SIM-Swap Operation: Polish cybercrime police and the FBI bust a cryptocurrency theft group
Poland's Central Cybercrime Bureau (CBZC), with support from the FBI and U.S. Homeland Security Investigations (HSI), has carried out a large-scale operation. Four members of an organized group specializing in stealing digital assets through SIM-swap attacks have been detained. They have been charged with forming a criminal organization, gaining unauthorized access to computer systems, and money laundering, and face up to 25 years in prison.
How the Cryptocurrency Theft Scheme Worked
Analysis of the investigation materials shows that the perpetrators did not break into telecom infrastructure head-on. Initial access came through social engineering: psychological manipulation of employees at companies cooperating with telecom operators. With the help of specialized malware, they then gained access to those employees' corporate email accounts.
Next came the key stage, the SIM swap itself. The criminals had victims' phone numbers transferred to SIM cards under their control, so that calls and SMS messages for those numbers reached the attackers rather than the victims. With SMS and email in hand, they reset passwords, defeated SMS-based two-factor authentication, and took over accounts on cryptocurrency exchanges; the funds were then withdrawn from the victims' wallets. The scheme exploits a fundamental weakness: many services still treat possession of a phone number as proof of identity for login, two-factor authentication and account recovery, so whoever controls the number effectively controls the account.
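The takeover chain described above leaves a recognizable trace on the exchange side: a password reset confirmed by SMS, a change of the 2FA method, and a withdrawal, all within minutes. The detector below is an added illustration written for this article, not code from the CBZC investigation or from any exchange; the event field names, the one-hour window and the sample log entries are constructed assumptions. It flags accounts where an SMS-verified reset or 2FA change is followed by a withdrawal inside the window, while leaving alone a reset confirmed by an authenticator app and a reset that happened days before the withdrawal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). The field names are an
# assumption for this example, not any exchange's actual log schema.
SAMPLE_EVENTS = [
    # Shape of the takeover the article describes: SMS-confirmed password
    # reset, 2FA changed, login from the same address, withdrawal, all in
    # under half an hour.
    {"ts": "2024-03-01T10:02:00", "account": "u1001", "event": "password_reset", "channel": "sms",  "ip": "203.0.113.7"},
    {"ts": "2024-03-01T10:05:30", "account": "u1001", "event": "2fa_changed",    "channel": "sms",  "ip": "203.0.113.7"},
    {"ts": "2024-03-01T10:09:00", "account": "u1001", "event": "login",          "channel": "web",  "ip": "203.0.113.7"},
    {"ts": "2024-03-01T10:21:00", "account": "u1001", "event": "withdrawal",     "channel": "web",  "ip": "203.0.113.7"},
    # Legitimate: SMS reset a week earlier, withdrawal today (outside window).
    {"ts": "2024-02-22T09:00:00", "account": "u2002", "event": "password_reset", "channel": "sms",  "ip": "198.51.100.4"},
    {"ts": "2024-03-01T12:00:00", "account": "u2002", "event": "withdrawal",     "channel": "web",  "ip": "198.51.100.4"},
    # Legitimate: reset confirmed with an authenticator app, not a phone number.
    {"ts": "2024-03-01T14:00:00", "account": "u3003", "event": "password_reset", "channel": "totp", "ip": "192.0.2.9"},
    {"ts": "2024-03-01T14:10:00", "account": "u3003", "event": "withdrawal",     "channel": "web",  "ip": "192.0.2.9"},
]

# Window chosen for the example; a real deployment would tune this.
WINDOW = timedelta(hours=1)
# Account-control events that, when confirmed over SMS, indicate phone-number
# possession was accepted as proof of identity.
RECOVERY_EVENTS = ("password_reset", "2fa_changed")


def parse(events):
    """Parse timestamps and sort by account, then time."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: (e["account"], e["ts"]))


def detect_sms_recovery_takeovers(events, window=WINDOW):
    """Return {account: finding} for accounts where an SMS-confirmed
    password reset or 2FA change is followed by a withdrawal within window."""
    by_account = defaultdict(list)
    for e in parse(events):
        by_account[e["account"]].append(e)

    findings = {}
    for account, evs in by_account.items():
        sms_resets = [e for e in evs
                      if e["event"] in RECOVERY_EVENTS and e["channel"] == "sms"]
        withdrawals = [e for e in evs if e["event"] == "withdrawal"]
        for w in withdrawals:
            # Only resets that precede this withdrawal and fall inside the window.
            prior = [r for r in sms_resets
                     if timedelta(0) <= w["ts"] - r["ts"] <= window]
            if not prior:
                continue
            findings[account] = {
                "withdrawal_at": w["ts"].isoformat(),
                "preceded_by": sorted({r["event"] for r in prior}),
                "minutes_since_first_reset": int((w["ts"] - prior[0]["ts"]).total_seconds() // 60),
                # Same source address on the reset and the withdrawal strengthens the case.
                "same_ip_as_reset": any(r["ip"] == w["ip"] for r in prior),
            }
            break  # one finding per account is enough to raise an alert
    return findings


if __name__ == "__main__":
    for account, finding in detect_sms_recovery_takeovers(SAMPLE_EVENTS).items():
        print(account, finding)
```

The rule deliberately keys on the confirmation channel, not on the reset itself: a reset confirmed by an authenticator app or a passkey is not evidence that a phone number was hijacked. In production this would be one signal among several (new device, new withdrawal address, a carrier's SIM-change notification where one is available), and the action on a hit is a withdrawal hold plus out-of-band contact with the customer, not an automatic block.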
International Trail and Scale of Damage
Stolen funds were quickly dispersed through a sprawling financial network. Investigators estimate the scale of the money laundering at tens of millions of zlotys (millions of dollars). The network used personal bank accounts in Poland and abroad, payment services, and multi-currency crypto wallets, a structure comparable to other major European cryptocurrency laundering networks dismantled over the past year.
Notably, the case is being overseen by the Regional Prosecutor's Office in Krakow, and the involvement of the FBI and HSI suggests that victims or infrastructure are located outside Poland. International cooperation has become a prerequisite for combating cross-border cybercrime in the crypto industry, and this case is a clear example of it.
The CBZC, established in 2022, has not disclosed the names of the detainees, citing the ongoing investigation. Unofficial sources have floated an unconfirmed theory linking one of the individuals to the well-known pseudonym Merry. The agency does not comment on this, but notes that the case remains open and further arrests are possible.
Expert comment: This case is yet another reminder that SMS- and phone-number-based security is critically unreliable. To protect crypto assets, I strongly recommend using hardware wallets (cold storage) and authenticator apps rather than SIM-based verification. The industry must more actively adopt passkey standards and biometrics to render such attacks useless.