US prosecutors have charged two men from Massachusetts for allegedly conducting SIM-swapping attacks in order to steal cryptocurrency from high-value targets.
Eric Meiggs, 21, and Declan Harrington, 20, are the defendants in the case, the US Department of Justice (DoJ) said on Thursday.
The pair are being charged with one count of conspiracy, eight counts of wire fraud, one count of computer fraud and abuse and one count of aggravated identity theft, according to an 11-page indictment.
TechRepublic: How a hacker at IBM uses disguises and devices to steal private information
The DoJ claims that Meiggs and Harrington targeted executives of cryptocurrency companies and others considered believed to own large amounts of cryptocurrency, as well as owners of valuable social media account handles.
The victims were subject to SIM-swapping attacks, in which threat actors will attempt to take over mobile phone numbers without consent or permission. This is often achieved through social engineering and calling up providers directly in order to request that numbers are transferred and reassigned to a different SIM.
The window for conducting a successful SIM-swap is small as it usually doesn’t take long for a victim to realize they are no longer receiving calls or messages — although there may also be delays in numbers to be returned back to their owners.
CNET: Memes could be our secret weapon against pesky bots
During this time, attackers can use the stolen phone number to request password changes for valuable social media, email, and financial accounts and thereby bypass two-factor authentication (2FA) as they are able to obtain 2FA verification codes.
Once a SIM-swap has been performed, this information can be used to hijack accounts, rifle through emails, and potentially access online wallets storing cryptocurrency, offering the opportunity for funds to be transferred to wallets in an attacker’s control.
Meiggs and Harrington allegedly targeted at least 10 individuals and plundered their cryptocurrency wallets. In some cases, this was achieved through SIM-swapping and locking victims out of their Gmail and Yahoo email accounts.
Prosecutors claim that over $550,000 in cryptocurrency was stolen from these victims alone. In addition, it is alleged that two social media accounts with valuable handles were hijacked.
See also: European police arrest Dark Web counterfeit currency traders
The indictment says that in order to take over a valuable Instagram handle, Meiggs threatened the family members of one victim — including the life of his wife — leading to the targeted individual complying with a demand to surrender the handle. The other holder of a valuable Instagram account gave up possession in return for his phone number, which had been SIM-swapped.
The duo has been charged in Boston’s District Court and if found guilty could face decades behind bars.
Back in August, a British teenager was sentenced to 20 months in prison for offering himself as a hacker-for-hire, including as a supplier of stolen personally identifiable information (PII) suitable for use in SIM-swapping attacks.
Interested in SIM-swapping? ZDNet’s Matthew Miller recounts how his own SIM-swap horror story led to the account hijacking, Bitcoin charges, and the loss of decades’ worth of data.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0