The U.S. Department of Justice today announced charges against nine individuals: 6 are members of a hacking group called “The Community,” and the other 3 are former employees of mobile phone providers who allegedly helped them steal roughly $2.5 million worth of cryptocurrency using a method known as “SIM Swapping.”
According to the 15-count indictment unsealed today, five Americans and an Irishman related to The Community hacking group are charged with conspiracy to commit wire fraud, as well as wire fraud and aggravated identity theft.
Another three Americans, who are reportedly former employees of mobile phone providers, are charged in a criminal complaint with wire fraud.
SIM Swapping, or SIM Hijacking, is a type of identity theft that typically involves fraudulently porting a victim’s phone number to a new SIM card belonging to the attacker.
In SIM swapping, attackers social-engineer a victim’s mobile phone provider: they supply the required personal information about the target to convince the provider that they are the actual owner of the phone number, eventually tricking the telecom into porting the target’s phone number over to a SIM card belonging to the attackers.
The defendants executed the attacks successfully—thanks to the three charged former mobile phone service provider employees who reportedly helped “The Community” to “steal the identities of subscribers to their employers’ services in exchange for bribes.”
Here’s the list of defendants charged in the indictment:
- Conor Freeman, 20, of Dublin, Ireland
- Ricky Handschumacher, 25, of Pasco County, Florida
- Colton Jurisic, 20, of Dubuque, Iowa
- Reyad Gafar Abbas, 19, of Rochester, New York
- Garrett Endicott, 21, of Warrensburg, Missouri
- Ryan Stevenson, 26, of West Haven, Connecticut
- Jarratt White, 22, of Tucson, Arizona (former mobile phone provider employee)
- Robert Jack, 22, of Tucson, Arizona (former mobile phone provider employee)
- Fendley Joseph, 28, of Murrieta, California (former mobile phone provider employee)
After a successful SIM swap, ‘The Community’ attackers used their victims’ phone numbers to reset passwords and gain access to their online accounts (including email, cloud storage, and cryptocurrency exchange accounts and wallets) using verification codes and two-factor authentication codes received on those numbers.
In total, the defendants executed seven SIM swapping attacks to steal victims’ funds from their cryptocurrency exchange wallets, transferring approximately $2.5 million worth of cryptocurrency to wallets controlled by the hacking group.
“Mobile phones today are not only a means of communication but also a means of identification,” U.S. Attorney Matthew Schneider said. “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it.”
If convicted on the charge of conspiracy to commit wire fraud, each defendant faces a maximum penalty of 20 years in prison. Meanwhile, an aggravated identity theft charge carries a maximum sentence of 2 years in prison.
Earlier this year, a 20-year-old college student in New York was sentenced to 10 years in prison in what constituted the jurisdiction’s first SIM-swapping prosecution. He stole over $5 million in cryptocurrency from around 40 victims by hijacking their phone numbers.