Two Charged Over Crypto Theft via SIM Swapping, Death Threats

Two men from Massachusetts were arrested and charged by the Boston U.S. District Court with stealing high-value social media accounts and hundreds of thousands of dollars' worth of cryptocurrency from at least ten victims by using SIM swapping, death threats, and hacking.

Eric Meiggs and Declan Harrington, the two defendants, were charged with one count of conspiracy, eight counts of wire fraud, one count of computer fraud and abuse, and one count of aggravated identity theft in an 11-count indictment unsealed today.

Results of SIM swapping attacks

A SIM swapping (aka SIM hijacking) attack is the process through which malicious actors take control of a target's mobile phone number without the victim's authorization.

This is done by convincing the target's mobile phone service provider to reassign the phone number to an attacker-controlled SIM card, either via social engineering or by bribing employees of the provider to do it.

These attacks give crooks control of a victim's phone number, which they can then use to bypass SMS-based multi-factor authentication (MFA), steal credentials, and take over the target's accounts for online services.

"Armed with your login credentials, the scammer could log in to your bank account and steal your money, or take over your email or social media accounts," the FTC says. "And they could change the passwords and lock you out of your accounts."

Death threats, hacking, and stolen cryptocurrency

The two defendants allegedly went after cryptocurrency companies' executives and several other targets who held significant amounts of cryptocurrency in their Coinbase or Block.io wallets, as well as victims who controlled high-value Instagram and Tumblr accounts.

"Meiggs and Harrington allegedly conspired to hack into, and take control over, these victims’ online accounts so they could obtain things of value, such as cryptocurrency," the Department of Justice release says.

"They used an illegal practice known as 'SIM-swapping' and other techniques to access, take control of, and in some cases steal cryptocurrency from, the accounts."

From an Arizona resident who "publicly communicated with cryptocurrency experts online," they were supposedly able to steal $200,000 worth of cryptocurrency in one go, while $100,000 was swiped from a victim from California who was friends with another target who "operated a blockchain-based business."

Meiggs also purportedly threatened to kill the wife of one of their victims in an attempt to take control of the target's Instagram account name.

Death threats made to steal a victim's Instagram handle

Another $165,000 in cryptocurrency was stolen from an Illinois cryptocurrency project leader, and $35,000 worth of cryptocurrency got looted from the Block.io cryptocurrency wallet of a Nevada victim who "owned a Bitcoin Automated Teller Machine network."

In total, the two reportedly managed or tried to steal over $500,000 from at least 10 identified victims from all over the U.S., while Meiggs presumably took control of two targets' social media accounts.

These are some of the tactics and methods purportedly used by the two defendants during the attacks according to the unsealed indictment:

• Identifying potential victims who likely had significant amounts of cryptocurrency, for example, executives of cryptocurrency companies.
• Researching the potential victims using online tools.
• Engaging in "SIM swapping" in order to take control of victims' cell phone numbers.
• Leveraging their control over victims' cell phones to obtain unauthorized access to the victims' online accounts, including email accounts, social media accounts, and cryptocurrency accounts.
• Using their access to victims' accounts to take control of, and steal things of value from, the victims' online accounts, including their account handles and their cryptocurrency.
• Selling or otherwise transferring victims' log-in credentials, account handles, and cryptocurrency to others in exchange for money or other things of value.
• Using victims' hacked online accounts to communicate with the victims' friends and family in order to ask for money and cryptocurrency.
• Communicating with co-conspirators via online social media and chat platforms.
• Using multiple online accounts to hide their identities and evade detection by law enforcement.

Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Andrew E. Lelling for the District of Massachusetts, Special Agent in Charge Joseph R. Bonavolonta of the FBI’s Boston Field Office and Special Agent in Charge Kristina O’Connell of IRS Criminal Investigations (IRS-CI) announced the charges in the Eastern District of Michigan.

If convicted on a charge of conspiracy to commit wire fraud, each of the defendants faces a statutory maximum penalty of 20 years in prison. 

Each of the charges of wire fraud carries a statutory maximum penalty of 20 years in prison, while a conviction of aggravated identity theft in support of wire fraud carries an additional statutory maximum penalty of 2 years in prison which should be served consecutively to any sentence imposed on the underlying count of wire fraud.

SIM swapping protection

The U.S. Federal Trade Commission (FTC) issued guidance on how to protect against SIM swapping attacks in October, listing the following protection measures:

• Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
• Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
• Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
• Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.

The Federal Bureau of Investigation (FBI) also issued a SIM swapping alert in March after observing an escalation in the number of SIM jacking attacks.

The FTC also provides detailed info on how to secure personal information on your phone and on how to keep personal information secure online.

Victims or anyone observing SIM swapping attack activity can report it to the FBI at tips.fbi.gov or by calling 415-553-7400.
