Tech

SIM Swapping Victims Who Lost Millions Are Pressuring Telcos to Protect Their Customers

A person inserts a SIM card into a cell phone.

In the last year, hundreds—perhaps thousands—of people have had their phone numbers hijacked by hackers looking to steal their unique Instagram usernames or their cryptocurrency. Using a technique known as SIM swapping—a process by which criminals take control of a target’s phone number—hackers have been able to steal millions of dollars from bitcoin and other digital currencies investors.

Now, a small group of victims who lost millions to these cybercriminals is trying to fight back.

Videos by VICE

On Tuesday, the group led by tech entrepreneur Robert Ross launched an initiative to raise awareness about the scam, provide resources to victims, and attempt to prevent future heists by putting pressure on cell phone providers, who have been sluggish at stopping hackers.

“This is a major problem that’s growing fast,” Ross, who lost $1 million from his Gemini and Coinbase accounts last year in a SIM swapping hack, told Motherboard in a phone call. “I really believe this is being enabled by the carriers.”

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv

Ross is calling the initiative called StopSIMCrime. He announced it on Tuesday in a press release and website.

The site is intended to be a central hub for victims of SIM swapping, as well as for people worried about becoming targets. There’s an FAQ page that explains what SIM swapping is, and how to prevent it or at least make it harder for the criminals. Other pages have links to news articles, as well as documents from criminal and civil cases against SIM swapping criminals.

The site also helps victims connect with the Regional Enforcement Allied Computer Team or REACT, a task force in Silicon Valley that’s led some of the most high-profile cases against SIM swappers, such as the arrest of Joel Ortiz, Xzavyer Narvaez, and Nicholas Truglia—all accused of SIM swapping victims to steal several millions of dollars from their online cryptocurrency wallets.

In a call on Tuesday, Ross said he got the idea for the site and the initiative when he himself became a victim in October of last year. It was a Friday evening when his phone went off and he saw three notifications from Authy, the app that provides two-factor authentication.

Ross said the notifications alerted him that there was a new device registered on his account, that there was a new connection to his cryptocurrency account on Gemini, and another one that asked him to authorize a withdrawal. Then, his Gmail got logged out. When Ross saw that his cell phone had lost cellular service—a sign that hackers had taken control over his phone number—he realized he was being attacked.

“I immediately said to myself oh my god I’m under attack,” Ross told me. “I freaked out and I didn’t really know what to do.”

1546972032124-Screen-Shot-2019-01-08-at-125946-PM
A screenshot of Ross’ cellphone when hackers took control of his number and hacked into his Gemini account. Image: Robert Ross

As a result of the hack, hackers stole $1 million, “a majority of my life savings,” as he put it. At the time, Ross said he had never heard of SIM swapping or SIM hijacking (the hack is also sometimes called port out scam). So the first major challenge became to figure out what to do regain control of his digital life, and then to remediate the damages the hackers had caused.

As Ross told me, and as I can myself attest having spoken with several victims, there’s very little documentation and advice online on what to do if criminals take control of your phone number and then leverage it to steal your money, be it dollars or Bitcoin. That’s what Ross wants to change with StopSIMCrime.org.

For now, his initiative has somewhat vague goals such as pushing for new legislation and helping people sue their carriers. Michael Terpin, another victim of SIM swapping who has helped Ross in the last few weeks, sued AT&T last year asking for more than $200 million in damages.

Ross hopes that more victims will do the same against their own carriers.

“We want to combine resources even if we can’t combine lawsuits,” he said, referring to the fact that carriers have rules against customers doing class action lawsuits against their providers.

AT&T, T-Mobile, Verizon, and Sprint did not respond to a request for comment.

Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.