20
Nov 20

Convicted SIM Swapper Gets 3 Years in Jail

A 21-year-old Irishman who pleaded guilty to charges of helping to steal millions of dollars in cryptocurrencies from victims has been sentenced to just under three years in prison. The defendant is part of an alleged conspiracy involving at least eight others in the United States who stand accused of theft via SIM swapping, a crime that involves convincing mobile phone company employees to transfer ownership of the target’s phone number to a device the attackers control.

Conor Freeman of Dublin took part in the theft of more than two million dollars worth of cryptocurrency from different victims throughout 2018. Freeman was named as a member of a group of alleged SIM swappers called “The Community” charged last year with wire fraud in connection with SIM swapping attacks that netted in excess of $2.4 million.

Among the eight others accused are three former wireless phone company employees who allegedly helped the gang hijack mobile numbers tied to their targets. Prosecutors say the men would identify people likely to have significant cryptocurrency holdings, then pay their phone company cohorts to transfer the victim’s mobile service to a new SIM card — the smart chip in each phone that ties a customer’s device to their number.

A fraudulent SIM swap allows the bad guys to intercept a target’s incoming phone calls and text messages. This is dangerous because a great many sites and services still allow customers to reset their passwords simply by clicking on a link sent via SMS. From there, attackers can gain access to any accounts that allow password resets via SMS or automated calls, from email and social media profiles to virtual currency trading platforms.

Like other accused members of The Community, Freeman was an active member of OGUsers, a forum that caters to people selling access to hijacked social media and other online accounts. But unlike others in the group, Freeman used his real name (username: Conor), and disclosed his hometown and date of birth to others on the forum. At least twice in the past few years OGUsers was hacked, and its database of profiles and user messages posted online.

According to a report in The Irish Times, Freeman spent approximately €130,000, which he had converted into cash from the stolen cryptocurrency. Conor posted on OGUsers that he spent approximately $14,000 on a Rolex watch. The rest was handed over to the police in the form of an electronic wallet that held the equivalent of more than $2 million.

The Irish Times says the judge in the case insisted the three-year sentence was warranted in order to deter the defendant and to prevent others from following in his footsteps. The judge said stealing money of this order is serious because no one can know the effect it will have on the victim, noting that one victim’s life savings were taken and the proceeds of the sale of his house were stolen.

One way to protect your accounts against SIM swappers is to remove your phone number as a primary or secondary authentication mechanism wherever possible. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.

It’s also important for people to use something other than text messages for two-factor authentication on their email accounts when stronger authentication options are available. Consider instead using a mobile app like Authy, Duo, or Google Authenticator to generate the one-time code. Or better yet, a physical security key if that’s an option.

25 comments

  1. The Sunshine State

    It’s always stupid males in the early twenties.

    • I’ve never heard of women being involved. Are they just better at not being caught?

      • Women never have to get their hands dirty, they just latch on to the guy and enjoy the spoils. If/when he gets jammed up, play the innocent girlfriend “Oh your honor, I had no idea!” and move on to the next one.

  2. guess “freeman” isnt free anymore LOL!

  3. He better be glad it wasn’t in a repressed country like Saudi Arabia. It’s hard to code with no hands.

    This is another example where law hasn’t caught up to technology. It also shows the disparity in how we treat crimes. If this idiot robbed a store and got caught, he’d be facing decades.

  4. Thanks for another good article Cyberhero Krebs!

    This is why I love my folks at the particular MetroPCS store that I’ve been patronizing for years – I can trust them and I’m grateful for that…

    • Going into the store is great, when the store is actually open…

      Went to Metro a few months ago, no one was there, and it was after 12:00 pm!

      It might be a revolving door because of the hours.

  5. He pleaded guilty and took a deal wherin he would not be extradicted to the United States. Had that happened he would be looking at up to 100 years in Federal Prison. Nevertheless, twenty years from now, he could still be arrested when trying to visit Orlando with his future kids. He will never know. All that grief for one poxy wrist watch.

  6. That is so true. Pretty much any dumb service you sign up these days wants your phone number. And no, quite a few will still use it for a password reset. Argghhhh!

    Or the one as moronic as PayPal would take both SMS and OTOP and then still allow SMS to be used to get into your account 🙂 and good luck finding anything in the PayPal settings.

  7. My approach is to have the least amount of information on my as possible. Trusting your cell phone to secure millions of dollars is just ignorance.

  8. In the good old days Paypal had this physical security key device which I held in my hand and it would randomly bring up a pin code whenever I wanted to do something on Paypal. I do not understand why they discontinued this service. It was simple and it worked.

  9. “But unlike others in the group, Freeman used his real name (username: Conor), and disclosed his hometown and date of birth to others on the forum.”

    Smart lad. Networking pays.

  10. western jails not bad, 3 years good work out keeping healthy not bad.

    i been in jail my freinds been in jail i would say not bad for men.
    i did work out i got out like arnold swachernegger….
    boxing work out running pushupss..pull ups.
    jail can keep your health good no drugs no alchol.
    3 years is nothing t be honest for young guy every person can take 5 years easy jail time.

    • Irish prisons aren’t the best. They’re largely safe, but you may be in an overcrowded prison, without proper facilities. It was only a few years ago that prisoners in Irelands Mountjoy prison had to ‘slop out’ buckets of waste each morning.

    • In the States in mosts places you get good time which cuts your sentence by a third, and if you are a trustee working in many places that cuts your sentence by half. I don’t know if Ireland has similar good behavior incentives, but if it does that is 1-1/2 years in the Big House…

      • The Irish prison system isn’t based off forced labour, so you can’t work your sentence off like you do in the USA. Sentences are shortened, and “for good behaviour” is an alright analogy if you want to compare it to the USA, although it’s based in reform and reoffend risk rather than how polite you are to the head of the prison.

  11. One of my email accounts has become a honey pot for criminal phishing actors. I’m getting 40-50 emails a month and forwarding them to respective admins/abuse addresses hoping that these accounts and domains are being deactivated.
    Remarkable thing is that 60+ % of the crap is coming from godaddy subdomains which tells me that godaddy has minimal, or none, controls in place to prevent bots from creating phishing domains and accounts.

  12. 2FA is great till you loose the 2…

  13. Thanks for the information

  14. Burglary, theft or theft from a shop in Ireland isn’t managed almost that cruelly. Dislike America.

Leave a comment