American law enforcement just took down a significant SIM hijacking ring. Federal agents have charged nine men with wire fraud and identity theft charges for participating in The Community, a group that transferred phone numbers to SIM cards in their possession, used those to take control of online accounts (particularly those with two-factor authentication) and promptly stole cryptocurrency. The group has been accused of perpetrating seven attacks that stole more than $2.4 million in digital currencies from targets.
Like with some of these schemes, The Community had help from the inside. Three of the charged men (Robert Jack, Fendley Joseph and Jarratt White) worked at wireless carriers, and allegedly took bribes in return for helping the others swipe customer identities. In other cases, Community members would pose as the victims in customer service conversations and swap numbers to SIM cards themselves.
The penalties could be stiff. The fraud and theft charges each carry a maximum 20-year prison sentence. There are also charges for aggravated identity theft in support of wire fraud, although their two-year maximum sentence would be served alongside the actual wire fraud charge.
SIM hijacking charges are still relatively novel -- the first sentences have only recently started trickling out. These latest indictments won't likely serve as deterrents, but they could represent benchmarks for future cases if there are any convictions. They certainly act as reminders to internet users -- you can't assume your accounts are secure simply because you use two-factor sign-ins.