The United States Secret Service seized 300 simboxes and 100,000 SIM cards in New York last week. Most of the media has uncritically repeated what the Secret Service said about the bust (because they do not know better) and many professionals have also repeated what the Secret Service said about the bust (even though they should know better). This is troubling because several claims made by the Secret Service were very odd indeed. Just like any other government agency, it is vital that a free press and knowledgeable experts holds them to account and questions the accuracy of claims that appear dubious.
1. Did They Foil a Pinpoint Attack on Senior Government Officials or a Widespread Denial of Service Attack on Networks?
One of the Secret Service claims that the press most feverishly repeated was that New York phone networks could have been ‘crippled’ by the load created by all those simboxes working in unison. There is one glaring problem with that assertion: it is not the job of the US Secret Service to protect infrastructure or the public in general. Its role is to perform criminal investigations and provide protection to political leaders and their families. Their announcement justified their intervention in this case by asserting there were threats to senior officials. However, no criminal or nation-state actor needs to spend millions of dollars on the hardware required to sustain 60,000 calls in parallel if their primary goal is to attack a few dozen VIPs. Or to put it another way, a plot to bring down New York’s networks would hurt a lot more people than just the tiny elite that the Secret Service is supposed to protect.
Another problem is that 300 simboxes, perhaps each with the capacity to execute 256 communications in parallel, is enough to generate enormous amounts of spam, but is not enough to overload multiple mobile networks that have been designed to serve the 20 million inhabitants living within the New York metropolitan region which the Secret Service said was in danger. Somebody spent way too much money if they only wanted to execute swatting or spearphishing attacks on politicians, and far too little if they intended to disrupt the phone calls of an entire city. This suggests the main objectives of the people that purchased and installed all this equipment lay somewhere between the two extremes described by the Secret Service. For example, perhaps there were some swatting calls routed through some of these devices, only for the majority of SIMs to be handling conventional scam calls or messages.
2. Blaming Foreigners versus Blaming Americans
There is bipartisan agreement across the political class, law enforcement agencies, and the big US comms providers, that scams inflicted on Americans must be blamed on foreigners. The Secret Service sustained that narrative with vague references to a foreign nation-state being linked to the simboxes in New York. No mention was made of anybody within the USA being held responsible for anything. The involvement of the Secret Service reveals serious problems with the preferred narrative of American politicians and business leaders.
The heightened use of simboxes by scammers since the latter half of 2024 means there must be many people inside the USA who are involved in these crimes. That should not be difficult to imagine given there have been businesses headquartered in the USA which ran fraudulent simbox operations outside the USA.
Somebody rented the apartments where the simboxes were found. Somebody paid the electricity bills for these simboxes. Somebody assembled the racks, neatly placed the simboxes upon the shelves, and individually inserted the SIM cards in each slot. Somebody acquired 100,000 SIM cards. These people made so much progress with assembling all this hardware that the Secret Service claimed the operation was a threat to national security, not just a threat to consumers who are already sick and tired of scams. Why is nobody intervening and arresting the people committing these crimes on American soil before these operations become a threat to national security?
I wrote in 2024 about a distinct lack of willingness to punish US mobile network operators for the growing number of scam calls traced to simboxes on their networks. This resulted in a conversation with my boss at the time, who wanted me to soften the article because he received a complaint from one of those operators. The US Federal Communications Commission (FCC) normally loves to issue press releases about scam-related activity that generates big news headlines, even if the FCC has done nothing about it, presumably because they want to appear proactive. They have been eerily silent about the simboxes in New York.
3. Where Were the KYC Controls?
Legitimate businesses do not find it easy to obtain 100,000 SIM cards. Nor should they. As mentioned above, there are Americans with experience of paying stooges living outside of the USA to obtain SIM cards for use in simbox fraud. The same methods could also be used to obtain SIM cards within the USA. What lessons have been learned from American criminals to prevent their tactics being repeated within the USA?
Another way to obtain SIMs for crime involves the collusion of telco insiders. We know that big US mobile operators have tried to hide the extent of frauds enabled by lax internal controls over their own staff. There have been very few prosecutions of telco insiders relative to the amount of crime that Americans suffer, although the few prosecutions that have occurred tend to receive a lot of publicity. Presumably the intention is to distract from the potential scale of insider collusion in crime.
The Secret Service shared a photograph of hundreds of SIM cards carrying the branding of MobileX, a Californian MVNO (pictured). MobileX does not report how many customers it has because it is so small. The best information in the public domain is that the CEO of MobileX gave an interview at the beginning of the year which claimed his company had “tens of thousands” of customers. The implication is that the USA has seemingly legitimate telcos where a very large portion of their supposed customer base is actually comprised of SIMs in simboxes.
The FCC has repeatedly misled the press and public by suggesting it enforces KYC rules when there are no actual KYC rules. For example, in February they attempted to justify a proposed fine for one telco with a press release that stated:
“Providers are required to know their customers and secure their networks to deter fraudulent and malicious calls,” said Patrick Webre, Acting Chief of the Enforcement Bureau.
And that:
Under FCC rules, all voice service providers… are obligated to know their customers and exercise due diligence before allowing them to originate calls.
This disinformation from the FCC has prompted many US telecom industry representatives to push back. For example, the Voice on the Net Coalition (VON), lobbyists for some big cloud-based providers including Google and Microsoft, met with the FCC during August and complained:
First, VON is concerned about the lack of clarity around the Know Your Customer (KYC) obligations and the potential for significant fines for violations of what is obviously a vague standard.
One of the few regulatory insiders to admit the US has a problem with its KYC rules is former FCC Commissioner Nathan Simington. While Simington was at the FCC, he questioned the rationale for a proposed fine for Lingo Telecom in May 2024 because:
All voice providers nationwide are surely taking note of the FCC’s actions today, but it’s not actually clear what their obligations now are. Must they immediately implement KYC and, if so, to what standard?… These are completely open questions because the FCC has never engaged in a rulemaking on this matter, delegating it instead to an industry group and to industry standards. The problem for our action today is that Lingo probably complied with industry standards. We might deplore the laxity of these standards, but Lingo might well respond that they were in line with actions that had been repeatedly blessed by the FCC.
4. Does the Secret Service Understand What a SIM Server Is?
The Secret Service repeatedly referred to ‘SIM servers’ being found in New York. This was the language they used:
This protective intelligence investigation led to the discovery of more than 300 co-located SIM servers and 100,000 SIM cards across multiple sites.
I suspect that nobody has explained to the Secret Service what a SIM server actually is, and how it differs from other devices used by criminals that contain SIMs. As any technologist will appreciate, the reason to use a server is to provide data to a separate client. One reason to do this is to permit a physical separation of the data — in this case data stored on SIM cards — with other machines that will use that data. This means criminals can make calls and send messages from remotely located devices while retaining all their SIMs in one central hub. This not only reduces the cost of running their operation but also makes it more flexible.
One significant advantage for criminals that adopt a client-server architecture for simbox crime is that it will allow them to defeat some basic fraud detection controls. Simboxes should be easy to detect because they never move from place to place, unlike a typical mobile phone user. Looking for the anomalous geographic concentration of traffic is one of the simplest fraud detection controls that every mobile operator should implement. Criminals will try to defeat this control by creating the illusion that a phone user is moving from place to place. A SIM in the central SIM server is connected to a device in location A, then location B, then location C, making it appear as if somebody is carrying a phone that contains the SIM between those places although the actual SIM has never moved.
It follows that if the Secret Service really found a lot of SIM servers in New York then those SIMs could have been used to instigate calls and messages from devices located elsewhere, but no mention has been made of other devices in other locations. The Secret Service warned of an attack on New York, and on attendees of the United Nations meetings occurring in New York, but SIMs in SIM servers could just as well be used to attack networks in other US cities. They could also be used to make scam calls and send scam messages that victimize ordinary people in different countries. Rather than showing the US is under attack from foreign adversaries, the use of SIM servers could just as well suggest that a criminal operation is being run by Americans to steal from foreign phone users and businesses.
On the other hand, if there were no SIM servers found in New York, it is even harder to forgive a mobile operator for failing to detect the geographic concentration of SIMs and promptly deactivate them before they can cause further harm.
5. Jurisdiction and Competence
By this stage, the astute reader will be thinking of pertinent questions that deserve to be asked of all the organizations that should have protected the public before the Secret Service got involved. The statement from the Secret Service should be read with this in mind. The vague phrasing and many varied claims about the potential for public harm signals that the Secret Service knew their intervention would tread on the toes of other law enforcement agencies. Local police are responsible for tackling crime in New York. The Federal Bureau of Investigation (FBI) is responsible for crimes that cross state borders.
It can be argued that simbox crime is too specialized to expect regular police or FBI agents to tackle it. That is a fair argument, but it follows that the Secret Service also lacks the relevant specialist knowledge. Maybe telcos need to be held responsible for finding and stopping these crimes. Is anyone pushing them to do that? Questions need to be asked about the adequacy of the consumer protection obligations imposed on telcos by the FCC. Is anyone going to do that?
6. Why Publicize This Case?
No mention was made of any arrests. So why has it been publicized? The press are never going to turn away a juicy story that will drive traffic to their websites but nobody is commenting on the peculiarity of the Secret Service — there is a clue in their name — telling the public about these simboxes. Nobody is detailing the action that will be urgently taken to prevent simbox crime in future.
By showing their hand, the US has revealed to organized crime and foreign states the absence of basic communications network security controls. In effect, they told the rest of the world that you can get away with bringing together this many SIMs in this many simboxes so long as you ensure they are not used to attack a government official.
7. US Credibility Is Crumbling in Other Countries
The Secret Service followed the common US playbook by referring to the foreign origin of threats. That may be persuasive for a US audience. It will not impress foreign countries that have already implemented much more robust controls over the supply of SIMs. Many telecoms professionals who live and work in countries that the current US President describes as ‘shitholes’ will now be laughing at the US telcos which are unable, or unwilling, to detect simboxes on their network.
To take one example, I have observed that elements of the US press have recently been ramping up criticism of Nigeria for not doing enough to tackle scams. There are undoubtedly many scammers working in Nigeria, and many of their victims will live in other countries. However, Nigeria is also a country with a government that took robust action to stop the supply of SIM cards to bad actors. MTN Nigeria, the largest mobile operator in the country, received an NGN330bn (USD1.7bn) fine in 2016 because they had not promptly disconnected unregistered SIMs. The final penalty was substantially reduced from the USD5.2bn fine which the law initially required. A fine of USD1,000 per unregistered SIM card is pretty stiff in a country where the average revenue for each SIM card is just USD5 per year. Do US authorities intend to impose a similar level of punishment on the telcos which supplied the SIMs found in New York?
Nigeria has since taken further steps to stop SIM-related crimes. Nigerians have needed to provide their national identity numbers to obtain a new SIM card since February 2024. Will the US be introducing similar controls over the supply of SIM cards? Or is it just easier to keep complaining that ‘shithole countries’ never do enough to appease American businesses and American politicians? That strategy may satisfy Americans who live in a bubble, but it will soon wear thin with countries which now know how little the US has done to tackle networked crime within its own borders.



