iStockphoto
Early one Friday evening in autumn, Rob Ross, a San Francisco entrepreneur, was scrolling through emails on his computer, attempting to tie up loose ends ahead of the weekend when he received a trio of alarming messages on the screen of his mobile phone.
“Please approve this withdrawal request from your Gemini account,” the first message read. Gemini is a cryptocurrency exchange.
“Tap to get your Gemini security code,” read a second.
And, finally, a third: “A new device called Chrome has been registered.”
At 5:47 p.m. Pacific time on Oct. 26, Ross had become the victim of a so-called SIM swap, in which a perpetrator is able to gain remote control of a person’s SIM, or subscriber identity module, card — at times, reportedly, by bribing someone with access to it — granting the perpetrator access to personal data, including email, phone numbers and passwords.
Ross didn’t know it at the time, but his entire life savings of $1 million had just been pilfered.
Many mobile devices in the U.S. have physical SIM cards intended to securely contain a customer’s account information.
Up until 2018, SIM swap cases had been almost unheard of. In fact, Erin West, deputy district attorney for Santa Clara County in California, where the majority of the SIM swap cases are being heard, said she has filed five cases since June 2018, and not a single one before then. The scams have given rise to a number of lawsuits.
“We started seeing it in March [2018], and, the more we investigated, the more we realized it was becoming a problem in the crypto industry,” said West. “It gives criminals a new way to get into funds.”
These funds are swindled through a person’s crypto exchange app, and as the price of bitcoin skyrocketed in late 2017 and early 2018, that gave scam artists extra incentive to illegally take control of a victims smartphone.
Major U.S. exchanges haven’t revealed the number of users who trade through a phone app, but, at Apple’s AAPL, +0.75% App Store, the Coinbase app has more than 650,000 reviews, which could be a reflection of downloads.
Rob Ross’s cellphone screen at the time he became aware of the hack.
Read: Here are the biggest hacks and scams in cryptocurrency history
In what’s perhaps become the highest-profile case, Michael Terpin, co-founder of BitAnelgs and chief executive of Transform Group, a public-relations firm focused on blockchain, sued AT&T T, +0.82% for more than $200 million over a SIM swap that occurred in January 2018, affecting more than $20 million in cryptocurrency, claiming the telecom giant had been negligent.
In court documents filed Dec. 31, 2018, Terpin claimed AT&T admitted to him on Feb. 4, 2018, that a sales associate at a Connecticut store violated procedures by failing to ask an alleged hacker for a six-digit code and by “bypassing its requirement that the hacker have a scannable ID to obtain a replacement SIM card for Mr. Terpin’s wireless number.”
In an email to MarketWatch, AT&T said: “We disagree with the allegations in the complaint.”
The company has said it looks forward to presenting its case in court.
The alleged perpetrator in the Connecticut case, Nicholas Truglia, is accused of similar incidents occurring toward the end of 2018, according to court documents filed by the state of California.
Ross’s case was different in that the funds sitting in his two digital currency accounts — at Coinbase and Gemini — were in U.S. dollars, and the hacker was able to transfer the funds in Ross’s account into cryptocurrency before switching them to the perpetrator’s own cryptocurrency wallet.
Though SIM swap crime has only recently emerged, law enforcement is making inroads. On Feb. 1, Joel Ortiz became the first person to be convicted of a SIM swap theft when he pleaded no contest in Santa Clara County to stealing $5 million in cryptocurrency from more than 40 people. He was sentenced to 10 years in prison.
And this may just be the start: “We are prosecuting five separate defendants with hundreds of victims,” said West, adding there are many other investigations related to crypto-related SIM thefts still ongoing.
The deputy district attorney is working closely with the Regional Enforcement Allied Computer Team, or REACT, a California-based computer-crime task force. Samy Tarazi, a sergeant with the Santa Clara County sheriff’s office and a REACT adviser, said law enforcement is dealing with more than 800 victims, the majority of whom were targeted for cryptocurrency theft.
While the value of a single bitcoin BTCUSD, +1.02% , the best-known cryptocurrency, has fallen by more than 70% since the beginning of 2018 — now fetching around $3,500 — two years ago one was worth less than $400, underlining how lucrative crypto theft can still be.
“It’s absolutely crazy,” said West. “People are losing millions of dollars.”
Read: Crypto exchange customers can’t access $190 million after CEO dies with sole password
Providing critical information for the U.S. trading day. Subscribe to MarketWatch's free Need to Know newsletter. Sign up here.