SIM Swapping Telco Manager Paid $1,000 Plus a Percentage for Each Fraud

A manager at an unnamed telecoms company in the USA has pleaded guilty to receiving payment from fraudsters in exchange for giving them access to customer accounts. The prosecutors’ press release says Jonathan Katz, also known as ‘Luna’, a 42-year-old living in Marlton, New Jersey, was responsible for:

…swap[ping] the SIM numbers associated with the customers’ phone numbers into mobile devices controlled by another individual, enabling this other individual to control the customers’ phones and access the customers’ electronic accounts — including email, social media, and cryptocurrency accounts. In exchange for the swaps, Katz was paid in Bitcoin, which was traced back to Katz’s cryptocurrency account.

An unnamed co-conspirator agreed to pay USD1,000 in bitcoin for each customer account that Katz hijacked. A court filing also refers to the co-conspirator agreeing to pay an unspecified percentage of the criminal profits generated by accessing the mobile devices of their victims.

Five victims are mentioned in an earlier court filing made after Katz’s arrest in December 2021. These five accounts were accessed by Katz between May 11 and May 19 of that year. The victims were resident in a variety of different states spread across the USA, implying Katz worked for a national provider of mobile communications.

Katz was no criminal genius. The bitcoin payment for his crimes was received in a cryptocurrency account held in his own name and opened using valid identity documents belonging to him. Leading police forces have mastered the ability to follow the digital trail of breadcrumbs for cryptocurrency transfers, irrespective of those transfers being pseudonymous in nature. Whilst the technological basis of cryptocurrency does not require ownership to be associated with an identifiable individual, spending money in the real world tends to involve using an exchange that has to know who its customers are.

No mention has been made of the amounts stolen from victims using Katz’s access rights. His sentencing hearing is scheduled for July 16. The maximum possible prison sentence is 5 years. Katz may also receive a fine of up to the greater of USD250,000 or double the amount that was stolen.

The same essential themes keep recurring with SIM swap crimes. Contrary to silly press stories about sophisticated hackers, it is easier to just bribe telco insiders to facilitate crime. The payment of Katz in bitcoin and the mention of the victims’ cryptocurrency accounts in the press release fit an established pattern where SIM swappers select targets believed to have large cryptocurrency holdings. Fearmongering about every phone user being at threat ignores the economic realities of crime. No criminal pays USD1,000 just to see if a randomly chosen victim has more than USD100 in their bank account.

The most effective way to tackle SIM swap fraud would be based on the intelligent evaluation of risk. Greater controls should be applied to phone accounts belonging to individuals who identify themselves as being potential targets because they store a lot of wealth in forms that are easy to access online. Better still, cryptocurrency businesses that know how much every customer holds in their accounts should not permit the richest customers to rely upon weak general-purpose methods of authentication like one-time passwords sent by SMS.

Eric Priezkalns (http://revenueprotect.com)

Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), an association of professionals working in risk management and business assurance for communications providers. RAG was founded in 2003 and Eric was appointed CEO in 2016.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press.
