This Is How Two Young American SIM Swappers Operated

• Two SIM swappers in the US have been arrested after one tried to trap the other.
• The men managed to phish telecommunication provider employee accounts and did the swapping on their own.
• They are now facing a wide spectrum forfeiture order that includes money, cryptocurrency, and property.

Two young men from the United States have been arrested and charged with fifteen counts of identity theft and conspiracy by the District Court of Maryland. Jordan K. Milleson and Kyell A. Bryan, who are 21 and 19 years old, respectively, have taken the “easy money” way of SIM swapping, phishing, vishing, and even swatting. The hacking and scamming activities took place between September 2017 and February 2020, while prosecutors managed to track the two men down when Bryan attempted to rat on Milleson following a dispute between them.

To perform the SIM swapping (which is to port the phone numbers of other people to a blank SIM card for 2FA protection bypassing purposes), the two men used a telco’s administration tools themselves. For this, they had to first phish the company employee, and they did that through phishing emails that appeared legitimate, as well as vishing them by impersonating representatives of legitimate businesses.

At least two telecommunication companies fell victim to this tactic, but they were not named in the indictment. KrebsOnSecurity dug in previously leaked messages of Bryan’s account on OGusers and found that the man was seeking advice on how to create a T-Mobile employee phishing page.

The swatting part - which is to call the authorities and provide false information that would trigger a SWAT team raid - took place through VoIP calls to protect the caller’s identity. This happened at least once when Bryan called the police and told them that Milleson had shot his father at home.

Related: These Were the Most Imitated Brands in Phishing Campaigns During Q3 2020

Milleson and Bryan’s goal was to gain access to cryptocurrency accounts that used the aforementioned phone numbers for the two-factor authentication step. It is difficult to estimate how successful they were on this in numbers, but the indictment requires them to forfeit $16,847.47 and all Bitcoin or other digital currency that can be traced and linked with the charged offenses.

The defendants are to lose any other property they hold if the court finds that they moved the crypto beyond its jurisdiction, hid it, or transferred it to a third person, sold it, or if its value has substantially diminished by now.

This case underlines that criminals cannot trust each other, crime doesn’t pay in the long run, SMS-based 2FA is not secure enough, and that telco admin tools aren’t protected sufficiently (MFA) against hackers who may hold valid credentials.