nebraska, Colorado, Florida, Maryland, Massachusetts, Texas, New Mexico, Tennessee, Virginia, and the District of Columbia.
According to the indictment, many of the alleged victims did not suffer financial losses, but those that did were allegedly hit hard. The hardest hit appears to be an employee of a company whose AT&T device was allegedly commandeered at a Texas retail store, resulting in over $400 million being allegedly transferred from the employee’s company to co-conspirators’ financial accounts. Other individual victims allegedly lost cryptocurrency valued between $15,000 and more than $1 million.
Co-conspirators are accused of masking stolen funds, sometimes by allegedly hiding transfers in unhosted or self-hosted virtual currency wallets. If convicted, all stolen funds must be forfeited, the indictment said.
Powell has been charged with conspiracy to commit wire fraud and conspiracy to commit aggravated identity theft and access device fraud, Special Agent Brent Bledsoe said in the indictment. This Friday, Powell faces a detention hearing, where he has been ordered by the US Marshals Service to appear in person.
Powell’s attorney, Gal Pissetzky, told Ars that Powell has no comment on the indictment at this time.
SIM swaps escalating in US?
When Powell’s alleged scheme began in 2021, the FBI issued a warning, noting that criminals were increasingly using SIM-swap attacks, fueling total losses that year of $68 million.
Since then, US law enforcement has made several arrests, but none of the uncovered schemes come close to the alleged losses from the thefts Powell’s crew are being accused of.
In 2022, a Florida man, Nicholas Truglia, was sentenced to 18 months for stealing more than $20 million from a single victim. On top of forfeiting the stolen funds, Truglia was also ordered to forfeit more than $900,000 as a criminal penalty. According to security blogger Brian Krebs, Truglia was connected to a group that allegedly stole $100 million using SIM-swap attacks.
Last year, there were a few notable arrests. In October, the Department of Justice sentenced a hacker, Jordan Dave Persad, to 30 months for stealing nearly $1 million from “dozens of victims.” And in December, four Florida men received sentences between eight and 27 months for stealing more than $509,475 in SIM-swap attacks.
Ars could not find any FBI warnings since 2021 raising awareness that losses from SIM-swap attacks may be further increasing to amounts as eye-popping as the alleged losses in Powell’s case.
A DOJ official was unable to confirm if this is the biggest SIM-swapping scheme alleged in the US, directing Ars to another office. Ars will update this report with any new information the DOJ provides.
US officials seem aware that some bad actors attempting SIM-swap attacks appear to be getting bolder. Earlier this year, the Securities and Exchange Commission was targeted in an attack that commandeered the agency’s account on X, formerly known as Twitter. That attack led to a misleading X post falsely announcing the approval of bitcoin exchange-traded funds, causing a brief spike in bitcoin’s price.
To protect consumers from SIM-swap attacks, the Federal Communications Commission announced new rules last year to “require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts and take additional steps to protect customers from SIM swap and port-out fraud.” But an Ars review found these new rules may be too vague to be effective.
In 2021, when European authorities busted a SIM-swapping ring allegedly targeting high-profile individuals worldwide, Europol advised consumers to avoid becoming targets. Tips included using multifactor authentication, resisting associating sensitive accounts with mobile phone numbers, keeping devices updated, avoiding replying to suspicious emails or callers requesting sensitive information, and limiting personal data shared online. Consumers can also request the highest security settings possible from mobile carriers and are encouraged to always use stronger, longer security PINs or passwords to protect devices.
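The controls described across this article, a customer-set account lock, secure authentication before a number is moved to a new SIM, and an immediate notification on every SIM-change request, can be pictured as one carrier-side policy check. The following is an added illustration written for this page, not code from AT&T, the FCC or any carrier; the method names, channel labels, cooldown period and event records are assumptions chosen to show how a request like the in-store one quoted from the indictment (a photo ID and a story about a broken phone) is refused, while a properly authenticated request succeeds and still leaves a notification trail.

```python
"""Toy model of a carrier-side SIM-change authorization flow.

Constructed illustration for this article; it is not any carrier's real
code or API.  Method names, channel labels and the cooldown are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Authentication methods the hypothetical policy treats as "secure" for a
# SIM change: each pairs something the customer knows (account PIN) with a
# second factor.  A photo ID on its own is deliberately NOT on this list;
# the indictment quoted above describes exactly that path being abused.
SECURE_METHODS = {
    "account_pin+app_push",
    "account_pin+in_store_id",
}

# Assumed minimum spacing between SIM changes before a request is escalated.
SIM_CHANGE_COOLDOWN = timedelta(days=7)


@dataclass
class Account:
    number: str
    account_lock: bool = False                        # customer-set lock toggle
    sim_changes: list = field(default_factory=list)   # datetimes of past changes
    notifications: list = field(default_factory=list)


@dataclass
class SimChangeRequest:
    account: Account
    channel: str          # "retail", "phone", "online" (assumed labels)
    auth_method: str
    requested_at: datetime


def notify(account, message):
    """Record a customer notification (in practice: SMS to the OLD SIM, e-mail, app push)."""
    account.notifications.append(message)


def authorize_sim_change(req):
    """Decide a SIM-change request; returns (decision, reason).

    decision is "allow", "deny" or "review".  Every request, whatever the
    outcome, produces a notification, which is what lets a legitimate
    subscriber notice an attempt they did not make.
    """
    acct = req.account
    notify(acct, f"SIM change requested via {req.channel} at {req.requested_at:%Y-%m-%d %H:%M}")

    # 1. Account lock: nothing else is evaluated; the customer must lift the
    #    lock from an already-authenticated session first.
    if acct.account_lock:
        return "deny", "account lock enabled"

    # 2. Authentication strength: identity documents alone are insufficient.
    if req.auth_method not in SECURE_METHODS:
        return "deny", f"method '{req.auth_method}' is not an approved secure method"

    # 3. Velocity: a second change shortly after the first is a fraud signal
    #    and goes to a human reviewer instead of being auto-approved.
    if acct.sim_changes and req.requested_at - acct.sim_changes[-1] < SIM_CHANGE_COOLDOWN:
        return "review", "repeat SIM change inside cooldown window"

    acct.sim_changes.append(req.requested_at)
    notify(acct, "SIM change completed")
    return "allow", "secure authentication satisfied"


def demo():
    """Run four constructed requests through the policy.

    Returns a dict with the list of (decision, reason) tuples and the two
    constructed accounts so their notification logs can be inspected.
    """
    when = datetime(2024, 1, 9, 14, 0)                # constructed timestamp
    locked = Account("555-0100", account_lock=True)   # constructed account
    unlocked = Account("555-0101")                    # constructed account
    results = [
        authorize_sim_change(SimChangeRequest(locked, "retail", "account_pin+in_store_id", when)),
        authorize_sim_change(SimChangeRequest(unlocked, "retail", "photo_id_only", when)),
        authorize_sim_change(SimChangeRequest(unlocked, "online", "account_pin+app_push", when)),
        authorize_sim_change(SimChangeRequest(unlocked, "phone", "account_pin+app_push",
                                              when + timedelta(hours=2))),
    ]
    return {"results": results, "locked": locked, "unlocked": unlocked}


if __name__ == "__main__":
    out = demo()
    for decision, reason in out["results"]:
        print(decision, "-", reason)
    for acct in (out["locked"], out["unlocked"]):
        print(acct.number, "notifications:", acct.notifications)
```

The ordering of the checks matters: the lock is evaluated before any credential, so a locked account cannot be talked open at a counter regardless of what documents are shown, and the notification is written before the decision, so a denied attempt still reaches the real subscriber. Consumers following the Europol advice above would pair this with moving sensitive accounts off SMS-based second factors, since the carrier-side check only limits how the number can be moved, not what an attacker can do once it has been.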