Investigators have arrested and charged a 20-year-old college student with multiple counts of hacking and identity theft. Prosecutors accuse him of being part of a gang which stole $5 million of cryptocurrency by hijacking mobile phone numbers.
Caught by the Fuzz
Following his arrest at LAX airport while on his way to Europe, Joel Ortiz was apparently quick to come clean. He told investigators that he and his “co-conspirators” controlled millions of dollars in cryptocurrency.
Ortiz, originally from Boston, allegedly hijacked over 40 phone numbers using a technique known as SIM swapping. It is the first known case against a person using this kind of attack — also known as a ‘port out scam’.
The Weakest Link
Considering the scale of the potential consequences, the scam is supposedly rather easy to perform. It involves calling the victim's service provider, posing as the victim, and convincing them that the SIM card has been lost. Once the provider has confirmed the caller's identity, it will transfer the number to another SIM card (which the caller already owns).
This potentially lays the liability for these attacks squarely at the feet of the service providers, as security procedures for confirming identity should not be bypassable using a few pieces of personal information easily obtained online.
Breaking and Entering
Once the criminal has access to your phone number, it is very easy to start accessing accounts. Even those services with two-factor authentication often allow password reset/recovery through a mobile device.
Ortiz allegedly targeted several people at the Consensus bitcoin conference in New York in May, stealing more than $1.5 million from one cryptocurrency entrepreneur.
Prosecutors say he also called one victim’s wife from a stolen number and messaged his daughter and her friends asking for bitcoin. This was one of the mistakes which led to his undoing.
The Web Unravels
Through a series of warrants, detectives identified two IMEI numbers used with the stolen number. This allowed them to link the devices with Ortiz's email accounts and show that he had moved over $1 million worth of cryptocurrency through various exchanges.
The investigators were also able to show that Ortiz had hacked around 40 numbers through AT&T in the period between November 2017 and June 2018.
Ortiz's “co-conspirators” have yet to be named, but his arrest has sparked panic in the SIM-swapping community.
Members of the OGUSERS message board posted a thread asking: “Who do you think is next?” The site is often used as a marketplace for social media accounts stolen using the same scam.