Guilty Plea in SIM Swapping Scam to Steal CryptocurrencyProsecutors: Yearslong Scheme Resulted in Theft of $530,000
A Massachusetts man has pleaded guilty to running a yearslong scam that used SIM swapping and other hacking techniques to steal more than $530,000 worth of cryptocurrency, the U.S. Justice Department has announced.
Eric Meiggs pleaded guilty to seven counts, including conspiracy, wire fraud, computer fraud and abuse, and aggravated identity theft, prosecutors say.
Meiggs, 23, and co-conspirator Declan Harrington, 22, stole money using SIM swapping, and they also took over the social media and email accounts of several victims and threatened their families in an attempt to extort more virtual currency, prosecutors alleged in the pair’s indictment. Meiggs and Harrington were arrested in November 2019 (see: DOJ: Pair Used SIM Swapping Scam to Steal Cryptocurrency).
Meiggs, who is scheduled to be sentenced on Sept. 15, faces a mandatory minimum penalty of two years in prison. Harrington is charged as a co-conspirator under the joint 11-count indictment.
SIM swapping involves convincing a mobile operator's customer service employee to move a cell phone number to a different SIM card or port it to another carrier.
Once they swapped SIM cards, Meiggs and Harrington would pose as one of the victims and contact the online service providers and request a password reset be sent to the compromised phone number, prosecutors say.
"The cybercriminals then reset the victim’s account login credentials and used those credentials to access the victim’s account without authorization," prosecutors say.
According to the indictment, Meiggs and Harrington targeted at least 10 victims in the U.S. Most of those targeted were executives who worked for blockchain companies or cryptocurrency exchanges or published guides and advice about virtual currencies and digital wallets, prosecutors say.
Starting in November 2017 and continuing until their arrest in 2019, Meiggs and Harrington allegedly used various hacking techniques to compromise victims' email accounts, including Yahoo Mail and Gmail, as well as social media accounts, including those for Facebook, Twitter and Instagram, according to the 2019 indictment.
The duo allegedly used compromised accounts and credentials to hack into one victim's Coinbase digital wallet to steal about $200,000 in virtual currency, prosecutors say.
In another case, they used a victim's compromised Facebook account to send messages to several of his contacts. Once the messages had been sent, Meiggs and Harrington were able to convince one of the contacts to transfer about $100,000 in cryptocurrency to an account that they controlled, the U.S. Justice Department notes.
In yet another incident, one of the men allegedly called a victim and threatened to kill his wife if he didn't divulge the password for his Instagram account, according to the indictment.
Other SIM Swap Incidents
In October 2019, the FBI issued a warning that cybercriminals were using new techniques, including SIM swapping, to bypass multifactor authentication (see: FBI: Cybercriminals Are Bypassing Multifactor Authentication).
Over the last few years, more SIM swapping cases have come to light. In May 2019, for example, the Justice Department charged nine men in connection with a scheme that led to the theft of $2.4 million in cryptocurrency (see: Alleged SIM Swappers Charged Over Cryptocurrency Thefts).
In September 2019, Twitter acknowledged that CEO Jack Dorsey's personal Twitter account was compromised and used to send out racist messages. In that case, some security analysts suggested that the attackers may have used a SIM swapping technique to compromise the account (see: Hey Jack, How Was Your Account Hacked?).