Skip to content
Naked Security Naked Security

SIM swapper sent to prison for 2FA cryptocurrency heist of over $20m

Guilty party got 18 months, also has to pay back $20m he probably hasn't got, which could land him in more hot water.

A Florida man who was part of a cybercrime gang who went after cryptocoin wallets has been sentenced for his part in a cyberheist that allegedly netted the participants more than $20,000,000.

The scammers, including one Nicholas Truglia, 25, got control of various online accounts belonging to the victim by using a trick known in the trade as SIM swapping, also known as number porting.

Migrating your phone number

As you’ll know if ever you’ve lost a phone, or damaged a SIM card, mobile phone numbers aren’t burned into the phone itself, but are programmed into the subscriber identity module (SIM) chip that you insert into your phone (or perhaps, these days, that you install electronically in the form of a so-called eSIM).

So, a crook who can sweet-talk, or bribe, or convince using fake ID, or otherwise browbeat your mobile phone provider into issuing “you” (meaning them) a new SIM card…

…can walk out of the mobile phone shop [a] with your number in their phone, and [b] with your SIM card invalidated and thus unable to connect to the network to receive calls or get online.

Simply put, your phone goes dead, and theirs starts receiving your calls and text messages, notably including any two-factor authentication (2FA) codes that might get sent to your phone as part of a secure login or a password reset.

The SIM-swap problem, namely that the right to reissue replacement SIM cards is vested in too many different people at too many different seniority levels in too many mobile phone companies to control reliably), is why the US public service no longer recommends SMS-based 2FA for general use, and has disapproved it for government staff.

Bring on the cryptocoins

In this case, it seems that someone in the cybergang went after login details for the victim’s accounts, shared them with numerous other participants, and then got Truglia to act as a receiver for cryptocurrency funds drained from the victim.

Truglia then apparently disbursed the stolen funds back out to numerous other cryptocoin wallets owned by the other participants, keeping an unknown cut as his share of the deal.

The US Department of Justice (DOJ) notes that “[the] Scheme Participants stole over $20 million worth of the Victim’s cryptocurrency, with the defendant keeping at least approximately $673,000 worth of the stolen funds.”

Truglia received an 18 month prison term plus three years of supervised release to follow it, forfeited $983,010.72 right away, and has been ordered to pay back a whopping $20,379,007.

Quite how he will do that without the co-operation of the others in the scam, who seem to have divided most of that $20 million between themselves, and what happens if he doesn’t manage to convince them to do so, is not mentioned in the DOJ’s report.

What to do?

  • Limit the amount of cryptocoinage you keep online and directly accessible. So-called cold wallets that can’t be accessed remotely will protect you from password and 2FA-stealing scams where remote criminals access your accounts directly.
  • Consider switching away from SMS-based 2FA if you haven’t already. One-time login codes based on text messages are better than no 2FA at all, but they clearly suffer from the weakness that a scammer who decides to target you can attack your account without attacking you directly, and thus in a way that you yourself can’t reliably defend against.
  • Use a password manager if you can. We don’t know how the criminals acquired the victim’s passwords in this case, but a password manager at least makes it unlikely that you will end up with passwords that an attacker could guess, or figure out easily from public informtion about you, such as your dog’s name or your child’s birthday.
  • Watch out if your phone goes dead unexpectedly. After a SIM swap, your phone won’t show any connection to your mobile provider. If you have friends on the same network who are still online, this suggests that it’s probably you who is offline and not the whole network. Consider contacting your phone company for advice. If you can, visit a phone shop in person, with ID, to find out if your account has been taken over.

1 Comment

The damage caused by these people is horrendous!!!

But I want to focus on how this pandemic of hacking businesses data, where THE BUSINESS is deemed as the criminal by Governments around the world, is totally out of hand!

Data Protection legislation is NEVER EVER going to stop the hackers and so if a business, no matter what size or stature, has put in place the most advanced cyber protection in the world THEY WILL STILL GET HACKED and lose data for which THEY will be punished!!!

Ask any cyber expert and they will tell you that they cannot provide 100% security!!

So WHY are they being punished and it is NOT the fines handed down by the regulators but the impact of social media on a business that will almost certainly close a company down in many cases!!

SO when the Authorities do catch and prosecute these despicable people who then receive a measly few months in prison, and will be out again very soon to enjoy the spoils of their ill gotten gains, one cannot help thinking there is something extremely worrying about the mindset of politicians and judiciary across the world!

The crime lords will almost certainly evade capture but without the highly intelligent front line hackers who instigate and commit the actual crime they would get nowhere!

I am certain that facing a 20yr prison sentence may focus the minds of these hackers to the point where they would back away and refuse to get involved!

I am sure it is not that easy but something really has to be done as the punishment is absolutely NOT fitting the crime at the moment and until it does then it is just going to get worse and worse!!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!