Police in Santa Clara in California have arrested a 19-year-old male who is accused of hijacking phone numbers through ‘SIM swapping’, a technique wherein financial and social media accounts tied to those numbers are targeted.
Santa Clara County’s ‘REACT task force’ have arrested Xzavyer Clemente Narvaez after the authority revealed it’s targeting cybercriminals involved in “the takeovers of cell phone, email and financial accounts resulting in the theft of cryptocurrency.”
A SIM swap as a method of exploit wherein a victim’s mobile phone service including data is redirected from a SIM card that has been hijacked by an attacker without the knowledge of the victim.
Symptoms include losing service altogether to see their incoming calls and text messages diverted to the attacker’s device instead. This is particularly alarming in an age wherein one-time passwords (OTPs linked to financial accounts are frequently tied and sent to mobile numbers which can then be used by hackers to access victims’ monetary accounts.
Narvaez has been accused of using the method to gain significant monetary gains through large sums of bitcoin and other cryptocurrencies. The teenager used the proceeds of his cybercriminal activity to purchase various luxury items including a $200,000 McLaren supercar. One victim of Narvaez, interviewed by investigators, reported being robbed of $150,000 in cryptocurrencies as a result of the hijack of his phone number.
“On 7/18/18, investigators received information from an AT&T investigator regarding unauthorized SIM swaps conducted through an AT&T authorized retailer. He reported that approximately 28 SIM swaps were conducted using the same employee ID number over an approximately two-week time period in November 2017,” prosecutors alleged in a charge sheet.
They also used data gathered from a number of tech companies to triangulate Narvaez’s phone in specific places near his home at the same time when his victims raised complaints about seeing their phones hijacked.
Narvaez now faces four counts of altering and damaging computer data with intent to defraud or obtain money, or other value; four counts of using personal identifying information without authorization; and grand theft of personal property of a value of over nine hundred and fifty thousand dollars.
Image credit: Pexels.