A teenager hailing from the Hamilton, Ontario area of Canada has been arrested for allegedly taking part in a SIM swapping incident that stole as much as $46 million in crypto funds. The victim, who is unnamed at the time of writing, is situated in the United States.
SIM Swapping Is a Big Problem
The arrest occurred following a joint investigation led by the United States Secret Service Electronic Crimes Task Force and the Federal Bureau of Investigation (FBI), which began in March of 2020. Hamilton law enforcement issued the following statement on the situation:
The victim had been targeted by a SIM swap attack, a method of hijacking valuable accounts by manipulating cellular network employees to duplicate phone numbers so threat actors can intercept two-factor authorization requests. As a result of the SIM swap attack, approximately $46 million CAD worth of cryptocurrency was stolen from the victim. This is currently the biggest cryptocurrency theft reported from one person.
SIM swapping is a very dangerous and common method of attack amongst crypto hackers. Typically, it involves gaining control of one’s cell phone SIM card. This is done in one of two ways. The hacker will usually research the victim enough that they are able to garner sensitive or private information about them (such as their birthdate and social security number). They can then call their cell phone provider and ask for a phone transfer, typically to a device in the hacker’s possession.
When they present all the private information they have about the person, the employee at the phone company becomes convinced they are talking to the real individual. They then engage in the transfer and unknowingly put more power in the hacker’s hands.
The other way is much simpler, and typically involves providing the employee with a small bribe of sorts to complete the phone transfer. Either way, SIM swapping has been around for some time, and it doesn’t seem to be disappearing anytime soon.
Hamilton police say the hacker is now in custody after being charged with stealing funds exceeding $5,000. As the perpetrator is still a minor, the person is not being named under the Youth Criminal Justice Act.
Finding the Person Responsible
Law enforcement also says that it was a gaming username that led to the person’s capture. Their statement mentions:
The joint investigation revealed that some of the stolen cryptocurrency was used to purchase an online username that was considered rare in the gaming community. This transaction led investigators to uncover the account holder of the rare username.
At press time, more than $7 million of the stolen funds have been recovered. The matter will now be in the court’s hands, and it will be up to the judge to decide how the rest of the recovery process will take place.