07 Aug 18

Florida Man Arrested in SIM Swap Conspiracy

Police in Florida have arrested a 25-year-old man accused of being part of a multi-state cyber fraud ring that hijacked mobile phone numbers in online attacks that siphoned hundreds of thousands of dollars worth of bitcoin and other cryptocurrencies from victims.

On July 18, 2018, Pasco County authorities arrested Ricky Joseph Handschumacher, an employee of the city of Port Richey, Fla., charging him with grand theft and money laundering. Investigators allege Handschumacher was part of a group of at least nine individuals scattered across multiple states who for the past two years have drained bank accounts via an increasingly common scheme involving mobile phone “SIM swaps.”

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.

In some cases, fraudulent SIM swaps succeed thanks to lax authentication procedures at mobile phone stores. In other instances, mobile store employees work directly with cyber criminals to help conduct unauthorized SIM swaps, as appears to be the case with the crime gang that allegedly included Handschumacher.

A WORRIED MOM

According to court documents, investigators first learned of the group’s activities in February 2018, when a Michigan woman called police after she overheard her son talking on the phone and pretending to be an AT&T employee. Officers responding to the report searched the residence and found multiple cell phones and SIM cards, as well as files on the kid’s computer that included “an extensive list of names and phone numbers of people from around the world.”

The following month, Michigan authorities found the same individual accessing personal consumer data via public Wi-Fi at a local library, and seized 45 SIM cards, a laptop and a Trezor wallet — a hardware device designed to store cryptocurrency account data. In April 2018, the mom again called the cops on her son — identified only as confidential source #1 (“CS1”) in the criminal complaint — saying he’d obtained yet another mobile phone.

Once again, law enforcement officers were invited to search the kid’s residence, and this time found two bags of SIM cards and numerous driver’s licenses and passports. Investigators said they used those phony documents to locate and contact several victims; two of the victims each reported losing approximately $150,000 in cryptocurrencies after their phones were cloned; the third told investigators her account was drained of $50,000.

CS1 later told investigators he routinely conducted the phone cloning and cashouts in conjunction with eight other individuals, including Handschumacher, who allegedly used the handle “coinmission” in the group’s daily chats via Discord and Telegram. Search warrants revealed that in mid-May 2018 the group worked in tandem to steal 57 bitcoins from one victim — then valued at almost $470,000 — and agreed to divide the spoils among members.

GRAND PLANS

Investigators soon obtained search warrants to monitor the group’s Discord server chat conversations, and observed Handschumacher allegedly bragging in these chats about using the proceeds of his alleged crimes to purchase land, a house, a vehicle and a “quad vehicle.” Interestingly, Handschumacher’s public Facebook page remains public, and is replete with pictures that he posted of recent new vehicle acquisitions, including a pickup truck and multiple all-terrain vehicles and jet skis.

The Pasco County Sheriff’s office says their surveillance of the Discord server revealed that the group routinely paid employees at cellular phone companies to assist in their attacks, and that they even discussed a plan to hack accounts belonging to the CEO of cryptocurrency exchange Gemini Trust Company. The complaint doesn’t mention the CEO by name, but the current CEO is bitcoin billionaire Tyler Winklevoss, who co-founded the exchange along with his twin brother Cameron.

“Handschumacher and another co-conspirator talk about compromising the CEO of Gemini and posted his name, date of birth, Skype username and email address into the conversation,” the complaint reads. “Handschumacher and the co-conspirators discuss compromising the CEO’s Skype account and T-Mobile account. The co-conspirator states he will call his ‘guy’ at T-Mobile to ask about the CEO’s account.”

Court documents state that the group used Coinbase.com and multiple other cryptocurrency exchanges to launder the proceeds of their thefts in a bid to obfuscate the source of the stolen funds. Subpoenas to Coinbase revealed Handschumacher had a total of 82 bitcoins sold from or sent to his account, and that virtually all of the funds were received via outside sources (as opposed to being purchased through Coinbase).

Neither Handschumacher nor his attorney responded to requests for comment. The complaint against Handschumacher says that following his arrest he confessed to his involvement in the group, and that he admitted to using his cell phone to launder cryptocurrency in amounts greater than $100,000.

But on July 23, Handschumacher’s attorney entered a plea of “not guilty” on behalf of his client, who is now facing charges of grand larceny, money laundering, and accessing a computer or electronic device without authorization.

Handschumacher’s arrest comes on the heels of an apparent law enforcement crackdown on individuals involved in SIM swap schemes. As first reported by Motherboard.com earlier this month, on July 12, police in California arrested Joel Ortiz — a 20-year-old college student accused of being part of a group of criminals who hacked dozens of cellphone numbers to steal more than $5 million in cryptocurrency.

The Motherboard story notes that Ortiz allegedly was an active member of OGusers[dot]com, a marketplace for Twitter and Instagram usernames that SIM swapping hackers use to sell stolen accounts — usually one- to six-letter usernames. Short usernames are something of a prestige or status symbol for many youngsters, and some are willing to pay surprising sums of money for them.

Sources familiar with the investigation tell KrebsOnSecurity that Handschumacher also was a member of OGUsers, although it remains unclear how active he may have been there.

WHAT YOU CAN DO

All four major U.S. mobile phone companies allow customers to set personal identification numbers (PINs) on their accounts to help combat SIM swaps, as well as another type of phone hijacking known as a number port-out scam. But these precautions may serve as little protection against crooked insiders working at mobile phone retail locations. On May 18, KrebsOnSecurity published a story about a Boston man who had his three-letter Instagram username hijacked after attackers executed a SIM swap against his T-Mobile account. According to T-Mobile, that attack was carried out with the help of a rogue company employee.

SIM swap scams illustrate a crucial weak point of multi-factor authentication methods that rely on a one-time code sent either via text message or an automated phone call. If an online account that you value offers more robust forms of multi-factor authentication — such as one-time codes generated by an app, or better yet hardware-based security keys — please consider taking full advantage of those options.

If, however, SMS-based authentication is the only option available, this is still far better than simply relying on a username and password to protect the account. If you haven’t done so lately, head on over to twofactorauth.org, which maintains probably the most comprehensive list of which sites support multi-factor authentication, indexing each by type of site (email, gaming, finance, etc.) and the type of added authentication offered (SMS, phone call, software/hardware token, etc.).


87 comments

  1. (…if only I could read this on my phone [Android LG3] without panning and pinching and expanding….I really like your posts, but wish you would get a more responsive theme….)

    • myphoneisbetterthanyourphone

      Your phone sucks. Or your browser sucks.

      Brian’s site looks fine on my phone.

    • This crime is independent of phone brand or carrier. If you are at the point of bribing carrier employees, no one is safe.

      Now if your email passwords are stored in the cloud, that could be a different story. Same goes for password recovery schemes or really any security using SMS.

  2. Pasco County Sheriff’s Office? PCSO is one of the featured departments on “Live PD” every Friday and Saturday night. Until now I thought that they were nothing more than a collection of traffic cops and domestic disturbance mediators.

  3. Rick H, try using the Reader Mode in the Firefox browser.

  4. Having your mom call the cops on you, oof.

    • twinmustangranchdressing

      My Mother the Narc

      (that’s a pun for readers of a certain age)

    • Actually, props to that mom! She did the absolutely right thing and helped stop all of this from happening. While it was probably very hard for her to do, she did what was right.

      Thankfully these main actors and the Discord participants will be headed to their new homes at the Federal Bureau of Prisons!

    • Yeah, that’s brutal. I would think she would try and find out what he’s doing first.

      • I doubt he just woke up one morning and decided to be a thief. He’s probably been stealing and ripping off his family for years. Why else would his mom be so quick to call the cops on him?

  5. Brian, I was just wondering if the Handschumacher case will reveal the cell numbers that he and his group compromised? It would be interesting to know if my T-Mobile account was among those. My T-Mobile number was ported-out to Verizon last September. I quickly realized something was not right and went to a local T-Mobile store. They were less than helpful, only saying that my number was now “with Verizon”. I left T-Mobile and went to a local Verizon store. If not for the diligence of Verizon (no thanks to T-Mobile), I might have fared much worse. It took me 2 hours on the phone in a Verizon store, but they sorted it out with their Security people and I was able to recover my number. I have since followed your advice on additional security measures and have had no further problems. Many thanks for your advice!

    • Frustrated and angry

      Similar comment re T-Mobile. After my SIM was hijacked, they admitted my account was falsely authenticated with a driver’s license (obviously fake). Hard to believe a license is an approved authentication protocol at T-Mobile – they should be ashamed. They told me they know the name of the employee but will not even tell me the State in which his store is located, much less admit any guilt. I’d like to know if it was near where I live. T-Mobile has been perfectly horrible and uncooperative. So frustrating.

      • We can thank the FCC for requiring that in store authentication be done via photo ID. Technically in the CPNI rules it’s the only allowed option. Unfortunately, there are not many other solid options as dual factor via the device is out considering many people are in a store due to a device failure.

  6. I have a note in my Verizon account that any changes need to be made by me in the store with an ID.

    • Which only protects you against honest employees or those that aren’t susceptible to convincing social engineering (“I KNOW what my instructions say but this is an EMERGENCY and I REALLY need this to happen!”)

  7. The Sunshine State

    A 25-year-old pathetic fool whose mom turned him in to authorities and has now completely ruined his life over SIM cards and cryptocurrencies.

    Only in the Sunshine State!

  8. Angelo Castellano

    In addition to a longer PIN, my account requires all SIM cards to be delivered to the address on file.

    • Readership1 (previously just Reader)

      These guys had people working in stores who they’d pay to make account changes.

      Whatever you think you have for security is useless against a dishonest employee.

      Even if they had no one taking bribes, it isn’t that hard to walk into a store, show fake ID and get a PIN removed or address changed.

      There is no universal account safeguard.

      Fortunately, most people are honest and decent. That’s why the system generally works.

      • Readership1 (previously just Reader)

        P.S. I do applaud you for making the effort to deter a criminal account takeover. We should all do that.

  9. “Handschumacher allegedly bragging in these chats about using the proceeds of his alleged crimes to purchase land, a house, a vehicle and a ‘quad vehicle.’”

    In this case, I have no problem with civil asset forfeiture. I hope the cops enjoy their new truck and quad ATV.

    • I would guess you’re a cop or somehow related to law enforcement. The victims should be the first people compensated. The num-nuts at the sheriff’s office already have enough quads and jet-skis.

      • I agree that the victims should be the 1st people compensated, but that’s not the way the law works in most cases. The cops grab everything they can (which I disagree with in many cases , but not in this case). A judge might preside over the sale of the house and land for victim compensation, if the victims are lucky.

        (most certainly not a cop)

  10. Comment on his FB page

    Wanted to post a link on his page to this article so his friends know what he’s doing, but I’m unable to.

  11. 25 yrs old and dumb as a rock. What an ass hat. Hope he gets jail time for this and loses all his toys.

  12. Elizabeth Doxtator-Morenberg

    What was the penalty for CS#1 for the first time his mom called the cops on him? Did he get a slap on the wrist, or were his electronics confiscated by law enforcement?

    • My guess is he is (was) a minor, in which case it would be easier to use him as an informant than to try to prosecute him.

      • That’s a pretty good guess. I think being underaged was used against him and hopefully, the FBI or DHS turned him into a confidential human source (CHS) and then got access to their Discord and main leaders like that.

    • Based on the bit about having a phone, I’d expect there was something about preventing access to phones/technology – that was a fairly typical thing decades ago.

      Perhaps community service…

      I would hope such agreements to be some form of suspended sentence/probation where violating them can reimpose penalties.

  13. “If, however, SMS-based authentication is the only option available, this is still far better than simply relying on a username and password to protect the account.”

    This is false.

    Removing the phone-based password reset option and “security questions” from an account generally only improves its security. For example, in order to make your Gmail account more secure you need to enable a Google Authenticator token AND remove the phone number on file. Google allows you to download one-time access codes as a last resort to recover the account if your auth token gets lost. Print them out and store them in a safe.

    Of course that does not work if the account is with a company that allows simple social engineering to reset your account password.

    • Ware, your advice is for Google properties. My advice was intended more broadly. Please don’t discourage people from taking advantage of the best security options that are available.

      • Personally, I encourage people to set up a Google Voice phone number. If you have a US number, you can get one for free. Since your Google account can be protected by two hardware devices and you can protect against port outs and there’s no SIM (this is Google Voice, not Project Fi), you can then use this number anywhere that doesn’t offer better than SMS security.

        Ideally this should protect you from most cellular network attacks…

    • Readership1 (previously just Reader)

      By your logic, there’s no point in using deadbolts to lock your house doors, because a thief could use an axe or bust a window. Clearly, that’s absurd.

      One uses the deadbolts to slow down the thief, giving you time to react or call or help. Deadbolts also deter a break-in attempt entirely by making your house a less attractive target.

      There is no foolproof method of IT security. But you can and should take reasonable measures to make your gadgets and accounts less susceptible to intruders and less attractive targets.

  14. Stupid criminals

    All I’m saying is if he had all that $ and was bragging about all the stuff he’s bought..then why didn’t he have his own place to conduct his criminal activity? He’s smart enough to launder all that $ but not smart enough to not let his mommy catch him in the act. omg some ppls kids!!

    • You may be confusing the person who was arrested with the person who informed on the individual who was arrested. The informant was likely a minor.

  15. Those very hackers are stopping me commenting here.

    Defo UK networks.

  16. Readership1 (previously just Reader)

    AT&T does not have any real security for prepaid customers. Just a 4-digit “passcode.”

    Not a password, not a security code.

    I wrote that a week ago, here:
    https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/#comment-471368

    • Sprint once allowed PINs larger than 4 digits. These have been deprecated and lately they are now strictly enforcing the 4-digit limit.

      Ridiculously, they still allow unlimited attempts to access accounts using PIN online.

      I set a 5-digit PIN back when it was allowed. Now that they limit it to 4 digits it means I cannot access my account online.

      Fortunately, no one else can, either.

      No matter. Nothing vital needs doing online.

      I haven’t checked lately to see if it still happens, but Sprint also sent all your account info, including the PIN and PII, in cleartext email if you emailed them or used their contact page online. This is “industry standard security” according to Sprint’s upper management.

  17. I don’t understand where the crime is. Did he kill someone?
    Or what? I don’t think it should be a criminal case!

    • He laundered money, you fool… or let me guess, this is
      probably something you enjoy doing too, and that’s why you see no problem….

    • Stealing is a crime. (The last time I checked : -)
      Kyp are you a Troll?

    • Yo Kyp,

      So what do you think about this guy then? All he wanted to do was help his family.

      New York Congressman Chris Collins indicted on insider trading charges

      https://youtu.be/8SvWLHbbJfk

      Circumstantial evidence along with witness testimony proves most criminal cases beyond a reasonable doubt. “Follow the money” usually works.

  18. I use 2FA whenever possible and I try to avoid using SMS for 2FA if possible. When SMS is the only 2FA option I use a Google Voice number. I’m not sure this actually works but I’m hoping it will be harder to take over than a real cell phone.

    I am interested in comments about this use of Google Voice for 2FA SMS purposes.

  19. It’s ridiculous how far someone will go to get money illegally… get a job.

  20. All I’m saying is if he had all that $ and was bragging about all the stuff he’s bought

  21. I went through the options on my investment accounts just now. Most have 2FA available, but not all have a physical key, and only Schwab sends you one. Vanguard makes you buy your own.

    Even at Vanguard, if you don’t have your key there is an option to go back to SMS. This seems to defeat the entire purpose, if a bad guy can do an end run around the physical key.

    does anyone know if ordinary investment accounts ( not just Bitcoin) have been compromised?

    It would be “interesting” to hear Schwab, Vanguard etc.’s response to intrusions that occur in accounts without physical key security. Will they then claim it was the customer’s responsibility to have installed the highest level of security?

    • Readership1 (previously just Reader)

      Fp,

      It doesn’t matter what they claim.
      What is relevant is that banking laws and regulations don’t put any responsibility on the customer to secure their accounts.

      Security is the bank’s job. It’s why people use banks. If they choose to allow customers to access accounts online, the banks remain responsible for security.

      I advise clients to only use banks who mail written statements at no additional cost and to question any bank errors in writing, as that’s the only way to protect their rights. Customers have the right to choose banks that will close electronic access on written request, as well.

    • Schwab will give you a fob if you ask (presumably, balance limits might apply).

      You can also get one from Wells Fargo for $25. You must do this in person, and it seems that there is one person on duty in any three random branches that knows anything about it and can set it up for you.

  22. I think he should get a good lawyer!!
    I don’t see this as a criminal case!
    Even to accuse anyone of money laundering you need good evidence to prove it!!

    • Kyp, money laundering isn’t the primary issue – straight-up theft (grand larceny is theft over a specific dollar amount) is the primary charge.

      The money laundering charge is just due to the way they were trying to cash-out the cybercurrency they stole.

      If you don’t see theft as worthy of prosecution, we don’t have anything to discuss further.

    • Are we all being serious right now? Home boy was straight picked up and raided by homeland security. And you think this isn’t criminal? Someone stealing THOUSANDS of dollars isn’t criminal? Oh, that’s just because it didn’t happen to you, huh? Cause I’m sure If it was your accounts being drained you’d prosecute to the fullest, press charges like hell. He was knowingly draining people of money and there’s obvious evidence because they weren’t smart enough to cover it up. They “tried” and it even says that but everything points back to them. And get a job? If you’re sitting here saying stealing from MANY people, all across the web, and doing it ILLEGALLY isn’t criminal to you then i guess you were probably part of it too, or you’re just a thief yourself in your own way like them.

  23. It’s a very complex case; I think they need more and better evidence to prove his criminal guilt!
    Yes, stealing is not lawful, but a good lawyer can make it better.
    We live in a world where white is not white and black is not exactly black, and this case is gray, which means it is not clear whether the person had bad intentions.
    Since law is not about justice but just a matter of evidence and facts.
    The law is not about what is right or wrong; it’s more like a game!
    And when you don’t commit straight-up crimes like murder or stealing in public, then it’s very difficult to prove anything.

  24. So…my understanding was that Telegram was anonymous and untraceable to a specific user…?

  25. So .. @jpp Telegram offers lots of clever protection… until you seize and examine the endpoint device (handset) where messages are in clear – so the user can read them.
    Also, there was a discussion board area, where the messages are in clear. Often (depending on situation) the logs can also be made available that give time/date and IP address – that can be matched to device activity (& geolocation data) giving a pretty irrefutable trail.
    Once investigators have the name of the ‘mastermind’ they can deploy many tools to understand what’s going on.

  26. Seems to me the problem here is the phone companies’ lax security when it comes to SIM swaps.

  27. Brian, I have been reading you for several months. Thanks for all your work; I love to read you. I have one comment/suggestion. I recently changed GSM operator here in the EU. What I noticed was that here, in order to initiate a SIM swap or port operation, you first need to send an SMS from your current phone/operator to get an OTP. Without this code no one can swap your SIM or port your number. I know this may not cover all the cases out there, but it looks like an easy-to-implement solution for a GSM operator that reduces the risk dramatically. You may want to suggest it to your friends at the US mobile companies.

  28. KYP, you’re a troll. Please go back under the bridge.

    • I think I am misunderstood here!! I’m not making the point that stealing is not a crime!!!
      I’m talking about evidence. Since it’s cryptocurrency and no names are involved in the transactions, the guy has a way to win this court case, since people still have rights.
      We are not talking about what is right or wrong, but we know that the court doesn’t care about this; they care about LAW AND EVIDENCE. This guy can still get away with it.

  29. I love to dance. I was never professionally trained, mind you. But I love to strip naked and dance all over the surface of the moon and planet Pluto. I can’t stop and I won’t stop.

  30. I want to post the link to this article on his page so badly so all his friends know what a criminal asshat he really is.