21-Year-Old Jailed For 10 Years After Stealing $7.5M In Crypto By Hacking Cell Phones (#GotBitcoin?)
A 21-year-old man has been sentenced to 10 years in prison after becoming one of the first people in the United States to be convicted of stealing cryptocurrency by hacking into cell phones. Prosecutors in Santa Clara announced the jail sentence on April 22.
In February, Joel Ortiz had pleaded guilty to theft and accepted the 10-year plea deal.
Ortiz stole more than $7.5 million from at least 40 victims: the press release notes that he then spent $10,000 at a time at Los Angeles nightclubs, hired a helicopter to fly him and his friends to a music festival, and bought top-end Gucci clothes and luggage.
In May 2018, one cryptocurrency entrepreneur in Cupertino lost $5.2 million in a matter of minutes, prosecutors note.
Prosecutors described the one-time high school valedictorian as a “prolific SIM swapper who targeted victims to steal cryptocurrency and to take over social media accounts with the goal of selling them for bitcoin (BTC).”
Illegal SIM swaps often involve duping phone companies into switching cell phone numbers to a new SIM card by providing stolen addresses and social security numbers. From here, hackers can circumvent two-step authentication measures that are designed to keep crypto safe.
Ortiz was detained at the Los Angeles International Airport last year, and investigators say they have only been able to recover $400,000 of the stolen funds. They believe the rest has either been hidden or spent. Prosecutor Erin West said:
“These are not Robin Hoods. These are crooks who use a computer instead of a gun. They are not just stealing some ethereal, experimental currency. They are stealing college funds, home mortgages, people’s financial lives.”
Ortiz had been sentenced on April 19 by a judge after two hearings where victims described the financial devastation caused by his crimes.
In February in a separate case, an individual was indicted in New York for stealing identities and funds, including crypto, in the state’s first SIM swapping prosecution.
He Thought His Phone Was Secure; Then He Lost $24 Million To Hackers
Security researchers agree that for most people, adding text-message authentication is a big step up from only using a password, but that can leave you open to a relatively new attack called SIM swapping.
The first hint that Michael Terpin was about to have his digital life turned upside down—and lose a cryptocurrency windfall potentially valued at $24 million—seemed like an unremarkable annoyance. His mobile phone lost its signal.
But Mr. Terpin wasn’t driving between cell towers. He was working at a desk in his Las Vegas home. Way off in Norwich, Conn., someone had just taken over his phone number.
Within minutes, the hackers began trying to take over his Gmail accounts, using Google’s “Forgot password?” account reset feature. With access to his phone number and email, they were quickly able to steal millions in cryptocurrency from digital wallets Mr. Terpin believed to be secure.
Online, phone numbers have been slowly taking over passwords as our last line of defense against digital intrusions. As it has become clear that passwords alone don’t do enough to keep users secure, technology companies have been pushing an alternative—what they call a second factor of authentication. Most of the time, this second factor is a text message to a user’s mobile phone.
This past May, Google released research showing that by adding a phone number, users could block most types of attacks on their accounts.
Security researchers agree that for most people, adding text-message authentication is a big step up from only using a password. But Google also said that while using a phone number as a security layer stopped most targeted attacks, about a third of them still worked on Google users.
That is partly because of SIM swapping, a relatively new attack where criminals steal a victim’s phone number. It is what undid Mr. Terpin; and it is how hackers were able to post racist and anti-Semitic tweets to the feed of Twitter Chief Executive Jack Dorsey in August.
The odds of someone being hit with a SIM-swapping attack are infinitesimal, but the people who investigate these attacks consider them some of the most harmful they have ever seen. In its rush to jury-rig the mobile phone to fix the glaring problems with password security, the tech industry might have created another long-term risk.
Even before Mr. Dorsey’s incident, law-enforcement agencies across the country have been seeing a rise in SIM-swapping complaints, and the attackers are getting better organized and more adept at covering their tracks, said Nick Selby, director of cyber intelligence at the New York City Police Department.
SIM swappers can operate with surgical precision. Within minutes of breaking into a victim’s Gmail account, they will scour through old email messages looking for any evidence of financial accounts—cryptocurrency accounts for sure, but also social media, bank accounts and even IRAs, Mr. Selby said. In New York, the NYPD is now seeing victims whose online bank accounts were compromised.
“The speed in which this can happen is astounding,” he said.
To get your number, criminals pretend to be you. They might bribe employees, or walk into retail outlets with a fake identity card or enough stolen data to trick the carrier into putting your number on a new phone. (The term “SIM swap” refers to those little “subscriber identity module” chips that your phone uses to store your number.)
In May, federal authorities charged two former AT&T contract employees, saying criminals paid them between $50 and $150 per SIM swap. Authorities say they performed 41 SIM swaps for a group of identity thieves that called themselves “the Community.” A third man, who worked at Verizon, allegedly received $3,500 to provide SIM swappers with the inside information needed to answer security questions designed to protect user accounts, prosecutors said. Verizon said it had fired the former employee and is working with law enforcement on the investigation.
With your phone number under their control, the SIM swappers use the “Forgot my password” tool in various popular online services to take over online accounts. Gmail is usually first, because Google will typically let you reset a password if you control the associated phone number.
Once inside a Gmail account, the criminals lock you out. That means switching Google security settings so that the account can’t be reset via text message when you finally do recover your number. (Carriers can often restore your service in as little as an hour.) Instead, the crooks use Authenticator, a slick mobile app built by Google itself. With the app, even if you recover your phone number, you can still be locked out of your Gmail.
The attack is “super dead simple,” said Allison Nixon, a researcher with the cybersecurity firm Flashpoint.
Back in 2013, online gamers pioneered SIM swapping as a way of stealing prestigious Twitter and Instagram accounts. Sometimes they would do this for laughs, sometimes for money, Ms. Nixon said. By 2016, some realized that they could make big money by targeting cryptocurrency enthusiasts, who were often big holders of digital cash.
Mr. Terpin, a cryptocurrency investor and marketer, was hit on Jan. 7, 2018, at the height of bitcoin mania. The thieves stole some lesser-known cryptocurrencies from him, which they quickly traded for about 1,500 bitcoins. At the time, the booty was ostensibly valued at $24 million.
Here is the really scary part: Mr. Terpin had been SIM-swapped seven months earlier. He got lucky and didn’t lose any money that time, but had taken serious steps to prevent it from happening again. He had consulted with security professionals. He had gone to an AT&T store and added a security feature to his account that required a secret six-digit PIN to make any changes. He removed text-message authentication where he could, replacing it with Google Authenticator.
Mr. Terpin believes employees at an AT&T authorized dealer handed hackers control of his phone number, and those hackers found a way into his digital wallets by breaking into accounts of his that couldn’t be protected by Authenticator.
“On a scale of 1 to 10, I’d say my security protections were a 9.8 or higher,” he said. “But these hackers, all they do is they sit around in a basement and figure out ways of hacking people.”
“It is unfortunate that Mr. Terpin experienced this, but we dispute his allegations,” an AT&T spokesman said in an email message. (The company didn’t say which specific allegations it disputed.) The company is working with law enforcement, industry partners and consumers to combat SIM swapping, he said.
SIM swapping can cost millions, but it is also a deeply personal attack. Investigators with the Regional Enforcement Allied Computer Team, a law-enforcement task force in Santa Clara County, said they know of more than 3,000 victims, accounting for $70 million in losses nationwide. Most of those victims were holding cryptocurrency, said Erin West, a deputy district attorney with the county, but these investigators have also seen SIM swapping used to gather compromising photos for extortion and blackmail, she said.
Victims are often too embarrassed to pursue charges, Ms. West said. “You’re accessing everything about them. You’re accessing their emails of their kids’ soccer games, but also the dispute they had with their sister about their mom’s inheritance,” she said. “It’s a hideous violation of privacy.”
Meanwhile, phone carriers are getting better at flagging warning signs and putting holds on accounts that might be at risk, the NYPD’s Mr. Selby said. But some carriers are better at this than others, he said, and he doesn’t think they can stop it outright.
“What is easier to do is to protect the accounts that are the ultimate target,” he said. “You want to protect your accounts from being able to be reset simply because somebody has your phone number.”
Here’s How To Protect Yourself
Getting to the heart of SIM swapping means understanding the different ways your account can be recovered when you forget your password. The harder you make things for the SIM swappers, the harder it is going to be for you when you lose your phone or forget your password. These steps will take you closer to a state of super-security.
• Call your carrier and add a passcode on your mobile-phone account, and save that passcode in a place where you won’t lose it. (If you are paranoid, call your carrier to see if you can get into your account without it.) AT&T offers an “extra security” option for this.
• Get a password manager like Dashlane and make sure you are using different passwords for your different accounts.
• Try out the “Forgot my password” option on your important accounts and see how they work. You are likely to find that many important accounts—bank accounts for example—can be reset with little more than access to your email, so lock that down first.
• If you want to add an additional factor, try adding a security key such as a YubiKey or Google’s Titan. Many companies that offer online services—from Facebook and Dropbox to Microsoft and Squarespace—have added support for them, which you can generally find in the security settings.
• Once you have a good second factor in place (such as Google’s Authenticator app or a security key), turn off SMS authentication wherever possible. This is a tricky step, since it is hard to recover if you lose your phone or security key, and not all online services will let you. But if they do, the option will be in your account’s security settings; Google and Microsoft both offer it.
• If you are a high-net-worth individual and want to really lock down your account, you can enroll in Google’s free Advanced Protection program. Just make sure that you have several security keys so you don’t get locked out permanently.
Developer Flags Big-Money Loophole For Stealing All The ETH In MakerDAO
What if there were a way to empty all the ETH held by the Maker protocol?
That’s $300 million worth of crypto right now. That’s a lot of money. Even if doing it caused the price to drop in half or even by two-thirds, it could still be well worth the attempt.
Micah Zoltu, an independent software developer who is also one of the co-authors of the original white paper for the decentralized prediction market Augur, published a blog post on Monday describing an attack on MakerDAO that, he argued, could empty all the ETH from the system.
(Users lock ETH into the Maker protocol to generate loans of the dollar-pegged DAI stablecoin.)
The problem, Zoltu writes, is in how Maker is governed: “Some group of plutocrats can control how the system behaves.”
The attack would only be feasible for a few MKR whales if they wanted to act quickly. Zoltu said that 40,000 MKR would be enough if the attack had some sophistication. As of this writing, 48,400 MKR, based on the staking approach of the Maker voting system, could do it right away.
So somewhere between $20 million and $25 million in crypto would need to be deployed to do it. That’s assuming a person could accumulate MKR in a way that didn’t drive up the price, which is unlikely.
“It is worth noting that Maker Foundation could attack the system in this way right now if they wanted,” Zoltu writes. “What is worse, [venture capital firm] a16z has enough MKR on hand right now to execute the attack the patient way!”
Aside from an inside job by the parties most invested in seeing ethereum’s flagship decentralized finance (DeFi) application survive, accumulating enough MKR to carry out the attack may be a significant hurdle.
“I feel like it’d at least double the price,” Joey Krug, a partner at Pantera Capital who has been briefed on the vulnerability, said. “You could probably get a lot of whales to sell to you OTC [over-the-counter] if you were paying double market.”
On the open market, the price would “go bonkers, multiples of what it is now,” Krug said.
That’s only if the attacker had to start from zero MKR, though. So first let’s get into the attack that Zoltu describes and then circle back to the Foundation’s objections.
How It Works
The Maker protocol is governed by the MKR token.
One million MKR has been minted; a sliver of that has been burned. The Maker Foundation still controls several hundred thousand, both in its treasury and in smart contracts that hold them in escrow.
One MKR sells for about $510 as of this writing. Daily turnover is quite variable but lately, there’s been about $4 million to $10 million in MKR turning over daily.
Anyone who holds MKR can put up a proposal as a smart contract on the protocol, one that can change any number of parameters. Maker uses continuous governance so that provisions can be voted to change at any time.
This is especially important right now because the system just made a major upgrade, implementing multi-collateral DAI and the DAI savings rate. This new upgrade is a whole new version of the protocol, such that there are really two kinds of DAI now and users are being asked to convert their old DAI (now called SAI) to the new.
The new system institutes some important security changes, such as a delay on how long it takes for changes voted through to go into effect and an emergency shutdown provision.
The biggest weakness allowing Zoltu’s attack is the fact that the current parameter for governance delay is zero seconds. That is, any governance provision that gets voted through goes into effect immediately.
This is something Wouter Kampmann, head of engineering at the Maker Foundation, said has been discussed in detail by the MakerDAO community, which has decided it is better to have zero delay for now while it determines which kinds of changes should be able to bypass the delay and which ones should still have a delay.
“It’s really a matter of finding that sweet spot there,” Kampmann said.
As long as it’s in place, though, Zoltu argues, the funds locked in MakerDAO are “not safu.”
In a call with CoinDesk, Kampmann said it would not be as simple as saying that all the ETH currently held as collateral by MakerDAO could just be directly moved to a wallet controlled by the attacker.
“The way permissionless, unstoppable code works is that there is certain business logic that determines the rules of how to interact with the contract – and these rules are unchangeable,” Kampmann said.
Zoltu admits it would take cleverness and planning, but at this point, readers who remember the DAO hack may be experiencing familiar chills. Your threat tolerance may vary.
The attack described by Zoltu would also need to be fairly fast. Kampmann expects that the governance delay may well be increased sometime in the first quarter, possibly in January.
It is important to note, though, that this decision is not up to him or Foundation staff.
On The Other Hand
“You cannot just ignore the economics of it,” Kampmann said. “The problem with the model that’s set forth is really in the incentive model.”
There are a small number of whales that have enough MKR to execute this attack now, but they are extremely unlikely to do so. It would send shockwaves across ethereum, and if they hold that much MKR they would likely lose more in other assets than they would gain from stealing the ETH (which would likely drop in value too).
The best thing MKR holders who care about securing the protocol can do, according to Kampmann, is stake their MKR on votes. The more that’s staked, the more expensive this attack will be, and there is a lot of MKR on the sidelines right now.
Krug, who is well acquainted with the crypto investor class, acknowledged that MKR whales are probably well-intentioned, but he also said, “We can’t assume it for sure.”
There are over 16,000 ETH addresses with some MKR, however. If a bunch of minor whales were able to collude without warning the MakerDAO community, they might be able to assemble enough tokens without causing price movements.
The Maker Foundation said this would be very unlikely based on what’s known about MKR liquidity. That is, MKR just doesn’t move around that much.
But Zoltu insists this is not safe enough. He said, “They [the Maker Foundation] are operating under the assumption that there are no dark pools of liquidity available to attackers. This is, kind of by definition, something one cannot know.”
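To make the governance argument concrete, here is an added toy model (written for this page, not Maker’s code) of continuous approval voting with a governance delay. It covers both the zero-delay weakness described under “How It Works” and Kampmann’s point that more MKR staked on the legitimate proposal raises the cost of a hostile one. It assumes the proposal with the most MKR staked wins, that a challenger must stake strictly more than the current leader, and that a lifted proposal takes effect only after the delay; proposal names and the MKR figures are constructed.

```python
"""Toy model of continuous-approval governance with a governance delay.

Written for this page; it is not Maker's code. Assumptions: the proposal with
the most MKR staked on it (the "hat") is the one that may be executed, a
challenger must stake strictly more than the hat to replace it, and a lifted
proposal only takes effect `delay` seconds later.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def mkr_needed_to_take_hat(approvals: Dict[str, float]) -> float:
    """MKR a challenger must stake to out-vote the current hat (assumed rule:
    strictly more than the leader; nominal 1 MKR when nothing is staked)."""
    if not approvals:
        return 1.0
    return max(approvals.values()) + 1.0


@dataclass
class Governance:
    delay: int                                      # governance delay, seconds
    approvals: Dict[str, float] = field(default_factory=dict)
    hat: Optional[str] = None
    scheduled: Optional[Tuple[str, int]] = None     # (proposal, ready_at)
    shutdown: bool = False
    executed: List[str] = field(default_factory=list)

    def stake(self, proposal: str, mkr: float) -> None:
        self.approvals[proposal] = self.approvals.get(proposal, 0.0) + mkr

    def lift(self, proposal: str, now: int) -> bool:
        """Make `proposal` the hat if it out-votes the current one, then plan it."""
        current = self.approvals.get(self.hat, 0.0) if self.hat else 0.0
        if self.approvals.get(proposal, 0.0) <= current:
            return False
        self.hat = proposal
        self.scheduled = (proposal, now + self.delay)
        return True

    def execute(self, now: int) -> str:
        """Try to run the planned proposal; say why it did or did not run."""
        if self.shutdown:
            return "blocked: emergency shutdown"
        if self.scheduled is None:
            return "nothing planned"
        proposal, ready_at = self.scheduled
        if now < ready_at:
            return f"too early: {ready_at - now}s of delay remain"
        self.executed.append(proposal)
        self.scheduled = None
        return f"executed {proposal}"

    def emergency_shutdown(self) -> None:
        self.shutdown = True


def governance_scenario(delay: int, honest_stake: float, rogue_stake: float,
                        react_after: int) -> str:
    """One constructed scenario: a legitimate spell is in place, then a rogue
    proposal is staked and lifted. react_after is how many seconds the
    community needs before it can trigger emergency shutdown."""
    gov = Governance(delay=delay)
    gov.stake("honest_spell", honest_stake)
    gov.lift("honest_spell", now=0)
    gov.execute(now=delay)                  # legitimate change goes through
    gov.stake("rogue_spell", rogue_stake)
    if not gov.lift("rogue_spell", now=1_000):
        return "rogue proposal lacks MKR to take the hat"
    first_try = gov.execute(now=1_000)      # with delay 0 this already runs
    if first_try.startswith("executed"):
        return first_try
    if react_after < delay:                 # reaction fits inside the window
        gov.emergency_shutdown()
    return gov.execute(now=1_000 + delay)


if __name__ == "__main__":
    print(mkr_needed_to_take_hat({"honest_spell": 48_399.0}))
    for d in (0, 86_400):
        print(d, governance_scenario(d, 48_399, 48_400, react_after=3_600))
```

With a delay of zero the rogue proposal runs the moment it is lifted, whereas a one-day delay leaves time for an emergency shutdown, and a larger honest stake means the challenger cannot take the hat at all.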
Cryptojacking Malware Devs Sentenced To 20 Years In Prison
Two members of the prolific Romanian hacker gang Bayrob Group were sentenced to two decades in U.S. prison apiece after their malware mined crypto on 400,000 infected computers.
Group leader Bogdan Nicolescu and co-conspirator Radu Miclaus were sentenced to 20 and 18 years respectively after being found guilty on 21 different counts of wire fraud, money laundering, aggravated identity theft and other crimes, a press release announced Friday. The gang was also accused of developing malware which mined bitcoin and monero using the infected host computers’ processing power.
Tiberiu Danet, a third Bayrob Group member, pleaded guilty in Nov. 2018 to eight charges. His sentencing is scheduled for Jan. 8.
From its founding in 2007 to its members’ apprehension and eventual extradition in late 2016, the Bayrob Group, which operated out of Bucharest, Romania, ran a sprawling hacking and malware operation. They deployed trojan malware in seemingly mundane emails from well-known companies and groups, but when victims attempted to download attachments apparently from Norton, the IRS and Western Union, their computers instead became infected with the Bayrob botnet, according to an indictment.
The botnet allowed its Romanian handlers to steal $4 million total, prosecutors claimed.
The botnet also installed crypto mining software, according to the July 2016 indictment. And it was not discreet; the Bitcoin and Monero mining operation hogged hosts’ processing power.
“Once a bot was instructed to mine for cryptocurrency, much of its processing speed and power would be unavailable to its legitimate owner.”
Bayrob also scanned for and transferred ownership of victims’ crypto wallets, if they had one.
Brazilian Police Bust Alleged Crypto Fraud That Cost Investors $360M
Brazilian police have shut down a purported bitcoin investment scheme they allege stole 1.5 billion Brazilian reals ($359 million).
According to the Paraná state government, civil police in the state raided an unnamed organization in Sao Paulo, Curitiba and other regional cities last Thursday, claiming the group promised as many as 5,000 victims that they could produce sky-high returns on bitcoin investments.
Scammers targeted their network of victims through social media. After the victims sent funds, the suspects told them to wait as their investments grew three to four percent daily. But victims were not allowed to withdraw, the police alleged, and their money disappeared.
The four-month investigation culminated Thursday when police filed charges of fraud, money laundering, criminal association and forgery against the group. They arrested nine individuals in a SWAT operation that involved 50 officers, 20 vehicles and a helicopter.
Previously, Brazilian government officials have used bitcoin for illicit purposes too. In 2018, police busted a $22 million operation that siphoned funds from a prison budget and laundered them through the cryptocurrency.
The country’s government is no fan of bitcoin – whether used criminally or not. President Jair Bolsonaro bad-mouthed bitcoin on national TV in June while simultaneously stating he “doesn’t know” what it is, and former chief central banker Ilan Goldfajn compared it to a “pyramid scheme” during his tenure.
Pennsylvania Man Charged With SIM Swap Conspiracy To Steal Crypto
United States authorities have charged a Pennsylvania man with conspiracy to commit wire fraud and extortion via a series of SIM swaps targeting cryptocurrency execs and investors.
SIM-swapping — alternatively known as a port-out scam — involves the theft of a cell phone number in order to hijack online financial and social media accounts, enabled by the fact that many firms use automated messages or phone calls to handle customer authentication.
As per a Dec. 11 news release from the U.S. Department of Justice, Anthony Francis Faulk, 23, allegedly used “fraud, deception, and social engineering techniques” to persuade telecoms employees to transfer numbers from SIM cards belonging to his targets.
The charges were filed by U.S. Attorney David L. Anderson and FBI Special Agent in Charge John Bennett and were submitted to the U.S. District Court in Northern California.
Charges Carry A Maximum Sentence Of 20 Years
Faulk and his co-conspirators, none of whom are identified, are alleged to have perpetrated their scheme between Oct. 2016 and May 2018.
While the court documents do not disclose the amount of allegedly stolen cryptocurrency, the indictment claims that Faulk used the proceeds to purchase a house, a Ferrari and three other cars, jewelry, a Rolex watch, and royalty rights to twenty songs.
The ill-gotten property will be subject to criminal forfeiture if Faulk is convicted. Following his arrest, Faulk appeared before a court in the Western District of Pennsylvania on Dec. 11.
He has been charged with one count of conspiracy to commit wire fraud and one count of interstate communications with intent to extort.
The former charge carries a maximum statutory sentence of 20 years in prison and a $250,000 fine; the latter carries a maximum statutory sentence of 2 years and, likewise, a $250,000 fine.
Faulk has temporarily been released on a $250,000 bond and is due to appear in court on Jan. 9, 2020.
A persistent threat
SIM-swapping has become an increasing concern for law enforcement and has accordingly brought telecoms firms — gatekeepers of user identity data — under the spotlight for their alleged complicity in the crime.
Michael Terpin — a blockchain and crypto investor who filed a SIM-swapping-related lawsuit against telecoms provider AT&T — told Cointelegraph that the biggest risk to crypto investors “is that major phone companies promise you security and don’t deliver it.”
US Lawmakers Urge FCC to Step Up Its Action Against SIM Swaps
United States lawmakers have appealed to the Federal Communications Commission (FCC) to hold telecoms providers to account for failing to protect consumers against SIM swap attacks.
On Jan. 9, six Democrats from the U.S. House of Representatives and Senate sent a letter to FCC Chairman Ajit Pai, requesting that the agency impose more robust requirements on mobile carriers to mitigate the risks of such attacks.
“Consumers have no choice but to rely on phone companies to protect them”
The lawmakers’ letter reveals that the number of complaints pertaining to SIM swaps has increased from 215 in 2016 to 728 through November 2019, according to the Federal Trade Commission. They note that consumer complaints usually reflect just a small fraction of the actual number of total incidents.
They further point to a November 2019 Wall Street Journal report claiming that a law-enforcement task force in Santa Clara County had revealed it was aware of over 3,000 SIM swap victims, accounting for $70 million in losses nationwide.
In some cases, as the lawmakers underscore, SIM swaps are successful thanks to corrupt telecoms firm employees. While additional security measures, such as requiring customers to show IDs in-store to conduct SIM swaps, have been adopted by some carriers in the U.S. and abroad, their implementation in the states allegedly remains “spotty and consumers are unlikely to find out about the availability of these optional security features until it is too late.”
Aside from risks to consumers, the letter argues that such attacks may endanger national security, noting that “countless […] U.S. government websites used by millions of Americans either allow password resets via email or support two-factor authentication via SMS, which can both be exploited by hackers using SIM swaps.”
The lawmakers posed eight questions to the FCC, among them how many SIM swap incidents it had received, if indeed it had tracked them, as well as inquiries into its coordination with third parties such as banks and its regulations over mobile carriers’ reporting to law enforcement.
The prevalence of SIM-swapping has brought telecoms firms — gatekeepers of user identity data — under increasing pressure for their alleged complicity in the crime.
AT&T, for example, has faced more than one lawsuit accusing it of repeatedly failing to protect user accounts in violation of the Federal Communications Act.
One plaintiff, tech advisor Seth Shapiro, today accused AT&T of marshaling a “host of red herring whataboutism inquiries” in its December motion to dismiss a lawsuit over its role in indirectly facilitating the theft of over $1.8 million in cryptocurrency from Shapiro’s accounts.
Michael Terpin — another blockchain and crypto investor who filed a SIM-swapping-related lawsuit against AT&T — told Cointelegraph that the biggest risk to crypto investors “is that major phone companies promise you security and don’t deliver it.”
Monty H. & Carolyn A.