A hacker has revealed how he stole half a million dollars of cryptocurrency with one surprisingly simple trick.
A hacker calling himself ‘Daniel’ told cryptocurrency news site Trijo that he utilises a “SIM swap scam” to get around two-factor authentication.
The scam works like this: the hacker rings up your telecommunications company and claims to have lost the victim's SIM card.
They then request that the victim's phone number be redirected to a phone they control.
The practice enables them to take over a victim’s cryptocurrency accounts by intercepting two-factor authentication texts or stealing passwords stored in email accounts.
Millions stolen each year
Tens of millions of dollars in cryptocurrency is stolen using SIM swap scams each year.
Although telecommunications companies have protocols in place to stop this happening, Daniel reveals they are easily circumvented.
“There are always ways to convince. For example, that you call and pretend to work at Tele2 (a Swedish telecom company) and ask them to help you forward a number”, he explains. “It does not take many calls before you have learned to pretend”.
Once the number has been redirected, the hacker can also use the ‘Forgot your password’ option in Gmail or Outlook.
It is now possible to get a verification code via a voice call to your phone – a feature designed to assist visually impaired people.
Daniel reveals many people keep copies of their private encryption keys in their email accounts, allowing him to log into their wallets and take their cryptocurrency.
He’s also uncovered crypto exchange passwords that allow him to log in to exchanges to transfer crypto assets to his own wallet.
‘It’s your own fault’
Like many thieves, he justifies his actions to himself by blaming the victims for not using better security practices.
“Well, you don’t feel anything. You never meet the person plus everything is anonymous so you can’t get guilty feelings for it”, says Daniel.
Hijacking phone numbers to steal cryptocurrency is an increasing problem.
In Michigan earlier this month, nine people were charged in an alleged conspiracy to hijack SIM cards to steal around $2.4 million worth of crypto.
The hacking ring was spread across the US and Ireland and called itself ‘The Community’.
Three mobile phone company operators were also charged with accepting bribes as part of the legal action.
Man jailed for stealing $5 million
And earlier this year a 20-year-old Californian man called Joel Ortiz became the first person jailed for SIM hijacking. He pleaded guilty to stealing more than $5 million from 40 people by hijacking their SIM cards to steal sensitive data.
Last year US entrepreneur and cryptocurrency investor Michael Terpin sued AT&T for negligence, seeking $200 million in punitive damages, for allowing hackers to hijack his account and steal $23.8 million worth of cryptocurrency.
His complaint read in part: “What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.”
Last week the California Superior Court ordered 21-year-old scammer Nicholas Truglia to pay Terpin $75.8 million in compensatory and punitive damages.
Fighting back against SIM crime
Another of Truglia’s victims was tech entrepreneur Robert Ross, who lost $1 million in the scam. In January this year, he teamed up with several other victims to launch a site called ‘Stop SIM crime’ to raise awareness of the phenomenon.
“This is a major problem that’s growing fast,” Ross said. “I really believe this is being enabled by the carriers.”
Fortunately, SIM swapping scams are relatively easy to protect against.
Never use a mobile phone number for two-factor authentication – use an authenticator app such as Google Authenticator or Authy instead.
And always store your cryptocurrency off exchanges using a hardware wallet such as a Ledger or Trezor.
You can now also insure your cryptocurrency against hacks.