SIM-Swap attack started at an AT&T store in Boston
Gregg Bennett remembers all too well the date — it was April 15, 2019, and a rare sunny day in Seattle — when he was sitting on a park bench talking with his son and his phone shut down mid-conversation.
“We were talking about some of our business things and all of a sudden my phone absolutely goes dead,” he told Cybercrime Magazine as he recounted the beginning of a harrowing story that began with a disabled phone and ended up with the disappearance of nearly $1 million worth of cryptocurrency funds.
It was only when his email went dead and early enquiries with AT&T revealed that his secret access code had recently been changed without his knowledge that Bennett — an angel investor with Bennett Enterprises whose 16 years of experience include supporting over 30 startup companies and chairing companies including SCATE Ventures and Data Skrive — realized there was something far more sinister going on.
A hacker, it turns out, had taken control of Bennett’s SIM card, allowing them to take over his digital identity — and control the numerous cryptocurrency accounts that he and his son had used for speculative investments in Bitcoin and other cryptocurrencies.
“I have been active in a number of crypto-related forums and conferences, and I recognized that these folks who do those things are targets,” he recalls. “But I really didn’t understand what SIM swapping was at the time; I just knew my phone was out of whack.”
By the time he recovered access to his phone, the damage was done: Bennett couldn’t access any of his crypto exchange accounts — Bittrex, Binance, KuCoin, Coinbase, and others — and emails to alert the exchanges of the hack went unheeded until long after his accounts had been emptied.
After the Washington Department of Financial Institutions investigated the theft and blamed Bittrex for lapses in account controls, Bennett sued the firm to recover what — with Bitcoin prices sitting at over $5,100 on the day of the theft — added up to nearly $1 million in losses.
“I learned a number of hard lessons through this process,” Bennett explained as he recounted the way hackers exploited legitimate account-recovery processes to worm their way into the heart of his investment purse.
Exploiting the system
Subsequent investigations revealed that someone had walked into an AT&T store in Boston, pretending to be Bennett, and got a staff member — “subsequent investigations absolutely [corroborated] the fact it was an inside job,” Bennett said — to port his number to a new phone and SIM card.
Ultimately, the assistance of agencies such as the FBI and the Santa Clara Regional Enforcement Allied Computer Team (REACT) helped identify the perpetrator of the theft — “a 17-year-old with an accomplice, who was very good on a computer and somehow was able to convince somebody at AT&T to give up my credentials,” Bennett said.
“They were actually very good and very efficient,” he admitted. “I’ve got to give him some credit for how good they were.”
The perpetrator tried to extort Bennett by restoring one of his four email accounts to open up a communications channel — and promising to restore access to his accounts for an additional 50 Bitcoin.
“I didn’t really respond to any of [the fraudster’s emails],” Bennett said, “because it really is a slippery slope here of how you respond.”
A settlement with the perpetrators ultimately led to Bennett — one of many victims — being promised the return of between 20 and 40 percent of his Bitcoin, although “to this date,” he said, “I have not received that compensation back.”
The fact that Bitcoin is worth much more today than in the past could even put Bennett’s cryptocurrency investment portfolio well into the black — but in the end, he says, “it wasn’t a loss of money that was the worst part of this whole thing.”
“The worst part of it was a complete loss of identity for a period of time — and when they took over their identity, they took over everything,” even including his Starbucks and Costco accounts.
“They see everything that everybody sends you email about, and they have a goldmine for figuring out how to torment you,” Bennett said. “Figuring that out, and recovering my email addresses, caused me more stress than the loss of money.”
SIM swapping — in which perpetrators work with malicious insiders to cancel a victim’s mobile-phone account, then redirect the number to their own SIM card so they can exploit SMS-based forgotten-password methods — has become an increasingly profitable problem that EUROPOL has called “a significant concern and huge potential danger and risk.”
Last month, the culmination of a year-long international police investigation led to the arrest of eight cybercriminals who had together used SIM swapping to steal over $100 million worth of cryptocurrency from thousands of victims.
Because victims quickly realize their phone isn’t working, SIM-swapping criminals move fast to exploit the window of a few hours — but as Bennett and so many others have found, that can be more than enough time for criminals to take over their online identities.
“I don’t think SMS is enough security if you have a lot of money in these accounts,” he said.
Being targeted by SIM swappers doesn’t happen to just anybody, however: the recent cybercriminal ring targeted many high-profile celebrities and businesspeople, while Bennett believes he was targeted because of his involvement with cryptocurrency startups — and his potential inclusion on widely-available lists of crypto conference attendees.
“You have to be a target, and to be a target you’ve got to be in the crypto space,” he said. “But people go to conferences all the time.”
By David Braue, March 5, 2021, Published on CyberCrime Magazine