A brief series of cyber attacks recently led to the theft of an astoundingly large amount of cryptocurrency. The perpetrator, Joel Ortiz, broke into his victims’ cryptocurrency accounts and withdrew funds. He also used their social media accounts to make threats and demand Bitcoin payments. Ortiz was arrested when one of his victims reported the attack. By then, Ortiz had stolen from just 40 victims but had obtained over $5 million.
The attacks involved SIM hijacking, a form of identity theft. The hijacker pretends to be their victim, then contacts the victim’s cell phone provider and asks for a new SIM card. Essentially, the hijacker redirects the victim’s incoming phone calls and texts to the SIM card they just obtained.
Since many accounts use phone numbers to reset passwords, this technique enables the hijackers to gain access to various accounts. In this case:
“Ortiz took control of the entrepreneur’s cellphone number, reset [the victim’s] Gmail password and then gained access to his cryptocurrency accounts. The entrepreneur ran to the AT&T store to get his number back, but it was too late.”
Vice’s Motherboard broke the story and called it “the first reported crime of its kind.” The story has gone viral, but in fact, SIM hijacking has been used to steal crypto before.
Last fall, the New York Times reported a theft of $1500 worth of crypto in this manner. Around the same time, a Medium blogger claimed to have lost $9000 in this way. However, this time, the sum of money is certainly bigger: Ortiz targeted prominent crypto investors.
By some reports, SIM hijacking has been on the rise since 2013. Until recently, SIM hijackers usually targeted bank accounts and PayPal accounts. Now, crypto exchanges and online wallets provide an opportunity to move large amounts of funds. Social media accounts are also stolen: Ortiz had previously used the technique to hijack social media accounts and sell them for crypto.
The security measure that enabled these attacks—that is, the practice of using phone numbers to send verification codes and reset passwords—has been widely condemned. Many better alternatives exist, but ultimately it is up to each website to support those methods, and none are widespread.
Centralized exchanges and wallets, which the attacker withdrew money from, are the other weak link. These sites are vulnerable to large-scale attacks as well as small-scale attacks like this one. In the end, there is no substitute for cold storage.
The post SIM Hijacking Spree Ravages 40 Cryptocurrency Investors, Over $5M Stolen appeared first on UNHASHED.