SIM card swapper sent to jail for over $20M 2FA cryptocurrency heist

SIM card swapper sent to jail for over $20M 2FA cryptocurrency heist

A Florida man who was part of a cybercriminal gang that went after cryptocurrency wallets has been convicted for his role in a cyber heist that reportedly netted participants more than $20,000,000.

The crooks, including a 25-year-old Nicholas Truglia, took over various online accounts belonging to the victim using a trick known in the trade as SIM card exchangealso known as number porting.

Migrate your phone number

As you know, if you ever lost a phone or damaged a SIM card, the cell phone numbers are not burned into the phone itself, but are programmed into the subscriber identity module (SIM) that you insert into your phone (or perhaps, these days, install electronically in the form of a so-called for example).

So a scammer who can talk nice, bribe or coax using a fake ID, or bully your cell phone provider into issuing “you” (i.e. them) a new card SIM…

…can get out of the mobile phone store [a] with your number in their phone, and [b] with your SIM card invalidated and therefore unable to connect to the network to receive calls or connect.

Simply put, your phone shuts down and theirs starts receiving your calls and texts, including but not limited to two-factor authentication (2FA) codes that might be sent to your phone under a secure connection. or a password reset.

The SIM-swap problem, that the right to reissue replacement SIM cards is vested in too many different people at too many different seniority levels in too many mobile companies to reliably control), is why the US public service no longer recommends 2FA-based SMS for general use, and has deprecated it for government personnel.

Bring the cryptocurrencies

In this case, it appears that a member of the cybergang tracked down the login credentials for the victim’s accounts, shared them with many other participants, and then instructed Truglia to act as a receiver of crypto-funds. money taken from the victim.

Truglia then apparently returned the stolen funds to numerous other cryptocurrency wallets belonging to the other participants, keeping an unknown part as his part of the deal.

The US Department of Justice (DOJ) notes that “[the] Participants in the scheme stole more than $20 million of the victim’s cryptocurrency, with the defendant retaining at least approximately $673,000 of the stolen funds.

Truglia received an 18-month prison sentence plus three years of supervised release for following her, immediately lost $983,010.72 and was ordered to repay the exorbitant sum of $20,379,007.

Quite how he will do this without the cooperation of the others in the scam, who seem to have split most of that $20 million among themselves, and what happens if he fails to convince them to do so , is not mentioned in the DOJ report.

What to do?

  • Limit the amount of cryptocurrency you keep online and directly accessible. so called cold wallets that are not remotely accessible will protect you from password theft and 2FA scams where remote criminals gain direct access to your accounts.
  • Consider moving away from SMS-based 2FA if you haven’t already. One-time login codes based on text messages are better than no 2FA at all, but they clearly suffer from the weakness that a scammer who decides to target you can attack your account without attacking you directlyand therefore in a way that you cannot reliably defend against.
  • Use a password manager if you can. We don’t know how the criminals acquired the victim’s passwords in this case, but a password manager at least makes it unlikely that you’ll end up with passwords an attacker could guess or easily find. from public information about you, such as your dog’s name or your child’s birthday.
  • Be careful if your phone crashes unexpectedly. After a SIM swap, your phone will show no connection to your mobile carrier. If you have friends on the same network who are always online, that suggests it’s probably you who are offline and not the entire network. Consider contacting your telephone company for advice. If you can, go to a phone shop in person, with ID, to find out if your account has been hacked.

#SIM #card #swapper #jail #20M #2FA #cryptocurrency #heist

Leave a Comment

Your email address will not be published. Required fields are marked *