Poland and the FBI have disrupted the activities of a group that stole cryptocurrencies through SIM-swapping.
The Central Cybercrime Bureau of Poland (CBZC), together with the FBI and U.S. Homeland Security Investigations (HSI), conducted a large-scale operation to detain four members of an organized criminal group specializing in cryptocurrency theft. The perpetrators used a classic but still effective SIM-swap scheme that let them take control of victims' phone numbers.
The detainees are charged with creating a criminal organization, illegal access to computer systems, and money laundering. Currently, all four are in custody and face up to 25 years in prison. The investigation, coordinated by the Regional Prosecutor's Office in Krakow, is ongoing, and further arrests are not ruled out.
How the theft scheme worked
According to the investigation, which I analyzed, the group operated using a multi-stage but well-established scheme. Initial access to the IT systems of companies cooperating with telecom operators was obtained not through technical hacking, but through social engineering methods. Using phishing and psychological manipulation, the criminals gained access to employees' work emails and specialized software.
Having obtained the necessary data, the group launched SIM-swap attacks, cloning or intercepting victims' phone numbers. With control over SMS and email, the attackers reset passwords, bypassed two-factor authentication, and took over accounts on cryptocurrency exchanges. The digital assets were then transferred to wallets the group controlled. This scheme once again demonstrates a fundamental vulnerability: many services still allow account recovery via phone number, making them easy targets.
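One way an exchange could detect the sequence described above (SMS-based recovery, then a new payout address, then a withdrawal), shown as an added example that is not code from the investigation or from any named service. The event names, fields and the 24-hour window are assumptions, and the log entries are constructed.

```python
from datetime import datetime, timedelta

# Assumed event kinds that count as account recovery in this example.
RECOVERY = {"password_reset", "2fa_reset"}

# Constructed account events: (ISO time, account, kind, detail). Not real data.
EVENTS = [
    ("2024-05-01T08:00:00", "dave", "password_reset", {"channel": "sms"}),
    ("2024-05-01T08:30:00", "dave", "address_added", {"address": "addr-d-new"}),
    ("2024-05-01T09:05:00", "alice", "address_added", {"address": "addr-a-old"}),
    ("2024-05-02T02:10:00", "bob", "password_reset", {"channel": "sms"}),
    ("2024-05-02T02:14:00", "bob", "2fa_reset", {"channel": "sms"}),
    ("2024-05-02T02:20:00", "bob", "address_added", {"address": "addr-b-new"}),
    ("2024-05-02T02:31:00", "bob", "withdrawal", {"address": "addr-b-new"}),
    ("2024-05-02T10:00:00", "carol", "password_reset", {"channel": "security_key"}),
    ("2024-05-02T10:05:00", "carol", "address_added", {"address": "addr-c-new"}),
    ("2024-05-02T10:10:00", "carol", "withdrawal", {"address": "addr-c-new"}),
    ("2024-05-03T12:00:00", "alice", "withdrawal", {"address": "addr-a-old"}),
    ("2024-05-04T08:00:00", "dave", "withdrawal", {"address": "addr-d-new"}),
]

def flag_sms_recovery_withdrawals(events, window=timedelta(hours=24)):
    """Return (account, time, address) for withdrawals sent to an address that
    was added after an SMS-based recovery, within `window` of that recovery."""
    last_sms_recovery = {}  # account -> time of latest SMS-based recovery
    address_added = {}      # (account, address) -> time the address was added
    alerts = []
    for ts, account, kind, detail in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind in RECOVERY and detail.get("channel") == "sms":
            last_sms_recovery[account] = when
        elif kind == "address_added":
            address_added[(account, detail["address"])] = when
        elif kind == "withdrawal":
            recovered = last_sms_recovery.get(account)
            added = address_added.get((account, detail["address"]))
            if (recovered is not None and added is not None
                    and recovered <= added          # address is newer than recovery
                    and when - recovered <= window):  # payout soon after recovery
                alerts.append((account, ts, detail["address"]))
    return alerts

if __name__ == "__main__":
    for alert in flag_sms_recovery_withdrawals(EVENTS):
        print("hold for review:", alert)
```

A hit is a reason to hold the withdrawal and re-verify the owner through a factor that does not depend on the phone number.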
Money laundering and international cooperation
The stolen funds were quickly distributed across an extensive financial network, including personal bank accounts in Poland and abroad, payment services, and multi-currency crypto wallets. Investigators estimate the scale of money laundering at tens of millions of zlotys, comparable to other European crypto money laundering networks dismantled over the past year.
Notably, the FBI and HSI became involved in the case. This is a direct indication that the victims or infrastructure are located outside Poland. This case is a vivid example of how international crimes in the crypto industry require coordinated efforts from law enforcement agencies in different countries. Similar cooperation has been observed in the arrests of organizers of major SIM-swap schemes in the U.S.
The CBZC, established in 2022, has not yet disclosed the names of the detainees, citing the ongoing investigation. Unconfirmed information has appeared online about a connection between one of the accused and the well-known pseudonym Merry, but there is no official confirmation of this.
Expert opinion: This operation is yet another reminder of the critical importance of abandoning SMS authentication in favor of hardware keys or biometrics. As long as crypto services and telecom operators fail to address this systemic vulnerability, SIM-swap will remain one of the most effective and profitable tools in cybercriminals' arsenals. The industry needs to move toward stricter security standards, or we will see more high-profile thefts.