Friday, February 12, 2021

Phone Company Insiders Helped Global Sim-Swapping Gang Steal Millions in Cryptocurrency

This week law enforcement agencies around the world issued press releases about the arrest of SIM swapping criminals.  The UK's National Crime Agency says "eight men have been arrested in England and Scotland as part of an investigation into a series of SIM swapping attacks, in which criminals illegally gained access to the phones of high-profile victims in the US."  They say these attacks targeted "numerous victims throughout 2020, including well-known influencers, sports stars, musicians, and their families."  The NCA credits the US Secret Service, Homeland Security Investigations, the FBI, and the Santa Clara, California District Attorney's Office for helping to uncover the network.

Paul Creffield, head of operations in the NCA's National Cyber Crime Unit, and Assistant Director Michael D'Ambrosio were quoted in the NCA's press release, "Brits arrested for sim swapping attacks on US celebs," on February 9th.  The @NCA_UK Twitter thread added the detail that the men were between the ages of 18 and 26.

https://twitter.com/NCA_UK/status/1359232883118981133


Meanwhile, a 10FEB2021 press release from Europol proclaimed "Ten hackers arrested for string of sim-swapping attacks against celebrities."  Europol's release says that eight criminals were arrested on 09FEB2021 (presumably those in the UK), with earlier arrests in Malta and Belgium of two more members "belonging to the same criminal network."

A SIM, or Subscriber Identity Module, is the small chip inside a phone that ties the phone to a particular account at a particular mobile provider.  If the provider believes you have a new phone, an employee tells the provisioning system that a new SIM number should be linked to your account.  They don't need to know what model of phone it is, or where in the world it is.  Once your account says your phone number is assigned to the new SIM, your old phone stops ringing and the new one starts.

The group used SIM swapping to intercept SMS messages intended for the true owner of the phone number and route them to a phone controlled by the criminals.  That let them request password resets on many apps, which commonly confirm that the request comes from the right user by sending a "Two Factor Authentication" code in an SMS message.  Some cryptocurrency exchanges use a somewhat stronger method, requiring confirmation both by SMS to the phone and by email.  Unfortunately, if the criminals have SIM-swapped the phone, they may already have used it to take over the victim's email account too, since email account recovery is often tied to the same phone number.

Europol correctly describes the primary method of SIM-swapping when they say in the press release above, "This is typically achieved by the criminals exploiting phone service providers to do the swap on their behalf, either via a corrupt insider or using social engineering techniques."

How do Phone Company Insiders enable these scams? In a case that was curiously released to the public simultaneously with those above, we get a US-based example.

The simultaneous announcement by the FBI of charges against a Verizon customer service employee, Stephen DeFiore of Brandon, Florida, is curiously timed, given that the charges thus far are based on crimes from 2018.  According to his LinkedIn profile, he worked from 2014 to 2017 as a Verizon Customer Service Rep in Rochester, New York, and afterwards in Brandon, Florida.



On February 8, 2021, the US Attorney in the Eastern District of Louisiana announced charges against Stephen Daniel Defiore "for his role in a SIM Swap scam that targeted at least nineteen people, including a New Orleans-area physician."  It goes on to say "From August 2017 until November 2018, DEFIORE worked as a sales representative for Phone Company A. In that capacity, DEFIORE had access to the accounts of Phone Company A's customers, including the ability to switch the subscriber identification module (SIM) card linked to a customer's phone number to a different phone number.  Between October 20, 2018 and November 9, 2018, DEFIORE accepted multiple bribes, typically in the amount of approximately $500 per day, to perform SIM swaps of Phone Company A customers identified by a co-conspirator."

DEFIORE would receive a message telling him a customer's phone number, their four-digit PIN, and a SIM card number to which the phone number was to be swapped.  Defiore received his payments via CashApp to his account: $Beefy123.  H

The New Orleans doctor lost control of his Binance, Bittrex, Coinbase, Gemini, Poloniex, ItBit, and Neo Wallet accounts.  In this case, Defiore swapped the doctor's phone number to a SIM card that was actually in an Apple iPhone 8 with the IMEI (International Mobile Equipment Identity) number 356703087816582, which was in the possession of Richard Li.

His co-conspirator in the US, Richard Li, was actually charged by the Department of Justice on 09JUN2020.  Li is the reason the UK case mentions California rather than Louisiana or Florida.  Richard Yuan Li was a 20-year-old college student in San Diego, California, living in a dorm room in Argo Hall on the campus of UCSD (the University of California San Diego).  He registered the cell phone that received the swapped SIM using his own "me.com" email address, which began with "ryli" (Richard Yuan Li).

According to the charges against Li, he participated in at least 28 SIM swaps between 11OCT2018 and 06DEC2018.  In the case of the Louisiana doctor, even after the doctor regained control of his cell phone number, Li contacted him claiming to have accessed nude photos in the doctor's Gmail account, which was also linked to the phone, and demanded 100 Bitcoin or he would release the photos.
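The Defiore and Li cases illustrate two patterns that a carrier's own audit trail exposes: one representative performing far more SIM changes than normal, for cash, and one handset ending up with SIMs for many different subscribers.  The Python below is an added example written for this post, not code from the original article or from any carrier's systems.  It runs both checks over a constructed audit log; the field layout, employee IDs, phone numbers, ICCIDs, IMEIs and the per-day threshold are all assumptions made for the example.

```python
"""Insider SIM-swap detection over a constructed carrier audit log.

Added example; not code from the original post or from any carrier.
Assumed (hypothetical) record layout: one row per SIM change, giving the
time, the employee who made it, the subscriber number, the new SIM's
ICCID, and the IMEI of the handset the new SIM later attached from.
A real system would join the swap record to the network-attach record
to get that IMEI; here it is already joined.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: every value below is made up for this example.
# Fields: timestamp, employee_id, msisdn, new_iccid, imei
SAMPLE_LOG = [
    ("2018-10-20T09:12:00", "rep_03", "+15045550001", "8901410000000000001", "351234000000001"),
    ("2018-10-20T14:40:00", "rep_03", "+15045550002", "8901410000000000002", "351234000000002"),
    ("2018-10-20T10:02:00", "rep_17", "+15045550101", "8901410000000000101", "356703000000099"),
    ("2018-10-20T10:09:00", "rep_17", "+16195550102", "8901410000000000102", "356703000000099"),
    ("2018-10-20T10:15:00", "rep_17", "+12125550103", "8901410000000000103", "356703000000099"),
    ("2018-10-20T11:30:00", "rep_17", "+13105550104", "8901410000000000104", "351234000000050"),
    ("2018-10-20T16:45:00", "rep_17", "+17135550105", "8901410000000000105", "356703000000099"),
    ("2018-10-21T09:05:00", "rep_17", "+14155550106", "8901410000000000106", "356703000000099"),
    ("2018-10-21T09:20:00", "rep_17", "+15045550107", "8901410000000000107", "351234000000051"),
]


def parse_log(records):
    """Turn raw tuples into dicts with a parsed datetime."""
    events = []
    for ts, emp, msisdn, iccid, imei in records:
        events.append({
            "time": datetime.fromisoformat(ts),
            "employee": emp,
            "msisdn": msisdn,
            "iccid": iccid,
            "imei": imei,
        })
    return events


def flag_high_volume_employees(events, max_per_day=3):
    """Employees whose SIM-swap count on any single day exceeds max_per_day.

    max_per_day is an assumed tuning knob; in practice the baseline comes
    from the store's own history of legitimate lost- or upgraded-phone swaps.
    Returns {employee: {iso_date: count}} for the offending days only.
    """
    per_day = Counter((e["employee"], e["time"].date()) for e in events)
    flagged = defaultdict(dict)
    for (emp, day), n in per_day.items():
        if n > max_per_day:
            flagged[emp][day.isoformat()] = n
    return dict(flagged)


def flag_shared_destination_devices(events, min_subscribers=2):
    """Handsets (by IMEI) that received SIMs for several different subscribers.

    One phone legitimately carries one person's number.  A device that
    collects several strangers' numbers is the pattern in the Li case,
    where a single iPhone 8 received the swapped SIM.
    Returns {imei: sorted list of msisdns}.
    """
    by_imei = defaultdict(set)
    for e in events:
        by_imei[e["imei"]].add(e["msisdn"])
    return {imei: sorted(nums)
            for imei, nums in by_imei.items() if len(nums) >= min_subscribers}


def run_detection(records, max_per_day=3, min_subscribers=2):
    """Run both checks and return the findings as one dict."""
    events = parse_log(records)
    return {
        "high_volume_employees": flag_high_volume_employees(events, max_per_day),
        "shared_destination_devices": flag_shared_destination_devices(events, min_subscribers),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_detection(SAMPLE_LOG), indent=2))
```

On the sample data the first check flags rep_17 for five swaps on 2018-10-20, and the second flags IMEI 356703000000099 for holding five different subscribers' numbers.  Either signal alone is worth a review; the two together, for the same employee, is what the bribed-insider cases above look like from the carrier's side.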

My favorite photo of the US SIM swapper.  (Sorry, couldn't resist!)  Master criminal?  Or a dumb kid who happened to work at a phone store and couldn't resist the temptation of $500 per day?  You decide.


This case would not be the first linking overseas criminals with US phone company employees.  In 2019, a hacking group calling itself "The Community" paid bribes to three phone company employees, Jarratt White and Robert Jack, both 22-year-olds working at phone stores in Tucson, Arizona, and Fendley Joseph, a 28-year-old in Murrietta, California, to carry out SIM swaps for the group.  Ireland-based hacker Conor Freeman, aged 20, was charged in that case for seven SIM swaps that led to the theft of $2,416,352 worth of cryptocurrency.  It is unknown at this time whether the current cases are further work of "The Community" or its former members.

The Community wasn't a place online, just the name of the group.  Most of its members were participants on the OG Users forum.  Jarratt White, who worked at an AT&T store, used the handle ".O." on Telegram and received payments via LocalBitcoins and PayPal, where his email "jarrattw@gmail.com" was linked.  AT&T confirmed that White had performed 29 unauthorized SIM swaps.  Robert Jack, also an AT&T contractor working in their Tucson store, performed 12 SIM swaps.  Fendley Joseph worked at a Verizon store in Murrietta and also communicated with The Community members via Telegram; he was identified by the PayPal account (fendleyvzw@gmail.com) where he received $3,500 in bribes.

Ireland's Conor Freeman was ultimately not extradited to the US, although he was arrested by the Garda at his home in Glenageary Court, Dun Laoghaire in May 2019, based on the US charges.  The refusal to extradite was another example of US Attorneys' boasts about maximum sentences backfiring.  They often make public statements at the time of arrest such as "if the maximum sentence is given, they will face 108 years in prison!"  Then, when the actual sentence is handed down, the defendant gets six years.  Or two.  The threat, however, is enough for European courts to see a cruel and unusual punishment and to argue that sentencing a SIM swapper to a longer term than a rapist or murderer is ludicrous.




