Notorious Brit SIM Swapper Gets 5 Years in US Prison

Joseph O’Connor, the infamous cyber fraudster also known as ‘PlugwalkJoe’, was given a five-year prison sentence by a New York court last week. He had already pled guilty to a string of crimes including conducting a SIM swap attack to steal cryptocurrency then worth USD 794,000 from a New York business, though his most notorious exploits involve the hijacked social media accounts of some of the most famous people in the world. The 24-year-old O’Connor, who is from Liverpool in the UK, was arrested in Spain in 2021 and extradited to the USA earlier this year. After trying to evade the law, O’Connor ultimately pled guilty to his crimes.

Many will treat his punishment as confirmation that the US legal system is cracking down on comms frauds, but the five-year sentence is modest compared to a maximum potential penalty of 70 years for the crimes O’Connor committed. Too much emphasis is placed on the potential for young men like O’Connor to reform and too little on providing a deterrent to other boys who are attracted to the twin prospect of becoming an infamous hacker whilst also making lots of money from their bedrooms. Add the time and resources devoted to finding O’Connor and pursuing justice, including the long-winded process of obtaining an extradition, and it becomes questionable why a US court thinks crimes of this severity deserve a sentence that may amount to only a few years in prison if he obtains an early release. A London court recently handed down a 13-year sentence to a man convicted of aiding similar crimes by providing a comms spoofing service.

The most profitable crime committed by O’Connor and his accomplices followed the well-established pattern of criminals performing a SIM swap on targets chosen because of their cryptocurrency holdings. The US Department of Justice press release explains:

Between approximately March 2019 and May 2019, O’CONNOR and his co-conspirators perpetrated a scheme to use SIM swaps to conduct cyber intrusions in order to steal a large amount of cryptocurrency from a Manhattan-based cryptocurrency company (“Company-1”), which, at all relevant times, provided wallet infrastructure and related software to cryptocurrency exchanges around the world.

As part of the scheme, O’CONNOR and his co-conspirators successfully perpetrated SIM swap attacks targeting at least three Company-1 executives. Following a successful SIM swap attack targeting one of the executives on or about April 30, 2019, O’CONNOR and his co-conspirators successfully gained unauthorized access to multiple Company-1 accounts and computer systems. On or about May 1, 2019, through their unauthorized access, O’CONNOR and his co-conspirators stole and fraudulently diverted cryptocurrency of various types (the “Stolen Cryptocurrency”) from cryptocurrency wallets maintained by Company-1 on behalf of two of its clients. The Stolen Cryptocurrency was worth at least approximately $794,000 at the time of the theft and is currently worth more than $1.6 million.

After stealing and fraudulently diverting the Stolen Cryptocurrency, O’CONNOR and his co-conspirators laundered it through dozens of transfers and transactions and exchanged some of it for Bitcoin using cryptocurrency exchange services. Ultimately, a portion of the Stolen Cryptocurrency was deposited into a cryptocurrency exchange account controlled by O’CONNOR.

This is the crime that led to the court proceedings occurring in New York, the home of the cryptocurrency business that O’Connor attacked. It is a sign of the warped priorities that the legal system applies to cybercrimes that much more despicable and dangerous behavior gets treated like an afterthought.

Lastly, O’CONNOR stalked and threatened a minor victim (“Victim-3”) in June and July 2020. In June 2020, O’CONNOR orchestrated a series of swatting attacks on Victim-3. A “swatting” attack occurs when an individual makes a false emergency call to a public authority in order to cause a law enforcement response that may put the victim or others in danger. On June 25, 2020, O’CONNOR called a local police department and falsely claimed that Victim-3 was making threats to shoot people. O’CONNOR provided an address that he believed was Victim-3’s address, which would have the result of causing a law enforcement response. That same day, O’CONNOR placed another call to the same police department and stated that he was planning to kill multiple people at the same address. In response to that call, the police department dispatched every on-duty officer to that address in reference to an armed and dangerous individual. O’CONNOR sent other swatting messages that same day to a high school, a restaurant, and a sheriff’s department in the same area. In those messages, O’CONNOR represented himself as either Victim-3 or as a resident at the address he believed was Victim-3’s. The following month, O’CONNOR called multiple family members of Victim-3 and threatened to kill them.

Not enough seriousness is attached to crimes where somebody’s life is put in danger because phone calls are used to impersonate them. Would we still think a five-year prison sentence would be appropriate if the police had responded by using deadly force whilst apprehending O’Connor’s target? Swatting occurs precisely because the fraudster is aware that attempted arrests can lead to fatalities, especially when the police are scared. But only a portion of this sentence relates to O’Connor hiding behind the supposed anonymity of a phone call whilst deliberately putting another person at serious risk.

It is hard to judge how much effort would have been put into catching O’Connor if he had not been part of a crime that embarrassed some of the world’s most powerful people, including Joe Biden, Barack Obama and Elon Musk. Theirs were amongst 130 social media accounts that were hijacked by socially engineering Twitter’s bumbling staff. The whole world knows about this fraud because it was broadcast on Twitter using the accounts of the world’s most-followed people, so it is telling that law enforcement bodies that are normally hungry for publicity chose to be coy about the victims of this particular crime.

In early July 2020, O’CONNOR’s co-conspirators used social engineering techniques to obtain unauthorized access to administrative tools used by Twitter to maintain its operations. Those co-conspirators were able to use the tools to transfer control of certain Twitter accounts from their rightful owners to various unauthorized users. In some instances, the co-conspirators took control themselves and used that control to launch a scheme to defraud other Twitter users. In other instances, the co-conspirators sold access to Twitter accounts to others. O’CONNOR communicated with others regarding purchasing unauthorized access to a variety of Twitter accounts, including accounts associated with public figures around the world. A number of Twitter accounts targeted by O’CONNOR were subsequently transferred away from their rightful owners. O’CONNOR agreed to purchase unauthorized access to one Twitter account for $10,000.

O’Connor also admitted to using a SIM swap to gain control of a prominent TikTok account, which he used to push his own messages whilst threatening the true owner with the release of private information. This attempted extortion mirrored an earlier attack he executed on a different public figure, whose Snapchat account was compromised using a SIM swap.

Many Brits and Americans have begun to feel a degree of unease about the integrity of governing institutions, and believe this is connected to increased corruption and criminality at the top of the food chain. But it is not our rulers who are teaching teenage boys how to conduct SIM swaps, how to trick call center employees, how to extort money from celebrities, how to launder cryptocurrency, and how to stalk girls online. These kids are learning how to do that from each other, using comms services that should be making the world better, but which are actually making it more frightening.

Communication is not just about making money; it is about the human experience of engaging with one another. Societies that underestimate the importance of trustworthy communication should expect the abuse of comms services to continually grow worse, no matter how much money is thrown at technological methods of cleaning up networks. No amount of disinfectant can keep a surface clean if we tolerate people who routinely spread dirt. Societies can only be healthy if everybody believes actions have consequences. Men like O’Connor convince themselves that their crime sprees will never lead to punishment. A five-year prison sentence will not attract enough media attention to cut through to the parents and teachers who need to instill some genuine fear of the legal system amongst wayward boys before they start doing real harm. Society must do more to deter each new generation of young male cybercrooks and cyberbullies. Otherwise their numbers will rise because of the speed with which they can train and indoctrinate new recruits to the cybercriminal fraternity.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.