When you sign up for an account, be it with Google, Twitter, or even some crypto asset exchanges, the service provider often prompts you to enter your personal phone number as a way to add an extra layer of security.
Although this medium of account protection works for most, hackers have begun to find ways to exploit this measure. And interestingly, due to the state of the cryptocurrency market and how its infrastructure works, these bad actors have begun to specifically target Bitcoin/digital asset holders.
What Is SIM Swapping?
According to a recent report from technology and cybersecurity publication ZDNet, over ten members of the cryptocurrency and blockchain community have been hit by SIM swapping attempts over recent weeks (SIM referring to the SIM card that handhelds use to connect to networks).
Firstly, for those unaware, SIM swapping (jacking) is a form of attack during which an actor uses social engineering tactics — namely ringing up AT&T and other telecom companies under a false identity and malicious premises — to switch the victim’s phone number to their own device. In doing this, the attacker can use the phone number of their victims to hijack accounts or access pertinent bits of information meant to be under lock and key.
U.S. Crypto Users Under Attack
Most of the time, hackers steer clear of anything to do with the regulated financial system, as suspicious transactions can be flagged and traced by authorities. But with digital assets, especially a privacy-enabling digital coin like Monero, and their respective exchanges, hackers can withdraw cryptocurrencies from a hacked account at much less risk than withdrawing hacked PayPal funds to a U.S.-based bank account, for instance.
In a matter of a few hours, an attacker can take over one’s phone number, access a victim’s email account, forcefully break into cryptocurrency exchange accounts, withdraw Bitcoin or what have you into their own addresses, and then blend the coins for privacy.
The large attack surface provided by how telecom operators, email accounts, and digital asset exchanges work today has resulted in there being a massive SIM swapping target on the back of cryptocurrency’s biggest names.
Alternatively, this attack method can be used to break into social accounts, like one’s Twitter or Telegram, which are where deals happen, key tidbits of information are exchanged, and personal conversations take place. Attackers have surely taken note.
Three weeks back, Sean Coonce, part of BitGo’s engineering team, was SIM swapped. In the attack, he lost over $100,000 worth of crypto assets and fiat holdings from his personal Coinbase account. And in the days that followed, other workers and influencers in the crypto industry made similar reports.
Although most didn’t report the loss of their holdings, Ethereum proponent Chris Robison, ConsenSys alumnus Ameen Soleimani, MolochDAO team member Cassandra Shi, and many others reported that they temporarily lost access to their texts and calls for no apparent reason.
My personal identity was hacked last week. The attacker was able to steal $100k+ in a sweep of my Coinbase account. I'm equal parts embarrassed, hurt, and deeply remorseful.
In an effort to raise awareness about the attack, I wrote about it here: https://t.co/ZnbB0AN6Gd
— Sean Coonce (@cooncesean) May 20, 2019
While the frequency of these attacks has slowed for the time being, it is important to note that all users attacked in this recent spree were based in the United States and were clients of T-Mobile and the Bitcoin-friendly AT&T (funny, huh). It is unclear whether this SIM jacking trend has coincided with the recovery in the Bitcoin price, which is up by almost 100% in the past two months.
Don’t Worry All Too Much
Despite these recent attacks, SIM swappers often don’t get away with their crimes, or at least not for long. Earlier this month, the U.S. Department of Justice (DoJ) managed to arrest and charge nine individuals — a SIM jacker group that called themselves “The Community” — for conspiracy to commit wire fraud, wire fraud, and aggravated identity theft.
Surprise, surprise, the nine were participating in SIM swapping, which allowed them to steal over $2.4 million worth of cryptocurrency across a purported seven attacks. Lone attackers, including a man who stole $5 million worth of cryptocurrency, have also been caught.