There has been a marked rise in cryptocurrency related crime over the past few years. A 20-year old student from Boston has been arrested over a $5 Million cryptocurrency scam which he achieved via SIM-jacking. The primary accused, Joel Ortiz has been arrested but his unnamed accomplices are still at large. Together, they scammed 40 people using the SIM jacking technique.
Ortiz was arrested by the Californian police force at the Los Angeles International Airport. Reportedly, he was escaping the country and flying to Europe. Following his arrest, he has now been charged with 28 cases - which include 13 counts of hacking, 13 counts of identity theft and 2 charges of grand theft. Ortiz has been jailed and a hearing is set to take place on the 9th of August. His bail bond has been evaluated at $1 Million.
Reports highlight that while cryptocurrency crime has been surging over the past few years, this is the first time that SIM Jacking technique was used in a cryptocurrency related crime. In the past this technique has been used by fraudsters to get credit card passwords and reset emails.
This involves tricking the SIM operators to believe that the user has lost his SIM and getting the number transferred to a new SIM card. Once the perpetrator gets access to the SIM with the phone number of the victim, they can make use of it to reset the passwords and break through their accounts. What is quite surprising about SIM jacking is that it is a simple method which involves social engineering and tricking the company that issued the SIM to believe that the owner has actually lost the SIM. A motherboard report highlights this as:
"SIM swapping consists of tricking a provider like AT&T or T-Mobile into transferring the target’s phone number to a SIM card controlled by the criminal. Once they get the phone number, fraudsters can leverage it to reset the victims’ passwords and break into their online accounts (cryptocurrency accounts are common targets.) In some cases, this works even if the accounts are protected by two-factor authentication."
Several of the people that Ortiz, along with his accomplices had scammed were the attendees of Consensus Conference in New York City in May. One of the victims lost close to $1.5 Million - out of which almost $1 Million was gained via ICO investments. Reports from Motherboard further point out that Ortiz gained access of the victim’s phone number by the means of SIM Jacking, following which he reset his Gmail password and then his cryptocurrency exchange password.
Considering that Ortiz now had his phone number, even if the victim had set up a 2Factor Authentication security layer involving a One Time Password, he would have been able to bypass that as well. One of the safest ways to keep your cryptocurrency account safe is to set up a 2Factor Authentication system which does not involve OTPs but uses authenticator applications.