In brief: A 20-year-old college student has been arrested and charged with hijacking more than 40 phones and stealing $5 million in cryptocurrencies. He used a technique called "SIM swapping" to gain access to the numbers and then ran port out scams.
On July 12, Boston resident Joel Ortiz was arrested in California for allegedly being involved in a cell phone hacking ring. According to court documents obtained by Motherboard, he faces 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft.
Ortiz allegedly targeted people who were attending the cryptocurrency/blockchain conference Consensus in New York back in May of this year. He and some unnamed accomplices used social engineering to trick cellular providers into transferring victims' phone numbers to SIM cards that they controlled. This technique is known as SIM swapping or hijacking.
Once the hackers have control of the phone numbers, they use them to gain access to social media and other online accounts and reset the passwords, locking the rightful owner out. This is known as a "port out scam," and it is effective even against two-factor authentication that sends its codes to the phone, since the crooks control the phone number.
Ortiz was apprehended at the Los Angeles International Airport, reportedly headed to Europe. Once in custody, he confessed that he and his cohorts had access to millions of dollars' worth of cryptocurrency.
According to police, Ortiz belonged to a website called OGUsers, which traffics in stolen Instagram and Twitter accounts. In addition to the cryptocurrencies he took from his victims, he would also have sold their social media accounts for Bitcoin.
Ortiz currently sits in jail, unable to post his one-million-dollar bail without his ill-gotten gains. He has a plea hearing scheduled for August 9. His lawyers declined to comment on his plea or defense.
It is easy to prevent yourself from becoming a victim of SIM swapping by adding a PIN to your smartphone account. The procedure to do this varies from carrier to carrier, but Clark has a good write-up on how to get it done. Additionally, Motherboard suggests setting up a spoken password with your provider so it can easily verify your identity during calls.