26.06.2026
04:23

Poland and the FBI have disrupted a group that was stealing cryptocurrencies through SIM swapping.

The Central Cybercrime Bureau of Poland (CBZC), in cooperation with the FBI and U.S. Homeland Security Investigations (HSI), has conducted a large-scale operation resulting in the detention of four alleged members of an organized criminal group. Their primary tool was the SIM swap attack, a method of taking control of victims' phone numbers to gain access to their cryptocurrency assets.

The investigation established that the perpetrators operated according to a well-honed scheme. They gained initial access to critical infrastructure not through technical hacking, but via social engineering methods. Using psychological manipulation and specialized software, the criminals obtained confidential data from employees of telecommunications companies. Having gained access to work systems, the group initiated SIM swaps: cloning or intercepting the phone numbers of their targets.

Control over SMS and email gave the fraudsters a way into the victims' accounts on cryptocurrency exchanges. They reset passwords, bypassed two-factor authentication, and took over accounts. Stolen assets were quickly funneled through an extensive network, including personal bank accounts in Poland and abroad, payment services, and multi-currency crypto wallets. According to prosecutors, the scale of money laundering amounts to tens of millions of zlotys, equivalent to several million dollars.

Global Nature of the Threat

This case is not an isolated incident but part of a global problem. The FBI previously estimated damages from SIM swap attacks in the U.S. alone for 2021 at over $68 million. Similar schemes are also being recorded in other jurisdictions. For example, one high-profile case involved the theft of approximately $400 million from the bankrupt FTX exchange in 2022.

The fact that U.S. agencies joined the investigation points to the international nature of the crime: victims or infrastructure are located outside Poland. Modern crypto crime increasingly requires cross-border law enforcement cooperation, and this case is a clear confirmation of that.

The CBZC has not yet disclosed the names of the detained individuals, citing the ongoing investigation. Unconfirmed reports circulating online suggest a possible connection between one of the accused and the well-known pseudonym Merry, but there is no official confirmation of this information. The case remains open, and new arrests are not ruled out.

Cryptalist Analysis: This case once again highlights the critical vulnerability embedded in the very architecture of mobile communications. As long as telecom operators and crypto services allow account recovery via phone number, SIM swapping will remain one of the most effective and dangerous attack vectors. For investors, this is a signal: relying solely on SMS authentication is no longer acceptable. Using hardware security keys (e.g., YubiKey) or authenticator apps is no longer a recommendation but a strict necessity.