The cops are starting to close in on hackers who hijack phone numbers to steal Bitcoin and other cryptocurrencies.
On July 12, police in California arrested a college student accused of being part of a group of criminals who hacked dozens of cellphone numbers to steal more than $5 million in cryptocurrency. Joel Ortiz, a 20-year-old from Boston, allegedly hacked around 40 victims with the help of still unnamed accomplices, according to court documents obtained by Motherboard.
This is the first reported case against someone who allegedly used the increasingly popular technique known as SIM swapping or SIM hijacking to steal bitcoin, other cryptocurrencies, and social media accounts. Ortiz and his associates specifically targeted people involved in the world of cryptocurrency and blockchain, allegedly hacking several people during the high-profile Consensus conference in New York City in May.
SIM swapping consists of tricking a provider like AT&T or T-Mobile into transferring the target’s phone number to a SIM card controlled by the criminal. Once they get the phone number, fraudsters can leverage it to reset the victims’ passwords and break into their online accounts (cryptocurrency accounts are common targets.) In some cases, this works even if the accounts are protected by two-factor authentication. This kind of attack, also known as “port out scam,” is relatively easy to pull off and has become widespread, as a recent Motherboard investigation showed.
Ortiz was arrested at the Los Angeles International Airport on his way to Europe, according to sources close to the investigation, who said Ortiz was flashing a Gucci bag as part of a recent spending spree they believe was financed by the alleged crimes.
He is facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him on the day before his arrest.
After being arrested and read his Miranda rights, Ortiz told investigators that he and his “co-conspirators” have access to millions of dollars in cryptocurrency, according to a statement filed in court by the main investigator in the case.
“My fucking SIM got hacked.”
Investigators accuse Ortiz of being a prolific SIM hijacker who mainly targeted victims to steal their cryptocurrency but also to take over their social media accounts with the goal of selling them for Bitcoin. According to the investigators, as well as people in the SIM swapping community, Ortiz was a member of OGUSERS, a website where members trade valuable Instagram or Twitter accounts.
In one of at least three attacks that happened during Consensus, Ortiz allegedly stole more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million that he had crowdfunded in an ICO.
“I looked at my phone and it was dead,” the entrepreneur, who asked to remain anonymous for fear of being targeted again, told Motherboard.
He knew what was going on as soon as he lost service, because the day before, a friend at the conference had also gotten hacked.
“We were having a meeting and all of a sudden he says ‘fuck my phone just stopped working,’” the entrepreneur recalled his friend saying. Later in the day, he said his friend texted him: “My fucking SIM got hacked.”
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
According to court documents, Ortiz took control of the entrepreneur’s cellphone number, reset his Gmail password and then gained access to his cryptocurrency accounts. The entrepreneur ran to the AT&T store to get his number back, but it was too late.
Prosecutors told Motherboard that they still don’t know how or why Ortiz chose his targets in the cryptocurrency world. What they say they know for sure is that there’s a lot of people out there who have been targeted by this scam.
Erin West, the Santa Clara County deputy district attorney, put out a call for more victims to come forward.
“This is happening in our community and unfortunately there are not a lot of complaints to law enforcement about it. We would welcome the opportunity to look into other complaints of this happening,” West told Motherboard in a phone call. “We think that this is something that’s underreported and very dangerous.”
Ortiz’s bail was set to one million dollars. As of this writing, he remains in jail awaiting his plea hearing, set for August 9. Ortiz’s lawyer did not respond to a voicemail left requesting comment.
HOW THE COPS NABBED ORTIZ
According to an investigation report obtained by Motherboard, detectives started looking into the case when one victim, an investor involved in blockchain projects, told police that hackers stole his cellphone number.
Ortiz allegedly targeted the investor between February and March on several occasions. He hijacked his phone number twice, reset passwords on his email and cryptocurrency accounts, added his own two-factor Google authenticator app to further lock the victim out, and even harassed his daughter, according to the case investigators, who are part of the Regional Enforcement Computer Team, a task force made of multiple local California police departments that focuses on cybercrime.
On March 20, Ortiz allegedly called the investor’s wife using the stolen phone number and then messaged the investor’s daughter and friends asking for bitcoin.
To track down the hacker, the investigators first sent the investor’s cellphone provider AT&T a warrant asking to disclose his call records for the the days when the hacker was allegedly in control of the investor’s number. The records provided by AT&T revealed that the investor’s number was used by two Samsung Android phones, which were identified by their IMEI numbers. The investor told investigators he did not use Samsung phones, according to the report.
These were the hackers’ phones, the investigators concluded.
Once the cops had this information, they sent Google a search warrant for data connected to those IMEI numbers.
This revealed three emails associated with those numbers, including a Gmail account and a Microsoft Live account. By searching through that Gmail account, thanks to another warrant sent to Google, the investigators found evidence linking the account to Ortiz and showing potential criminal activity: an email that contained a selfie of Ortiz holding his Massachusetts ID card; an email “containing information about SIM swapping;” emails that showed Ortiz purchased domains such as “tw-tter.com” apparently to use in phishing attacks; and emails from YouTube that showed Ortiz had uploaded videos on how to exploit social media and phone company websites and how to use unknown security vulnerabilities, also known as “zero-day exploits.”
Then, investigators served warrants on the cryptocurrency exchanges used by Ortiz, including Coinbase, Bittrex, and Binance. The information provided by the companies showed Ortiz had moved more than $1 million dollars worth of various cryptocurrencies through those exchanges. The authorities said they have seized $250,000 in cryptocurrency from Ortiz, but said they aren’t sure where other cryptocurrency he allegedly stole is being stored.
The investigators then asked AT&T for “any and all accounts” linked to Ortiz’s IMEI numbers at any point between November 2017 and June 2018. Thanks to this request, they found “approximately forty” AT&T phone numbers, all potential victims of Ortiz’s hacks.
The investigators then called all the alleged victims and found that all their cell phones numbers “were taken over through a process known as ‘SIM swapping,’” as one of the investigators stated in the report.
SIM SWAPPERS BRACE FOR MORE ARRESTS
News of Ortiz’s arrest quickly spread among members of OGUSERS, a marketplace for social media usernames that SIM swapping hackers use to sell stolen accounts.
Last week, on July 18, an OGUSERS member posted a thread titled: “Who do you think is next?” in an apparent reference to Ortiz’s arrest. Around the same time, several hackers who claimed to be OGUSERS members told Motherboard about Ortiz’s arrest, and said he was known in the community for stealing cryptocurrency.
“I’ve been in a call with him when he simmed someone, found their private keys, and took 4 mil,” a person who claimed to know Ortiz told Motherboard in an online chat.
Multiple sources said Ortiz’s account on OGUSERS was “J.” That user was recently banned from the forum. In another forum thread titled “everyone is gone,” users complained that after Motherboard published an investigation into SIM swapping that included information about OGUSERS, many members left. According to sources who frequent the forum, the site administrators have banned several accounts of known SIM swappers after Motherboard’s investigation into the forum.
Ortiz apparently owned some one-letter accounts on Twitter and Instagram. These accounts are extremely rare, given that one would have had to register them right when those platforms launched.
A recent video posted on a Facebook account seemingly owned by Ortiz shows two people dancing in a club holding two signs: an @ an a 0, a handle that Motherboard was able to link to Ortiz.
Meanwhile, the OGUSERS community is bracing for the worst.
“Three staff members have closed their accounts or removed themselves from their positions,” said a member of OGUSERS. “And any simmers still remaining have gone into hiding.”
Another longtime member of OGUSERS, who asked to remain anonymous, is convinced this was just the beginning.
“Anyone who’s ever done anything illegal is going to get snitched on,” he told me in a phone call. “I warned these kids when this was going to happen, and now it’s happening.”
Jordan Pearson contributed reporting.
Solve Motherboard’s weekly, internet-themed crossword puzzle: Solve the Internet.