A person’s mobile phone number is a highly personal, sensitive identifier that is often tied to a range of online accounts. Online service providers use phone numbers as part of authentication and verification procedures and may send multifactor authentication (MFA) codes over text messages. Some service providers allow users who’ve forgotten their password to set a new one via a link sent by text message to their phone. The use of short message service (SMS) for authentication or verification can be risky because phone numbers can be stolen. In a type of attack known as a subscriber identity module (SIM) swap or hijack, a person’s phone number is illegally transferred to another SIM card or to a new SIM. This is typically accomplished by impersonating the victim and tricking a telecommunications company into transferring the number. The cybercrime landscape recently has seen a rise in this sophisticated form of social engineering, which can occur over phone, online or in person. Once in possession of the phone number, the attackers move quickly, attempting to access accounts often within just minutes before the victim reclaims their number.
Stealing cryptocurrency such as bitcoin is a common SIM hijacking objective. Due to the nature of cryptocurrency, transactions are usually irreversible, and large thefts of cryptocurrency have been accomplished with lightning speed and little chance for recovery. This “easy money” has increasingly drawn young individuals into SIM hijacking schemes, and services offering SIM swapping are pervasive across underground forums and Telegram channels. SIM swapping has been used for other aims as well. In January 2024, the U.S. Securities and Exchange Commission (SEC) saw its account on X, formerly known as Twitter, taken over after a successful SIM hijacking. The attackers posted a tweet falsely saying that the agency had approved bitcoin exchange-traded funds (ETFs), a mainstream investment product long desired by the cryptocurrency community.
Telecommunications companies have tried to thwart SIM swapping by increasing identification requirements and adding new security controls around accounts, such as personal identification numbers (PINs) that must be relayed before account changes take place. But despite new defensive measures, SIM hijacking remains a tangible threat. It’s exacerbated by the availability of personal information leaked from data breaches and other sources, making it easier for fraudsters to attempt to assume the identity of someone else. Awareness of SIM swapping has grown markedly over the past few years, largely due to extensive media attention and comprehensive investigations by security researchers into notorious cybercriminal groups and intrusion crews such as LAPSUS$ and The Com (Scattered Spider is another name used for large groups of dispersed threat actors). This crime has also led to arrests. On Jan. 11, 2024, the U.S. Department of Justice announced the indictment of Noah Michael Urban, 19, who is alleged to have stolen at least US $800,000 in cryptocurrency via SIM hijacking. Also in January 2024, federal prosecutors in Washington, D.C., charged three people with running a SIM-swapping ring, which in one case they allege led to the theft of US $400 million in virtual currency from a single company. The group is alleged to have created fake identity documents in order to do in-person SIM swaps at mobile provider retail outlets including AT&T, Verizon and T-Mobile.
In this post, we delve into the complexities of SIM swapping, explore its operational mechanics and shed light on markets and services that have evolved around this illicit practice. Also, we suggest some tips for hardening one’s personal and online security posture to prevent or limit the damaging effects of a successful SIM swap.
How it Works
Step 1: Obtain information on target victim or company
Prior to performing SIM swapping, the initial hurdle for threat actors is the acquisition of a victim’s personal information. This task can be accomplished through a myriad of tactics including phishing, SMS phishing (aka smishing), social media profile analysis, insider collaboration, use of special tools or purchasing stolen data from underground forums. Regardless of the approach, the goal remains consistent: gather key personal details such as the victim's address, date of birth (DOB), full name, mobile phone number, Social Security number (SSN) and answers to the security questions carriers use for account verification.
A variety of underground services and platforms can assist actors with this task. In late October 2023, we observed a threat actor advertise access to the IntelX aka IntelligenceX platform for a monthly fee of US $250. IntelX is a search engine and data analytics platform that is adept at retrieving a broad spectrum of data, including public personal information and data from leaks. The platform's accessibility was promoted heavily across multiple channels linked to SIM-swapping activity. The prevalent mentions of IntelX in these channels underscore its likely crucial role in aiding threat actors to collate information on potential targets, including for doxxing purposes. Doxxing is the term for releasing personal and private information about someone without their consent. Threat actors use doxxing to punish other threat actors by compromising their online anonymity, raising the chances of harassment or law enforcement attention.
Another tactic among threat actors engaged in SIM swapping involves the deception of mobile carrier employees and, at times, cryptocurrency users, luring them to phishing websites that replicate login pages of their respective companies or cryptocurrency platforms. Our monitoring of Telegram channels unveiled a multitude of scenarios that aspiring SIM swappers can use. A notable example involves an actor posing as an employee of the target company’s information technology (IT) department, contacting employees of the company under the pretext of discussing a filed ticket. In another sophisticated scenario, the perpetrator adopts the guise of a support employee from a cryptocurrency company (see screenshot of a social engineering script below). The actor approaches the victim with a fabricated story of ongoing attempted logins to their account from multiple locations, creating a sense of urgency and concern. In both scenarios, the objective is to persuade the employee or individual user to visit a fraudulent website that mimics the legitimate login page. This website, often hosted at a specific IP address, is designed to capture the login credentials of unsuspecting victims.
Unit 221B’s Chief Research Officer Allison Nixon shed light on the intricacies of using this tactic, as it often is marked by a coordinated effort among multiple threat actors. One individual typically engages with the mobile carrier or company employee over the phone, while another manages the phishing kit, ensuring it remains active just long enough to avoid detection by security firms. In some instances, this operation may involve a third participant whose role is to use the harvested stolen credentials to immediately access the employee’s accounts. This actor also may face the task of making their device pass “posture checks” — a security measure some companies employ to ensure logins are executed from company-issued devices. In our observation of communication channels frequently used by individuals engaged in SIM swapping, we identified mentions of the difficulty in passing posture checks, which ensures only devices that meet a certain security standard are allowed access. These explicit requests for assistance circumventing security measures not only demonstrate the technical barriers these actors face, but also underscore the collaborative nature of these criminal endeavors.
Purchasing or phishing login credentials for telecommunications employees is often an objective of threat actors in order to open a gateway to internal company systems. This unauthorized access often is leveraged as a service in the cybercrime community, available for hire to other actors seeking to execute SIM swaps. Once inside the mobile carrier's network, threat actors typically broadcast their newfound capabilities on SIM-swapping forums. Although such access generally is short-lived, it grants the ability to target any customer within the carrier's entire database and perform a SIM swap. SIM swapping can potentially target anyone; however, it is evident that those who possess significant digital assets — particularly in the cryptocurrency and technology sectors — are at a heightened risk. High-profile victims frequently are identified through data previously compromised in breaches at investment firms, banks or other financial institutions. Additionally, threat actors may employ methods such as monitoring activity on social media platforms to select their targets.
Step 2: Perform swap
If an actor opts not to use a SIM-swapping service, they must execute the swap themselves. The actor contacts the victim's mobile phone carrier posing as the victim and may claim their SIM card is lost or damaged or that they require a different size card due to a new phone. The actor answers security questions using the previously collected personal information as authentication. Mobile operators serve large numbers of customers and have large customer service staff, so threat actors often persistently test security procedures, looking for weaknesses in personnel and systems that can be capitalized upon in order to accomplish a swap. The carrier then deactivates the victim’s SIM card and activates a new one in the possession of the threat actor. The victim's phone number, including all calls and texts — which are crucial for 2FA or password recovery — is redirected to the threat actor’s device.
In some instances, actors might also leverage an insider at the mobile carrier company. This can involve bribing or blackmailing the employee or exploiting current or former employees who knowingly abuse their access to customer data and the company’s network to conduct a SIM swap. Telegram channels often feature individuals who claim to have, or to be, insiders at mobile companies capable of executing SIM swaps. Our research revealed cases where a Telegram user was selling insider contact information or seeking insider contacts.
Individuals have been prosecuted for helping threat actors conduct unauthorized SIM swaps. On March 13, 2024, the U.S. Department of Justice announced one such case against a 42-year-old man from Burlington County, New Jersey. Jonathan Katz, who worked for an unnamed telecommunications company, pleaded guilty in U.S. federal court in New Jersey to five counts of intentionally accessing a protected computer. According to the criminal information (an additional criminal complaint is here), Katz was paid US $5,000 in bitcoin to use his access to the telecommunications company’s systems to conduct SIM swaps affecting five victims between May 11, 2021, and May 19, 2021. The person who recruited Katz also allegedly offered him a percentage of the profits earned from accessing those mobile devices.
Step 3: Aftermath
After successfully executing a SIM swap, the threat actor gains the ability to reset passwords and access the victim’s personal accounts, including email, bank and social media platforms. A primary focus for many actors is to find credentials for cryptocurrency exchange accounts, private keys and seed (recovery) codes for cryptocurrency wallets with the ultimate intent of stealing cryptocurrency. Digital currencies such as bitcoin and Ethereum hold substantial value, making them lucrative targets. The ease and relative anonymity with which these cryptocurrencies can be transferred to other accounts or exchanged for different currencies adds to their appeal for illicit activity. The irreversible nature of cryptocurrency transactions also amplifies the risk. Once a threat actor transfers cryptocurrency from the victim’s account to their own, it is impossible to reverse the transaction through a central authority such as a bank. By the time the victim realizes their mobile service is disrupted — a result of their legitimate SIM card being deactivated — the threat actor has likely already caused significant financial harm. This aspect of cryptocurrency, combined with the methods used in SIM swapping, underscores the high stakes and potential for considerable financial losses from this type of cybercrime.
Rise in SIM Swapping and Associated Services
Throughout 2023, we observed an increase in the advertisement of SIM-swapping services targeting multiple carriers across underground forums, Telegram and Discord. Telegram emerged as the primary hub for these offerings, though numerous promotions also were spotted on underground forums. The following are some examples of offers in the underground, although we’ve removed the nicknames of specific actors.
In February 2023, we observed a threat actor offering SIM-swapping services for AT&T, T-Mobile and Verizon users, charging US $2,500 for a single SIM swap. The actor claimed to leverage an insider from an undisclosed company in the U.S. In March 2023, another threat actor offered SIM-swapping services for AT&T, O2, Sprint, T-Mobile and Verizon covering both the U.K. and U.S. markets. The actor allegedly focused on cryptocurrency accounts with service fees starting at US $5,000 per account. A third threat actor also offered SIM swapping for AT&T, Sprint, T-Mobile and Verizon in the U.S. with fees starting at US $2,000 per account.
In 2023, we also observed a rarer type of access offering that could be used to accomplish the same ends as SIM hijacking but by different means. The threat actor offered access to a Signaling System 7 (SS7) administration panel for a telecommunications provider in southeastern Europe. Mobile operators collect information about devices connected to their network in a database known as a Home Location Register. Carriers use the SS7 protocol to exchange messages about devices that allow for the correct routing of calls wherever a person is in the world. However, unauthorized access to an SS7 network may allow an attacker to reroute text messages to other devices, which is why access to SS7 should be closely guarded. We could not confirm whether this threat actor’s offer could indeed result in successfully diverting a phone number. However, SS7 is known to suffer from some weaknesses, such as a lack of built-in authentication, and attackers with unauthorized access to SS7 systems have carried out successful attacks.
In addition to SIM-swapping services, our research also revealed a variety of related sub-services threat actors use. This included access to the IntelX platform, doxxing services and numerous posts for insider contacts at mobile carriers. We also identified services that provide access to phishing pages skillfully designed to replicate login pages of major mobile carriers and well-known cryptocurrency platforms. The actor sm3934 advertised one such service on SIM swapping-related Telegram channels.
We also observed a noteworthy trend: the proliferation of "mentoring" services advertised by actors. These individuals offer to teach the art of conducting successful SIM-swapping attacks, typically for a fee. The availability and popularity of such services points to increasing interest, particularly among younger users, in learning about and engaging in SIM swapping, often driven by the allure of quick financial rewards.
Regulators Step in
On Nov. 16, 2023, the U.S. Federal Communications Commission (FCC) announced new regulations aimed at bolstering consumer protection against SIM-swapping attacks. Mobile carriers now are required to adopt robust and secure authentication processes prior to transferring a customer’s phone number to a different device or service provider. Additionally, mobile companies are obligated to immediately notify customers of any SIM change requests made on their accounts. The rules also compel carriers to implement enhanced measures specifically designed to safeguard customers from both SIM swapping and port-out fraud attempts. This decisive action by the FCC is a direct response to the increase in consumer complaints, which have highlighted the severe distress and significant financial damage inflicted by SIM-swapping attacks over the past few years.
Security recommendations
It’s not possible to completely prevent SIM hijacking attacks as elements of the attack are simply out of the control of the victim. But there are steps individuals can take to become more resilient against SIM hijacking and limit its effects if an unauthorized number port occurs.
Many telecommunication operators offer a security control that involves adding a PIN to the account that must be relayed to an employee when requesting a number port. This is a good control. However, beware that this PIN could be targeted in phishing attempts, so it should be carefully safeguarded and only divulged to legitimate telecom employees.
Some mobile providers will allow customers to only permit number ports if they are physically in a retail store, which reduces the chance that personally identifiable data can be replayed in social engineering attacks over the phone. However, threat actors — including some affiliated with The Com — have specialized in creating fraudulent identity documents in order to perform “walk-ins,” or in-store number ports with fraudulent IDs.
Avoid associating phone numbers with sensitive online accounts. Some service providers may have a setting to not allow password resets over SMS.
Cryptocurrency accounts should not be configured to allow MFA over SMS. If a phone number is required for a cryptocurrency account, those with high balances should set up a different phone number that is solely dedicated to that account and not used for other services or given out to people.
Use an authenticator application for MFA rather than receiving codes over SMS.
Try to limit the amount of personal information shared online that cybercriminals could leverage to assume your identity when calling service providers. Do not boast of cryptocurrency holdings on social media, as that could attract attackers.
If you are a victim of a SIM-swap attack, alert the providers of accounts containing sensitive information, contact your mobile carrier to have the phone number switched back to your control and change passwords on all accounts.
At an organizational level, telecommunications companies should monitor for employees who become insider threats. Employees with access to sensitive systems should be warned they may be approached by threat actors to participate in SIM hijackings in exchange for payment.
Mobile operators should ensure that a person who is requesting a SIM swap or number port in fact currently controls the phone number. This can be accomplished by sending a one-time code over SMS, although again, this could be subject to sophisticated phishing and social engineering attempts.
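The post notes that attackers typically try to use a hijacked number within minutes and that carriers must now notify customers of SIM changes. A service provider that receives such SIM-change signals can turn them into a detection and a gate on SMS-based recovery. The following is an added example, not code from the original post; the event schema, the 24-hour hold period and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str                      # "sim_change" (carrier signal) | "sms_reset" | "sms_mfa" (service logs)
    phone: str                     # phone number the event concerns (constructed E.164-style values)
    account: Optional[str] = None  # service account that relied on the number, if any


# Assumed policy: SMS is not accepted as proof of control of a number for 24h after a SIM change.
HOLD = timedelta(hours=24)


def correlate_sim_swap(events, hold=HOLD):
    """Return (account, kind, minutes_after_change) for every SMS-trusting event
    (password reset or MFA over SMS) that follows a SIM change on the same number
    within the hold window. Events are processed in time order."""
    last_change = {}   # phone -> timestamp of most recent SIM change
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "sim_change":
            last_change[e.phone] = e.ts
            continue
        if e.kind not in ("sms_reset", "sms_mfa"):
            continue
        t0 = last_change.get(e.phone)
        if t0 is not None and e.ts - t0 <= hold:
            alerts.append((e.account, e.kind, (e.ts - t0).total_seconds() / 60))
    return alerts


def sms_trustworthy(last_change_ts, now, hold=HOLD):
    """Service-side gate: refuse SMS codes for resets/MFA while the hold is in effect.
    A number with no known SIM change is treated as normal."""
    return last_change_ts is None or now - last_change_ts > hold


# Constructed sample: one victim (alice) whose number is swapped at 10:00, plus unrelated traffic.
T = datetime(2024, 1, 11, 10, 0)
SAMPLE_EVENTS = [
    Event(T, "sim_change", "+15550100"),
    Event(T + timedelta(minutes=7), "sms_reset", "+15550100", "crypto-exchange:alice"),
    Event(T + timedelta(minutes=12), "sms_mfa", "+15550100", "bank:alice"),
    Event(T + timedelta(minutes=30), "sms_reset", "+15550199", "email:bob"),   # no SIM change: benign
    Event(T + timedelta(days=3), "sms_mfa", "+15550100", "bank:alice"),        # outside the hold: benign
]

if __name__ == "__main__":
    for account, kind, minutes in correlate_sim_swap(SAMPLE_EVENTS):
        print(f"ALERT {account}: {kind} {minutes:.0f} min after SIM change")
```

Running the sample flags only the two events that used alice's number within minutes of the swap; bob's reset and the event three days later pass.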