August 22, 2018

Authorities in Santa Clara, Calif. have arrested and charged a 19-year-old area man on suspicion hijacking mobile phone numbers as part of a scheme to steal large sums of bitcoin and other cryptocurrencies. The arrest is the third known law enforcement action this month targeting “SIM swappers,” individuals who specialize in stealing wireless phone numbers and hijacking online financial and social media accounts tied to those numbers.

Xzavyer Clemente Narvaez was arrested Aug. 17, 2018 by investigators working with Santa Clara County’s “REACT task force,” which says it’s targeting those involved in “the takeovers of cell phone, email and financial accounts resulting in the theft of cryptocurrency.”

Prosecutors allege Narvaez used the proceeds of his crimes (estimated at > $1 million in virtual currencies) to purchase luxury items, including a McLaren — a $200,000 high-performance sports car. Investigators said they interviewed several alleged victims of Narvaez, including one man who reported being robbed of $150,000 in virtual currencies after his phone number was hijacked.

A fraudulent SIM swap occurs when a victim’s cell phone service is redirected from a SIM card under the control of the victim to one under the control of the suspect, without the knowledge or authorization of the victim account holder.

When a victim experiences a fraudulent SIM swap, their phone suddenly has no service and all incoming calls and text messages are sent to the attacker’s device. This includes any one-time codes sent via text message or automated phone call that many companies use to supplement passwords for their online accounts.

Narvaez came to law enforcement’s attention following the arrest of Joel Ortiz, a gifted 20-year-old college student from Boston who was charged in July 2018 with using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

A redacted “statement of facts” in the case obtained by KrebsOnSecurity says records obtained from Google revealed that a cellular device used by Ortiz to commit SIM swaps had at one point been used to access the Google account identified as Xzavyer.Narvaez@gmail.com.

That statement refers frequently to the term IMEI; this is the International Mobile Equipment Identity number, which is a unique identification number or serial number that all mobile phones and smartphones have.

Prosecutors used data gathered from a large number of tech companies to put Narvaez’s phone in specific places near his home in Tracy, Calif. at the time his alleged victims reported having their phones hijacked. His alleged re-use of the same mobile device for multiple SIM hijacks ultimately gave him away:

“On 7/18/18, investigators received information from an AT&T investigator regarding unauthorized SIM swaps conducted through an AT&T authorized retailer. He reported that approximately 28 SIM swaps were conducted using the same employee ID number over an approximately two-week time period in November 2017. Records were obtained that included a list of IMEI numbers used to take over the victims’ cell phone numbers.”

“AT&T provided call detail records pertaining to the IMEI numbers listed to conduct the SIM swaps. One of those IMEI numbers, ending in 3218, was used to take over the cell phone of a resident of Illinois. I contacted the victim who verified that some of his accounts had been “hacked” in late 2017 but said he did not suffer any financial loss. Sgt. Tarazi analyzed the AT&T location data pertaining to that account takeover. That data indicated that on 7/27/17, when the victim from Illinois lost access to his accounts, the IMEI (ending in 3218) of the cell phone controlling the victim’s cell phone number was located in Tracy, California.”

“The specific tower is located approximately 0.6 miles away from the address 360 Yosemite Drive in Tracy. Several “NELOS” records (GPS coordinates logged by AT&T to estimate the location of devices on their network) indicate the phone was within 1000 meters of 360 Yosemite Drive in Tracy. AT&T also provided call detail records pertaining to Narvaez’ cell phone account, which was linked to him through financial services account records. Sgt. Tarazi examined those records and determined that Narvaez’ own cell phone was connected to the same tower and sector during approximately the same time frame that the suspect device (ending in 3218) was connected to the victim’s account.”

Apple responded to requests with records pertaining to customer accounts linked to that same suspect IMEI number. Those records identified three California residents whose Apple accounts were linked to that same IMEI number.

A snippet from a redacted “statement of facts” filed by prosecutors in the Narvaez case.

Verizon provided call detail records pertaining to the IMEI number ending in 3218. From the statement of facts:

These records that this phone had in fact been used to access the two Verizon numbers listed above, and at the same time was connected to a Verizon celltower located approximately 1.3 miles away from 360 Yosemite Drive in Tracy, CA. This cell tower was the closest Verizon tower to 360 Yosemite Drive.

“Records obtained from DMV indicated the 2018 McLaren was purchased from a car dealership in Southern California. Sale records obtained from the dealership indicated the payment for the vehicle was made by Tiffany Ross, primarily using bitcoin, accepted by the merchant processor BitPay on behalf of the dealership. The remainder of the price of the vehicle was financed through the trade-in of a 2012 Audi R8. The buyer/s listed email address was a Gmail address. Records also indicated the Audi R8 had been purchased in June 2017 by Xzavyer Narvaez. The entire balance for that vehicle was paid using bitcoin.”

“A different Gmail address was listed under the buyer’s contact information. Google provided records indicating both e-mail addresses used to pay for the vehicles belonged to Xzavyer Narvaez.”

“BitPay provided records that identified the Bitcoin transactions in which the vehicles were purchased. Investigator Berry utilized the Bitcoin blockchain, which is the distributed public ledger of all historical transactions on the Bitcoin network, to trace the flow of the bitcoins used to purchase the McLaren back to an address attributed to the cryptocurrency exchanger Bittrex.”

“Bittrex verified that funds from Bittrex to the output address identified in the blockchain that led to the purchase of the McLaren came from Narvaez’ account, and verified the address utilized for the deposit of bitcoin into that account. The Bitcoin blockchain currently indicates that Narvaez’ Bittrex deposit address has had more than 157 bitcoin flow through it, in 208 transactions, between 7/12/18 and 3/12/18. Based on the current market value of a bitcoin, 157 bitcoins are currently worth approximately S1,000,000.”

Narvaez faces four counts of using personal identifying information without authorization; four counts of altering and damaging computer data with intent to defraud or obtain money, or other value; and grand theft of personal property of a value over nine hundred and fifty thousand dollars. He is expected to issue a plea on Sept. 26, 2018. A copy of the charges against him is here (PDF).

Federal authorities also have been active in targeting SIM swappers of late. One day after Narvaez was apprehended, police in Florida arrested a 25-year-old man accused of being part of a group of about nine people that allegedly stole hundreds of thousands of dollars in virtual currencies from SIM swap victims. That case drew on collaboration with Homeland Security Investigations, which acted on a tip from a concerned mom in Michigan who overheard her son impersonating an AT&T employee and found bags of SIM cards in his room.

All of the major wireless companies let customers protect their accounts from SIM swapping by selecting a personal identification number (PIN) that is supposed to be required when account changes are requested in person or over the phone. But one big part of the problem is that many of these SIM swappers are working directly with retail mobile store employees who know how to bypass these protections.

If you’re concerned about the threat from SIM hijacking, experts say it might be time to disconnect your mobile phone number from important accounts. We discussed options for doing just that in last week’s column, Hanging Up on Mobile in the Name of Security.


57 thoughts on “Alleged SIM Swapper Arrested in California

  1. Dredd

    It’s high time we make an example of these F*** sticks and execute a couple of them.

    1. fluffy

      I don’t think we should kill them. There’s worse things you can do to a person.

  2. Greg

    I wonder why the Feds are leaving such prosecutions to state and local governments. Such crimes smack of interstate and international crime.

  3. John

    More evidence that people need to move to 2FA with Google Authenticator, Authy, or a Yubikey or other physical 2fa device. Phone numbers were never intended to be a proof of identity, and SIM swapping and CID spoofing are just two examples of how vulnerable we are when we use a phone number to verify something.

    1. R

      In the current (de) reg climate, as long as the BisquickDonut (AKA unindicted co-conspiritor 1) reigns, the Feds will not (openly at least) formulate biting regs and penalties in law for this stuff. I think you’re on your own right now. However, it is inevitable this will become more and more important to preserve the broader financial services sector and not a mere sideshow. I am concerned dorks working at kiosks and cel provider shops, at low salaries/commissions will be unable to resist a windfall in return for abetting this stuff. maybe a security clearance or something will have to be imposed.

  4. The Sunshine State

    The article states ““The specific tower is located approximately 0.6 miles away from the address 360 Yosemite Drive in Tracy. Several “NELOS” records (GPS coordinates logged by AT&T to estimate the location of devices on their network) indicate the phone was within 1000 meters of 360 Yosemite Drive in Tracy”

    Did the Federal authorities use a “Sting Ray” device with cooperation with AT&T?

    1. Nigel

      Most of the information can be gathered from the mobile operators themselves.

      Mobile devices are constantly reporting what it can see. Based upon that information (cell id, signal strength etc) the network then determines what cell to hand the device over to.

      If the device is in a town centre it may be reporting back call measurement data on 8 or more cells. Using that data it is simply a matter of triangulation.

      Most networks provide this data to the emergency service.

    2. somguy

      That’s really only required if the ISP’s aren’t handing over all the data already.
      If the ISP’s hand it over (as it looks like Verizon did) than they have all they need already.

      And, something like this they can ask or get a warrant for ISP to see if there’s a common user on all these sim swap times, rather than mass capturing everyone on the tower. Which is the proper way legal, constitutional way to do it, rather than capture everyone.

      So no, unlikely they used a stingray.

  5. suicide

    rip my nigga xzavyer his $8000 minecraft accounts will never be touched again ):

  6. DelilahtheSober

    I have various different burner phones in my possession at any given time – not with the intent to commit any crime, but because I don’t necessarily want my primary cell phone number associated with rewards programs, etc. You can buy a cheap used phone on eBay and then buy a month’s worth of prepaid time from some obscure cell phone service company (Ting comes to mind, but there are dozens of them).

    I also use this as my means of “testing out” different prepaid cell phone company services before I recommend them to older friends or relatives who are not tech-savvy. This way I also know what carriers work best in my area (urban Los Angeles) as far as reception and signal quality.

    1. timeless

      If they’re on at the same time in the same place, then someone w/ a warrant could use fairly rudimentary analysis to determine they both correspond to you.

      If you turn one off and move a bit and then turn another on, and repeat this process, someone could also perform analysis and determine you’re probably doing just that.

      Anonymizing yourself is actually fairly difficult. Especially from a “nation state” or an entity which is able to expend considerable resources to do analysis.

      OTOH, it is worth it to set up proper 2FA (hardware devices preferred, soft tokens or Google Voice as fallbacks). And it’s definitely worth it to use a proper password manager with unique passwords per service. There’s no reason to make yourself easy to impersonate. Sure, some victims may eventually be made whole, but the time it takes and the frustration involved is almost certainly considerable.

  7. DelilahtheSober

    And I’m not sure if this is helpful info or not, but after reading one of Krebs’ posts I called Verizon and talked to them. I explained about sim card transfer fraud and I said “I want to be identified internally in your databases as a customer who will never transfer my phone number to some other service. If I ever get tired of Verizon, I will just shut off my prepaid service, but I will never ever transfer the number to some other company. If someone makes this request regarding this phone number and this account, you may consider it to be a fraudulent attempt.”

    The CSR had me on hold for about five minutes from start to finish while he confirmed that this was possible and finally said “It’s done.”

    1. R

      Excellent. I will be following up on my own provider mañana. Gods for you.

    2. Robert

      In theory and in fact, this should work. However. A dishonest employee may be able to “override” your wishes to prevent a swap. Or, hackers may be able to work their magic on cell phone accounts like they do to banks to make cash outs via hacking the bank’s software and changing parameters.

      Sorry to be the fly in the oinment but until phone companies (or any company) can isolate such a request from their servers and employees, I will be pessimistic about this working.

      I am in favor of legislation from Washington concerning at least some cyber crimes. Automatic 20 year prison term for any employee who aids and abets in the commission of a crime (like we have read about so many times).

      No plea bargaining for financial crimes. Help us and we won’t send you to a prison where you most likely will be abused and worse. Don’t help us and kiss your a** goodbye. Either way, same prison term. Minimums like 20 years is a good start, no parole.

      Have employees sign yet another form when they are hired, this one alerts them to the prison sentence. May take a while but crimes like this will go down, at least as inside jobs.

      1. DelilahtheSober

        I would agree with you, however it’s better to be proactive and do something – in my case, 1. I do have a pin “security code” and 2. I made the phone call to Verizon as described to provide a secondary protection for my cell phone number and account. There is no 100% guarantee with anything in life.

        1. somguy

          As long as the verizon kid making $7.50 an hour at any mall kiosk across the US has access to bypass all of these protections (which they do), when some guy walks up and offers $100 to sim swap, someone is likely to do it.

          Remember, these sim swaps can ONLY happen if they social engineer verizon service reps on the phone OR offer minimum wage kids at verizon stores/kiosks a BS story or far more likely some money. If one guy says no, they will just find a kid at the next kiosk a mile away who will do it.

          So yeah, they need to make sim swaps not available to any stores unless they clear a call through corporate, and train all corporate on how to do it, and make employees penalized if they do it improperly. From the legal end, they need to prosecute anyone doing this, which looks like they are starting to push on it more.

          Anyway, as long as you know this and you are ok with the risks, more power to you. Just don’t think it’s anything that will do more than slow it down.

    3. Michael

      “… you may consider it to be a fraudulent attempt.”

      “You *may* consider” gives your permission. It *does not* say what you really mean: “The request is fraudulent; deny it.”

    4. Lars

      You can also call and tell them that any changes to your account need to be authorized in store, in person w proof of ID.

  8. rich

    No problem with this guy getting sentenced to 20 years or more

    1. Angus Gordon

      Agreed. Anyone else care to share their idea of a fitting sentence for this crime?
      Stealing $1m from someone…jeez.

  9. vb

    “approximately 28 SIM swaps were conducted using the same employee ID number ”

    It unclear to me if Narvaez was the employee or if Narvaez will be getting a cellmate. Also, I wonder why no conspiracy charges? Seems like a conspiracy to me.

  10. throwback

    lmaooo rip xzavyer, only real ones know who he is, atleast dreya got out while she could rip the mc accounts and twitter names too

    1. On FOENEM

      Y3Y3 Shout Out Xza, Joel, Ricky EVERY1 IN THA COM G3TTIN LOCKED…

      CAN’T DO THE T1ME DON’T DO THE CRIME ON FOE’NEMM,,

  11. CK JAGUAR

    Did you get all that? DON’T use the same phone when you hijack accounts. And at least Google and Verizon cooperate with POLICE on tracking you. Liberals, democrats, progressives and Antifa need to put a stop to this immediately. I’ve never seen a better liberal cause.

  12. Evan Shepard

    go into your cell carrier store and tell them no changes are to be made to the account unless in person with ID. should help prevent this sort of attack. our data is everywhere now.

    1. Moike

      > in person with ID

      And how hard is it to create a fake ID and show up on a store? The original ID is not on file in most cases.

      1. Jorge_C

        Considering the attacker was across the entire continental united states and was only 19, it isn’t crazy to think that requiring all changes to be made in-person might have helped here. Of course if the attacker has help from insider employees I guess its moot until their internal security gets some upgrades.

        1. Readership1 (previously just Reader)

          Crossing the continent takes 6 hours by air from LA to NYC. $137.

          Nyc to Miami is $89. Also crossing the country. 4 hours.

          It’s not only cheap to cross the country, it’s incredibly commonplace. Limiting account access by geography is easily and cheaply circumvented.

  13. Readership1 (previously just Reader)

    I feel like a broken record mentioning this, but the story has a little error:

    AT&T does NOT let PRE-PAID customers protect their accounts from SIM-swapping with a unique code separate from their account password.

    AT&T Wireless limits prepaid customers to a single 4 digit “passcode” to be used for all account changes.

    And it’s initially set to the last four of the phone number.

    This is a gripe of mine.

  14. Doug

    It seems this type of fraud would be relatively simple for a carrier to protect if they cared to put in the time.

    1) Require a pin sent to the current phone be entered before allowing any SIM transfer. The attacker would have to already have the other phone in their possession to make the change.

    2) Setup your system so that only a small handful of much more closely vetted employees can handle any “override” situation.

    3) Have your internal audit group audit the transactions for the #2 group at least once a month.

    If the telco was routinely finding / firing offenses in this regard, the news would get out and employees would be less inclined to take the risk.

  15. Sir Laughsalot

    Play with money laundering and quick buck schemes, expect to loose it quick too. No pity for anyone involved.
    It’s a good thing phone companies don’t hold titles for homes and cars lol.
    Anyone that uses a phone for security is a fool.

  16. PHP

    Set MFA up on O365, and Microsoft demands a fallback phone number. Even if you pick the app. So much for security.

  17. Orph Gibberson

    What about getting a prepaid/burner phone that is only used for 2 factor identification?

  18. SalSte

    Is it about time that we just admit that cryptocurrency is nothing but a scam?

  19. Dfg11333

    Am I the only one who feels giving as much information (email address, although easy to guess) about that person before he is judged is wrong ?

    If it was not for the title mentioning “Alleged”, the rest of the article is basically treating the guy as guilty and giving away all information to make the rest of his life miserable.

    Sure, maybe there is a 99% chance the guy _is_ guilty, but identity theft being a thing, I would always be a bit careful.

    1. CW

      Yeah, I’d assume that most 19 year-olds have enough cash to buy a McClaren. He must have saved up some wages from working at Taco Bell.

      You might want to change those odds to a 99.99999999% chance of being guilty.

  20. JimV

    Who was the “Tiffany Ross” who actually purchased the McLaren? If she is/was his girlfriend, it’s pretty unlikely she was a completely innocent or unwitting accomplice given his lifestyle. Did she flip and become the prosecution’s witness, or will she end up being charged as an accomplice?

  21. Joe jackson

    No picture of the guy can be found anywhere, Facebook has a zillion profiles for this name. This dude doesn’t exist, let be honest here.

    1. -

      I’ve been in a call with him before so I can assure you that he exists.

      Do you really think that someone who engages in that activity would make their facebook public, even if he even had one?

      Plus there has been a picture of him floating around recently, so I don’t know what you’re on about.

  22. Bob

    “The arrest is the third known law enforcement action this month targeting “SIM swappers,”

    I can’t find the story online, but it was on Colombian tv (probably Caracol or RCN–I saw the videon on YouTube). A week or two ago, they busted an outfit in Bogota that was doing SIM swapping there

  23. KFritz

    Other commenters are surprised that the federal government isn’t prosecuting crimes against cryptocurrency holders. Paragraph 2 of this link may explain this:

    “As a medium of exchange, Bitcoin remains today pretty much what it was in 2010: an interesting complement to the existing monetary system, primarily useful for people interested in avoiding legal authorities or living in societies racked by inflation (like, say, in Venezuela or Zimbabwe).”

    https://www.technologyreview.com/s/610783/bitcoin-would-be-a-calamity-not-an-economy/

    In other words, the Feds aren’t terribly interested to aid people in the commission of crimes or the avoidance of taxes.

    In this link, the economist Michael Hudson bluntly states that most of the wealth represented by Bitcoin likely comes from crime.

    https://michael-hudson.com/2018/04/high-cost-economy/

    1. PattiM

      …it also squanders an INCREDIBLE amount of our remaining finite energy sources – something like several percent per year – with no tangible or otherwise useful output. (Most analyses of energy use aren’t done by physicists, so energy and power are usually incorrectly calculated.) Just sayin’

  24. PattiM

    It hasn’t been very long at all that “two factor authentication” was listed as being really good security. First law of cybernetics suggests that the more complex we make the security system, the more exploits are built-in (since our brains can’t possibly visualize systems that complex). I guess that’s the reason there are bugs in software, CPUs, etc. It seems to be build/patch/build-more/patch-more/… and all the time folks are using exploits.

  25. jose

    maybe someone needs to pay KELLY richard KIRKENDALL a visit?

Comments are closed.