A major international operation: Poland and the FBI strike a network of SIM swappers
The specialized Polish police cybercrime unit (CBZC), in cooperation with the FBI and the U.S. Homeland Security Investigations (HSI), conducted a large-scale operation. As a result, four members of an organized criminal group involved in cryptocurrency theft were detained. The main tool used by the perpetrators was a classic, but no less dangerous, SIM-swap attack.
The detainees face charges on a range of serious offenses: forming a criminal organization, unauthorized access to computer systems for theft, and laundering of criminally obtained funds. By court order, all four have been remanded in custody pending trial. The maximum penalty they face is 25 years in prison.
The Deception Technique: From Social Engineering to Account Takeover
The scheme developed by the group is telling. The attackers did not hack complex exchange algorithms. Their attack began with the "human factor." Using social engineering methods and specialized malware, they gained access to the corporate email of employees at companies affiliated with telecom operators.
Once they held those credentials, the criminals initiated a SIM swap: the victim's number was transferred to a SIM card under their control. From that moment every SMS and call to the number reached the attackers, so they could reset passwords, satisfy two-factor authentication (2FA) tied to the phone number, and take full control of cryptocurrency wallets and exchange accounts. The scheme illustrates the core weakness: a phone number is an identifier administered by the telecom operator, not a secret held by the user, so any account whose password reset or 2FA runs over SMS is only as secure as the operator's subscriber-management processes and the staff who run them.
According to the FBI's Internet Crime Complaint Center, reported losses from SIM-swap attacks in the U.S. alone exceeded $68 million in 2021, and that figure counts only the complaints that were actually filed. It is just the tip of the iceberg.
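A service that is forced to keep a phone number as a factor can at least refuse to trust it right after the number changes hands. The risk gate below is an added example, not code from CBZC, the FBI or any exchange mentioned in the article. It assumes the service receives SIM-change and port-out events for its users' numbers (carriers do expose such signals; the event feed, numbers and request times here are constructed), blocks SMS codes and phone-based recovery for a cooldown window after such an event, and never offers SMS at all when a stronger factor is enrolled.

```python
"""Risk gate for SMS-based 2FA and account recovery after a SIM change.

Added illustration, not the code of any party named in the article. It
assumes the service is fed SIM-change / port-out events for its users'
numbers; the events, numbers and timestamps below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Set, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class SimEvent:
    msisdn: str       # phone number in E.164 form
    kind: str         # "sim_change" or "port_out"
    at: datetime      # timezone-aware UTC timestamp


@dataclass(frozen=True)
class Decision:
    allow_sms: bool
    reason: str


# Refuse SMS codes and phone-based recovery for 72 h after a SIM change
# or port-out: the SIM swap in the article was followed within minutes
# by password resets, so the window is where the attack happens.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)

# Constructed sample feed (hypothetical numbers, not real subscribers).
SAMPLE_EVENTS = [
    SimEvent("+48500100200", "sim_change", datetime(2024, 5, 1, 10, 0, tzinfo=UTC)),
    SimEvent("+48500300400", "sim_change", datetime(2024, 4, 20, 8, 30, tzinfo=UTC)),
    SimEvent("+48500500600", "port_out", datetime(2024, 5, 1, 9, 45, tzinfo=UTC)),
]


def last_sim_event(msisdn: str, events: Iterable[SimEvent],
                   now: datetime) -> Optional[SimEvent]:
    """Most recent SIM change or port-out for the number at or before `now`.

    Events stamped in the future (clock skew, replayed feed) are ignored
    rather than letting them extend or shorten the cooldown.
    """
    hits = [e for e in events if e.msisdn == msisdn and e.at <= now]
    return max(hits, key=lambda e: e.at) if hits else None


def sms_factor_allowed(msisdn: str, events: Iterable[SimEvent], now: datetime,
                       cooldown: timedelta = SIM_CHANGE_COOLDOWN) -> Decision:
    """May an SMS code or phone-based reset be sent to this number right now?"""
    ev = last_sim_event(msisdn, events, now)
    if ev is None:
        return Decision(True, "no SIM change on record")
    age = now - ev.at
    if age < cooldown:
        return Decision(False, f"{ev.kind} {age} ago, inside {cooldown} cooldown")
    return Decision(True, f"last {ev.kind} {age} ago, outside cooldown")


# Factors that do not depend on who controls the phone number.
STRONG_FACTORS = ("fido2", "totp")


def choose_second_factor(enrolled: Set[str], msisdn: str,
                         events: Iterable[SimEvent],
                         now: datetime) -> Tuple[str, Decision]:
    """Pick the second factor for a sensitive action (login, reset, withdrawal).

    A hardware key or authenticator app always wins; SMS is used only when
    it is the sole enrolled factor and the number has been stable. Otherwise
    the action is routed to manual review instead of falling back to SMS.
    """
    for factor in STRONG_FACTORS:
        if factor in enrolled:
            return factor, Decision(True, f"{factor} enrolled; SMS not offered")
    if "sms" in enrolled:
        decision = sms_factor_allowed(msisdn, events, now)
        return ("sms" if decision.allow_sms else "manual_review"), decision
    return "manual_review", Decision(False, "no usable factor enrolled")


if __name__ == "__main__":
    # Constructed request: a password reset 20 minutes after the SIM change.
    now = datetime(2024, 5, 1, 10, 20, tzinfo=UTC)
    for number in ("+48500100200", "+48500300400", "+48500500600", "+48500700800"):
        print(number, sms_factor_allowed(number, SAMPLE_EVENTS, now))
    print(choose_second_factor({"sms", "totp"}, "+48500100200", SAMPLE_EVENTS, now))
    print(choose_second_factor({"sms"}, "+48500100200", SAMPLE_EVENTS, now))
```

The cooldown turns a SIM swap from an instant win into a race the attacker usually loses: the legitimate owner notices a dead phone within hours, while the attacker needs SMS to work within minutes. Routing the blocked case to manual review rather than to e-mail keeps the fallback from becoming the next weakest link.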
International Connections and the Scale of Money Laundering
The stolen funds did not remain in a single account. The criminals built an extensive financial network for money laundering, using personal bank accounts in Poland and abroad, payment services, and cryptocurrency mixers. According to investigators, the volume of laundered funds amounts to tens of millions of zlotys, equivalent to several million dollars.
This case is not an isolated incident. Similar prosecutions are actively underway in the U.S. as well. Recall, for instance, the theft of approximately $400 million from the bankrupt FTX exchange in 2022, which U.S. prosecutors have attributed to a SIM-swap scheme. The involvement of the FBI and HSI in the Polish investigation indicates that victims or infrastructure are located outside Poland. This case is yet another confirmation that cryptocurrency crime knows no borders, and close coordination between law enforcement agencies of different countries is necessary to combat it.
CBZC, established only in 2022, has not yet disclosed the names of the detainees, citing investigative secrecy. Unconfirmed rumors circulate on social media about a connection between one of the suspects and the well-known pseudonym Merry, but there is no official confirmation of this. This case is likely only the first act, with further arrests and high-profile revelations still to come.
Cryptalist Analysis: This case is a stark reminder for all market participants. Relying solely on SMS authentication is unforgivable negligence. I recommend that everyone, without exception, use hardware security keys (e.g., YubiKey) or authenticator apps (Google Authenticator, Authy) and completely disable SMS-based 2FA. The industry must move towards more secure standards; otherwise, such attacks will repeat again and again, undermining trust in the very idea of decentralized finance.