Poland and the FBI struck a blow against a group that stole cryptocurrencies via SIM-swapping.
The Central Cybercrime Bureau of Poland (CBZC), in cooperation with the FBI and U.S. Homeland Security Investigations (HSI), conducted a large-scale operation that ended with the detention of four suspected members of an organized criminal group. The group specialized in SIM-swap attacks: having a victim's phone number transferred to a SIM card under the attackers' control in order to reach the victim's cryptocurrency accounts.
The detainees are charged with forming a criminal organization, unauthorized access to computer systems, theft of digital assets, and laundering of the stolen funds. All four have been remanded in custody pending trial and face up to 25 years in prison.
How the scheme worked: from social engineering to exchange account takeover
The group's scheme was meticulously planned. The initial access to confidential data came not from exploiting software vulnerabilities but from social engineering. Using dedicated phishing tooling, the criminals harvested corporate credentials and internal data from employees of companies that work with telecom operators.
Armed with these "keys," the group moved to the main phase of the attack: the SIM swap itself. The perpetrators took control of victims' phone numbers by having them moved to SIM cards they held. Once the number was theirs, every SMS sent to the victim landed with the attackers; from there they got into the victims' email, reset passwords on cryptocurrency exchanges, passed SMS-based two-factor authentication, and took over the exchange accounts.
The digital assets were then withdrawn immediately. The scheme exploits one of the weakest links in the authentication chain: despite years of security warnings, many services still allow account recovery and second-factor delivery through a phone number, so whoever controls the number effectively controls the account.
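To make the dependency chain above concrete, here is an added example, constructed for this article and not drawn from the investigation or from any real exchange's policy. It models account recovery as an attack graph: each rule says that holding all of the capabilities on its left side grants the capability on its right. Starting from the single capability a SIM swap delivers, control of the victim's phone number, a transitive closure shows which accounts fall. The service names, capability labels and recovery rules are assumptions that mirror the chain described in the text, with a hardened variant beside the weak one.

```python
"""Attack-graph view of the SIM-swap account-takeover chain.

Constructed example: the services and their recovery rules are assumptions
modelled on the chain in the article, not any real exchange's policy.

A rule reads: holding ALL capabilities in `needs` grants the capability
`grants`. Starting from what a SIM swap gives the attacker (control of the
victim's phone number) we compute the transitive closure and check whether
the ability to withdraw from the exchange is reachable.
"""
from typing import FrozenSet, Iterable, List, Set, Tuple

Rule = Tuple[FrozenSet[str], str]


def rule(grants: str, *needs: str) -> Rule:
    """Build a rule: possessing every capability in `needs` yields `grants`."""
    return (frozenset(needs), grants)


def closure(start: Iterable[str], rules: Iterable[Rule]) -> Set[str]:
    """Fixed-point iteration: keep firing rules until nothing new is gained."""
    have = set(start)
    rules = list(rules)
    changed = True
    while changed:
        changed = False
        for needs, grants in rules:
            if grants not in have and needs <= have:
                have.add(grants)
                changed = True
    return have


# Weak deployment (assumed): every recovery and second-factor path ends at
# the phone number, which is exactly the chain the article describes.
WEAK_RULES: List[Rule] = [
    rule("sms_codes", "phone_number"),            # SIM swap: attacker now receives the SMS
    rule("email_account", "sms_codes"),           # mailbox recovery by SMS code
    rule("exchange_password", "email_account"),   # exchange password reset link by email
    rule("exchange_2fa", "sms_codes"),            # exchange second factor is an SMS OTP
    rule("exchange_account", "exchange_password", "exchange_2fa"),
    rule("exchange_withdraw", "exchange_account", "sms_codes"),  # withdrawal confirmed by SMS
]

# Hardened deployment (assumed): phone-number recovery disabled, authenticator
# app (TOTP) for the second factor, hardware key to approve withdrawals.
HARDENED_RULES: List[Rule] = [
    rule("sms_codes", "phone_number"),            # SIM swap still yields SMS, but SMS grants nothing below
    rule("email_account", "email_password", "email_totp"),
    rule("exchange_password", "email_account"),
    rule("exchange_2fa", "exchange_totp_secret"),  # secret lives on the device, never on the number
    rule("exchange_account", "exchange_password", "exchange_2fa"),
    rule("exchange_withdraw", "exchange_account", "hardware_key"),
]

SIM_SWAP_START = {"phone_number"}


def sim_swap_reach(rules: Iterable[Rule]) -> Set[str]:
    """Everything an attacker holding only the victim's phone number can obtain."""
    return closure(SIM_SWAP_START, rules)


def phone_number_is_sufficient(rules: Iterable[Rule], target: str = "exchange_withdraw") -> bool:
    """True if a SIM swap alone is enough to reach `target`."""
    return target in sim_swap_reach(rules)


def single_points_of_failure(rules: Iterable[Rule], target: str = "exchange_withdraw") -> List[str]:
    """Capabilities that, held on their own, are enough to reach `target`.

    Anything listed here is a channel whose compromise hands over the whole
    account; `phone_number` appearing in the list is the SIM-swap risk.
    """
    rules = list(rules)
    caps = {c for needs, _ in rules for c in needs} | {g for _, g in rules}
    caps.discard(target)
    return sorted(c for c in caps if target in closure({c}, rules))


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name:9s} SIM swap reaches withdrawal: {phone_number_is_sufficient(rules)}")
        print(f"{name:9s} single points of failure:   {single_points_of_failure(rules)}")
```

In the weak model the phone number (and the SMS codes it yields) is a single point of failure for the whole chain, which is the property the attackers monetized. In the hardened model a SIM swap still delivers the victim's SMS, but no rule below accepts SMS as sufficient, so the closure stops there. The same closure function can be pointed at any real deployment's recovery rules to find which single channel, if hijacked, unlocks everything.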
Scale and international cooperation
According to the FBI, reported losses from SIM-swap attacks in the U.S. alone exceeded $68 million in 2021, and that figure covers only the cases that were reported. During the investigation, Polish law enforcement uncovered an extensive financial network through which the stolen funds flowed. Laundering was carried out through personal bank accounts in Poland and abroad, payment services, and multi-currency crypto wallets. The amount laundered is estimated at tens of millions of zlotys (several million dollars).
Notably, the investigation is overseen by the Regional Prosecutor's Office in Krakow with the involvement of the FBI and HSI, which indicates that at least some of the victims or of the criminals' infrastructure were located outside Poland. Cross-border crypto crime of this kind increasingly requires joint work by agencies in several countries.
Unconfirmed reports circulating on social media suggest that one of the accused may be linked to the well-known handle Merry; the police have not confirmed this. The case remains open, and further arrests are likely.
Expert opinion: This case is yet another reminder that SMS-based authentication security is long outdated. To protect crypto assets, I strongly recommend using hardware wallets (cold storage) and authenticator apps (TOTP), as well as disabling the option to recover access via phone number on all critical services.