International police say 10 suspects have been arrested for fraudulently accessing the phones of celebrities to steal about $100 million cryptocurrency as well as personal data throughout 2020.
The sting included eight arrests in the United Kingdom as well as one in Malta and another in Belgium, according to Europol. The U.S. Secret Service, Department of Homeland Security and FBI were all involved in the operation, the U.K.’s National Crime Agency (NCA) said Wednesday.
As of Wednesday morning, it was unclear who the victims were, but the NCA said they included “well-known influencers, sports stars, musicians, and their families.” Neither Europol nor the NCA named the suspects.
Victims’ phones were targeted via SIM swapping, police said. Unlike a direct hack on a person’s device, SIM swapping — also known as SIM hijacking — typically involves a little help from other humans. Scammers often take over a person’s digital profile by deactivating the SIM card on the victim’s phone and swapping the phone number to their own.
“This is typically achieved by the criminals exploiting phone service providers to do the swap on their behalf, either via a corrupt insider or using social engineering techniques,” the NAC said.
With a victim’s phone number now connected to a criminal’s device, it’s possible to break into all sorts of online profiles and accounts.
SIM swapping enabled the criminal network “to steal money, cryptocurrencies and personal information, including contacts synced with online accounts,” Europol said. “They also hijacked social media accounts to post content and send messages masquerading as the victim.”
Paul Creffield, head of operations in the NCA’s National Cyber Crime Unit, noted that SIM-swapping gangs typically pull in people with different specialties.
“SIM swapping requires significant organization by a network of cyber criminals, who each commit various types of criminality to achieve the desired outcome,” Creffield said.
The U.S. Federal Trade Commission says there are ways to either stop SIM-swapping directly, or at least limit the damage that can happen when scammers have already completed a swap. An extra layer of security on a person’s mobile phone account, such as a PIN number, can make it tougher for outsiders to obtain access, the agency says. The FTC also recommends using extra layers of security — such as multi-factor authentication that employs something other than text messages — on all important online accounts.
In some cases, law enforcement was able to intervene before any fraud happened, the NCA said.
“NCA and US investigators notified individuals when they had been targeted and where possible, prior to the criminals managing to cause any damage,” the U.K. agency said. “The victims were then advised on how to prevent the impending attack.”
Police typically announce multiple major SIM-swapping stings every year. In March 2020, Europol said it had busted a network of at least 26 scammers. The U.S. Department of Justice made two arrests in November 2019 and indicted seven people in May 2019.