Police in the Canadian city of Hamilton have arrested an unnamed child aged 17 or younger after he or she spent cryptocurrency known to have been stolen during a SIM swap attack. The original SIM swap attack occurred in March 2020 and was worth approximately CAD46mn (USD36mn). The victim was a resident of the USA and police described the crime as “the biggest cryptocurrency theft reported from one person”. The arrestee faces charges of theft and of possessing property obtained by crime.
The arrestee was described as a ‘youth’ by the police but no other details have been provided about him or her. Canada’s Youth Criminal Justice Act generally prohibits the publication of information that could be used to identify offenders aged between 12 and 17. The arrestee was found by police after he or she spent some of the stolen cryptocurrency on purchasing a username for online gaming. Hamilton Police consequently made multiple seizures of cryptocurrency whose total value exceeds CAD7mn (USD5.5mn).
The Hamilton Police press release is succinct. Nevertheless, what little we know about this crime corresponds to a pattern established across many other SIM swap attacks. Victims with significant holdings in cryptocurrency are targeted by tech-savvy boys and young men who are still in their teens or early 20s. The thief does online research to obtain a phone number for their victim, then takes control of the victim’s phone account in order to intercept all the one-time passwords sent to that number for the purpose of two-factor authentication. With a bit of luck, or some additional knowledge, the criminal then gains control of the victim’s cryptocurrency wallet and removes its content, whilst expecting to escape without punishment because of the pseudonymous nature of cryptocurrency transactions.
This pattern is so well established that it should be easy to identify multiple ways to disrupt it.
- Providers of cryptocurrency services should not rely on sending messages to a customer’s phone number for the second authentication factor. It is reasonable to demand that everyone who has thousands invested in online cryptocurrency accounts protects themselves by spending a few minutes installing authentication apps on their smartphones.
- It is inadequate to arrest boys and then give them lenient sentences because they supposedly did not understand the consequences of their actions, or believed their crime was victimless. These young criminals are copying from each other. Kids should be taught in school that there is no difference between stealing online or stealing something physical. If they still engage in an enormous theft then the severity of the punishment should match the scale of the crime in order to deter other would-be thieves.
- Dispelling the disinformation that surrounds cryptocurrency would also help to discourage crime. Cryptocurrency transactions are pseudonymous, not anonymous. The user’s actions can be tracked and monitored over time even if the user’s real-life identity is unknown. Real-life identities generally have to be revealed when people make purchases in real life (or even when purchasing online gaming identities). Stolen cryptocurrency is of little value to criminals who dare not use it to buy anything they want.
- Telcos could do more to interfere with the methods used by SIM swappers. One simple but effective improvement is to provide an API that other businesses can use to check if there have been any recent changes to the SIM associated with a phone number. Reputable businesses can then put a moratorium on transactions authenticated using SIMs that may have recently been swapped.
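The moratorium described in the last point can be sketched as follows. This is an added example, not code from any telco or cryptocurrency provider; the `last_sim_change` lookup, the 72-hour window and the phone numbers are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"      # SMS one-time password may authenticate the transaction
    HOLD = "hold"        # moratorium: the SIM changed too recently
    STEP_UP = "step_up"  # SIM status unknown: require a non-SMS factor

MORATORIUM = timedelta(hours=72)  # assumed window, not a figure from the article

def sms_otp_decision(number, last_sim_change, now=None, window=MORATORIUM):
    """Decide whether an SMS-authenticated transaction may proceed.

    last_sim_change is a hypothetical client for the telco API: it returns the
    timezone-aware datetime of the latest SIM change for the number, None if
    the telco has no change on record, and raises LookupError if it cannot answer.
    """
    now = now or datetime.now(timezone.utc)
    try:
        changed_at = last_sim_change(number)
    except LookupError:
        return Decision.STEP_UP  # fail closed: no answer is not a clean answer
    if changed_at is None:
        return Decision.ALLOW
    if changed_at.tzinfo is None:
        return Decision.STEP_UP  # ambiguous timestamp, cannot compare safely
    # A timestamp in the future (clock skew, bad data) also counts as recent.
    if now - changed_at < window:
        return Decision.HOLD
    return Decision.ALLOW

# Constructed sample data standing in for telco responses.
NOW = datetime(2021, 11, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "+15550100": NOW - timedelta(hours=5),   # swapped five hours ago
    "+15550101": NOW - timedelta(days=400),  # long-standing SIM
    "+15550102": None,                       # no change on record
}

def sample_lookup(number):
    if number not in SAMPLE:
        raise LookupError(number)  # e.g. number served by another carrier
    return SAMPLE[number]

if __name__ == "__main__":
    for n in list(SAMPLE) + ["+15550199"]:
        print(n, sms_otp_decision(n, sample_lookup, now=NOW).value)
```

A lookup failure leads to a step-up rather than an allow, so an outage of the telco API cannot be used to bypass the moratorium.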
We should not find it so hard to discourage and prevent children from stealing tens of millions of dollars. That these SIM swap cryptocurrency heists keep occurring is an indictment of the extent to which everybody involved – victims, parents, schools, police, justice systems, governments, telcos and cryptocurrency firms – prefers to place the blame on others instead of taking more responsibility for their own failings.