
1,200 Simboxes Seized in Latvia; Sold Phone Numbers from over 70 Nations to Criminals Online

Multiple European police forces contributed to the investigation. They described crimes committed using these simboxes in a matter-of-fact style that contrasted with melodramatic guff spread after a big simbox bust in New York.

A police operation involving the forces of multiple European countries culminated last week in seven arrests and the seizure of a massive haul of equipment from an illegal simbox farm in Latvia. Investigators from Austria, Estonia and Finland worked with their Latvian peers to locate and shut down a gang whose business model involved renting out the SIMs to facilitate crimes committed by other criminals. This ‘cybercrime-as-a-service’ involved 1,200 simboxes, 40,000 active SIM cards, hundreds of thousands of SIM cards which had not been activated, five servers and two websites which were used to sell the services they offered. Users of the service were able to originate traffic from phone numbers belonging to more than 70 different countries. More than 49 million online accounts were created using the SIMs made available by this gang. The crimes enabled by these SIMs included:

  • ‘Hi dad’ scam messages sent from WhatsApp accounts created using the SIMs;
  • Investment frauds where victims were initially contacted by phone;
  • Phone numbers for inbound calls presented on fake websites for banks and fake retail businesses;
  • The creation of fake accounts that were used to commit fraud on second-hand marketplaces;
  • Extortion;
  • Distribution of child pornography; and
  • Frauds that involved impersonation of the police.

Five Latvians were among those arrested; the nationalities of the other two arrestees were not disclosed. However, Europol’s press release about the operation mentioned a telltale sign about the kind of gangsters running this criminal operation.

…the perpetrators used the telephone numbers to convince their mostly Russian-speaking victims of their legitimacy.

Another clue about the kinds of people behind this operation comes from the police remarking that one of the suspects was already under investigation in Estonia for arson and extortion.

Austrian investigators linked the SIMs to more than 1,700 separate fraud cases in their country, with a total value of EUR4.5mn (USD5.25mn). The SIMs were also linked to 1,500 frauds in Latvia, with a combined value of EUR420,000 (USD490,000). The authorities froze bank accounts associated with the suspects that collectively hold EUR431,000 (USD503,000) and online wallets holding cryptocurrency currently valued at USD333,000. They also seized four luxury cars.

It is worth comparing the information provided by the police who conducted this investigation with the much more heavily publicized news that the US Secret Service had discovered 300 simboxes in New York during September. US authorities initially stated that the New York gang had obtained 100,000 SIMs but this was later revised to 300,000 SIMs. Nothing was said about any arrests in New York or elsewhere. And nothing was said about the crimes committed using the New York SIMs except:

  • there were threats to the kinds of people that the US Secret Service is responsible for protecting i.e. senior government officials or their families;
  • wild speculation that the simbox operation might have been used to disrupt the United Nations General Assembly meeting occurring at that time; and
  • wild speculation that the simbox operation could be used by foreign enemies to ‘cripple’ comms networks across New York.

As I observed in a previous article, there were various reasons to be circumspect about the claims made about the potential uses of the New York simboxes, such as whether bad actors backed by the Chinese or Russian state were intending to engage in a clumsy denial-of-service attack on New York’s mobile phone networks. The way in which European authorities have reported on the simboxes seized in Latvia demonstrates just how frivolous much of the US reporting has been.

The raid in Latvia was the culmination of cooperative work by law enforcement agencies from different countries that gathered evidence of a series of crimes, linked those crimes to the SIMs, determined the location of those SIMs, and then were able to explain the danger posed to the public without any guesswork or hyperbole. The methodical work of the European police forces contrasts sharply with the approach taken in New York.

The US raid increasingly appears to be an accident caused by the US Secret Service trying to protect one or several important individuals from potentially harmful communications made using a SIM or several SIMs in the New York simboxes. This could easily occur if the New York SIMs were also being rented out to other criminals. As a consequence of a mission that began with protecting specific individuals, the Secret Service stumbled upon a much larger criminal enterprise than they had anticipated. These simboxes were used to commit crimes that sit outside of the Secret Service’s jurisdiction. The Secret Service then scrambled to justify the lack of collaboration with other law enforcement agencies in the USA, and to spare the blushes of those agencies that should have already traced illegal calls and SMS messages to those SIMs. Unfortunately, their chosen method of distraction involved spouting a lot of hyperventilating hooey about foreigners planning to shut down networks and disrupt the United Nations.

Organized criminal gangs do not shut down phone networks. They exploit them. They want the networks to be up and running so they can send communications across them. That means they take the risk that those communications will be traced back to their origin. They obtain very many SIM cards so each one can be used sparingly, thus reducing the chances of anyone identifying a criminal pattern or a common origin for multiple illegal activities committed over phone networks. These basic facts about organized crime appear to be barely understood by some so-called ‘experts’ in the USA. There has been a fat load of empty talk from some of these empty vessels about how well the USA is tracing harmful calls to their source but the difference in results is plain. Austrian investigators linked actual frauds to SIMs housed in a foreign country. They did it with the help of their peers from other jurisdictions. The SIMs in New York were probably used for the same kinds of crime as those found in Latvia, but nobody traced those crimes to New York before the Secret Service felt they needed to intervene because some VIPs were threatened. Law enforcement in one region did the work necessary to protect very many ordinary people from crime; law enforcement in the other succeeded in protecting a few members of the American elite with the unintended consequence that they also protected many other Americans.

What makes the empty gassing of US authorities even worse is the insertion of xenophobic paranoia into a story that should really be about the lack of competence, or the lack of diligence of the people Americans trust to tackle organized crime. It may well be the case that the simboxes in New York were ultimately controlled by criminals living in a different country. Those criminals may even have ties to governments. However, it is nonsense to suggest that these criminals were planning to use 300 simboxes to take down mobile phone networks scaled to serve an area with over 20 million inhabitants. Nobody suggested the 1,200 simboxes found by Latvia’s police might be used to disrupt mobile networks scaled to serve the fewer than 2 million inhabitants of Latvia. Russia borders Latvia. Russia’s cyberforces have repeatedly attacked the networks of their neighbors, often using criminal intermediaries as their cybermercenaries, and network disruption is an important element of Russia’s strategy for defeating Ukraine. A scenario involving widespread disruption of communications networks in Latvia is far more plausible than equivalent scenarios in the USA, but it was not even discussed as a possibility by Latvia’s police.

Latvia was an independent country before it was invaded in World War 2 and forcibly absorbed into the Soviet Union. It regained its independence in 1991 during the collapse of the Soviet Union but remained a target for those nationalist fanatics who want to resurrect Greater Russia. That is the faction that Putin serves through his invasions of Chechnya, Georgia and Ukraine. Those nationalists will claim they need to intervene in foreign countries to protect their Russian-speaking populations, but they do not dwell on the history of how the Soviet Union manufactured loyalty by moving Russian speakers into conquered territories with a different native language. Nor do they dwell on the fact that Putin’s rapacious government is a partner to the criminals who defraud Russian speakers living outside of Russia.

It is to the credit of Europe’s law enforcement agencies that they concentrated on the facts surrounding this particular simbox operation in Latvia instead of hypothesizing about threats to national security. In contrast, some present-day ‘experts’ seemingly want us to believe that rogue nations are prioritizing the invasion of New York by mobile phone ahead of the invasion of countries like Latvia. These ‘experts’ seem to know very little about the ways criminals use networks or about international relations. Their priorities are askew. The less influence they have over cross-border strategies for protecting comms networks and their customers, the safer we will all be.

The work done by all the law enforcement agencies in the Latvian bust was impressive. It shows what can be accomplished when real cooperation occurs, and it may signal that European police forces are becoming more efficient at working across borders to identify and shut down criminals who exploit networks. Given the need for cooperation with the private sector, I wish they had commented on whether any assistance was provided by telcos in Latvia or elsewhere. They noted that the criminals had amassed several hundred thousand SIM cards from almost 80 countries but this does not clarify which telcos and which countries need to do a better job of controlling the supply of SIMs.

Restrictions can be tightened but motivated criminals will always be able to obtain SIM cards. A SIM card only needs to be used once in order to create a WhatsApp account that may then send thousands of ‘Hi Dad’ and ‘Hey Mom’ messages. There is no intelligence — artificial or otherwise — that can detect a pattern of fraudulent activity from the very first occasion that a SIM is used. Cooperation between law enforcement and telcos should involve fine tuning of controls over the supply of SIMs so new restrictions have the most impact. We should aim to balance convenience for genuine consumers with the need for better security by imposing constraints where they will be most effective. Knowing which telco’s SIMs have most commonly been used for crime would also help other telcos to fine tune the ways they analyze data. Sharpening the analysis of data would also reduce the number of times a SIM can be exploited by criminals before it is deactivated, and speed the process of locating simbox operations that disguise their existence by using very large numbers of SIMs only sporadically.
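The following added example, which is not from the investigation or from any telco's tooling, shows why a per-SIM volume rule misses SIMs that are each used sparingly, while counting sparse SIMs per common origin exposes the cluster. The record layout, serving-cell identifiers, thresholds and sample data are all constructed assumptions; the article does not say what data the investigators analyzed.

```python
from collections import defaultdict
from statistics import median

PER_SIM_LIMIT = 100  # hypothetical per-SIM daily volume threshold
SPARSE_MAX = 2       # a SIM with <= this many events counts as "sparse"
CELL_FACTOR = 5      # flag cells holding > factor * median sparse SIMs


def build_sample():
    """Constructed records: (sim_id, serving_cell, events_that_day)."""
    records = []
    # Ordinary subscribers: a handful of SIMs per cell, normal activity.
    for cell, sims in (("cell-A", 6), ("cell-B", 8), ("cell-C", 5)):
        for i in range(sims):
            records.append((f"{cell}-sub{i}", cell, 10 + 3 * i))
    # One heavy but legitimate user.
    records.append(("cell-B-heavy", "cell-B", 120))
    # Simbox-like site: many SIMs, each used only once or twice.
    for i in range(60):
        records.append((f"farm-sim{i}", "cell-X", 1 + i % 2))
    return records


def sim_totals(records):
    """Sum events per SIM and remember the cell it was last seen on."""
    totals, cell_of = defaultdict(int), {}
    for sim, cell, events in records:
        totals[sim] += events
        cell_of[sim] = cell
    return totals, cell_of


def flag_by_sim(records):
    """Per-SIM volume rule: blind to SIMs that are used sparingly."""
    totals, _ = sim_totals(records)
    return sorted(s for s, n in totals.items() if n > PER_SIM_LIMIT)


def flag_by_origin(records):
    """Count distinct sparse SIMs per cell and flag outlier cells."""
    totals, cell_of = sim_totals(records)
    counts = {cell: 0 for cell in cell_of.values()}
    for sim, n in totals.items():
        if n <= SPARSE_MAX:
            counts[cell_of[sim]] += 1
    baseline = max(1, median(counts.values()))
    return sorted(c for c, n in counts.items() if n > CELL_FACTOR * baseline)


if __name__ == "__main__":
    data = build_sample()
    print("per-SIM rule flags:", flag_by_sim(data))
    print("per-origin rule flags:", flag_by_origin(data))
```

On the constructed data the per-SIM rule flags only the heavy legitimate user, while the per-origin count singles out the one cell where dozens of barely used SIMs share a location.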

Look below for video footage of the raid shared by the Latvian police. Keep scrolling for still images from the raid.

Eric Priezkalns

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.
