Cops Accuse 20-Year-Old College Student of Stealing More Than $5 Million in Bitcoin by Hijacking Phone Numbers (vice.com)
California authorities say a 20-year-old college student hijacked more than 40 phone numbers to steal $5 million in Bitcoin, including some from cryptocurrency investors at the blockchain conference Consensus. Motherboard, which broke the story citing court documents: This is the first reported case of an alleged hacker who was using SIM swapping (also known as SIM hijacking or Port Out Scam) specifically to target people in the blockchain and cryptocurrency worlds.
Joel Ortiz was arrested at the Los Angeles International Airport on his way to Europe, according to sources close to the investigation, who said Ortiz was flashing a Gucci bag as part of a recent spending spree they believe was financed by the alleged crimes. He is facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him on the day before his arrest.
He should have run the scam from abroad and used the money to buy residence in a non-extradition country... In all seriousness: he used his own phone and expected not to be caught?
Two more points:
(1) $1 million bail is more than many murderers get. This shows the priorities of the state -- fortunes of tech squillionaires are worth more than human lives.
(2) The phone companies that apparently make SIMs stupidly easy to port-out should share the blame.
No. It should be implemented by default. Having people pay for security that should always be present is essentially extortion.
It's pretty easy to wash bitcoins. I'm thinking this person did not do that. Since they did not actually purchase the bitcoins, there is no tie to them on the blockchain. Send the bitcoins to an anonymous online converter and convert the bitcoins to ethereum. I ran through the process once just to see how it worked, but can't remember the name of the service at the moment. They are out there though. They generate a temporary wallet then send the coins back to you on a wallet you provide, which you then never have to use again. Then convert the ethereum (or litecoin, whatever) to Monero. After that use a separate online converter to convert your Monero back to bitcoin. Transfer the bitcoins to a hardware wallet. At that point you have generally removed all blockchain connections. You want to do all of this on new virgin equipment and networks not connected to you in any way. I'm way more interested in how the bitcoins were obtained in the first place. How can you access a Coinbase or similar account with someone's phone number?
No doubt the phone companies whose processes were criminally negligent in allowing a person like this to engineer transfer of the number will also be brought to trial and punished.
Ha ha ha. I crack myself up!
Something you may find even more hilarious, or sadly hilarious perhaps.
When the company I work for was sold, our new parent company wanted to bring our phone system into their fold, and into their main account.
At the very end of the transition we had a big conference call with everyone involved with the cut-over, myself as the POC here, the technical POC at HQ, one of the HQ phone company reps, and a couple people who specialize in Cisco VoIP in case anything went wrong.
They asked me if I was ready for them to pull the trigger on porting our 100 DIDs (aka our outside phone numbers) over to their phone co, so I replied by asking if I should conference in our own phone company rep to authorize the port.
Their reply: That won't be necessary, we will initiate it on our end.
Over the next 10 minutes each number was moved (I assume they were doing each one by hand instead of scripted/automated) and they said I should start verifying the ones on our critical list as still functional.
From a technical standpoint, all went well and worked.
From a procedural standpoint, what the fucking hell?!?
No authorization, no informing our phone co this was happening, nothing in place to prevent it, and most disturbing, nothing from the phone co to me to even say it happened.
I called them up after the conference call anyway to ensure service was terminated. I was told *that* part was automated!
Once the numbers are ported off-network the current bill will be prorated for the rest of the month, the account closed at the end of the month, and that I'd be contacted within 30 days after termination to arrange for returning their CPE to them...
This is all just SOP when it comes to porting numbers around.
The only response they seem to have if done by mistake is to port the numbers back, after the fact, and presumably after any damage is done.
Want to know what's worse?
Per FCC regulations, your phone company can NOT initiate a confirmation contact once a port-out has been initiated. If the account #'s, names, and security information are correct in the port-out request initiated by the new phone company, the old provider has no legal authority to question or verify the legitimacy of the port-out request and must complete the port-out within 24 hours or show good reason it could not technically be completed. And they are not allowed to contact you for any reason regarding the number port.
That is the process that the FCC says must be followed. Customer contacts new carrier, new carrier contacts old carrier, old carrier may not refuse request, transfer must be completed by midnight the same day. If the old carrier required authorization from you that could result in them either refusing the transfer (not allowed) or failing to meet the transfer deadline.
The idea is to make it easy for customers to switch carriers without being given the run-around, having to jump through hoops, or being given the hard sell from the old carrier. Of course, where there is convenience there is always the possibility of fraud.
My housemate, who had land line phone service in his name, moved out. I called up the phone company, and told them I needed to put the phone in my name. They told me that for security reasons my ex housemate had to do that himself. So I asked them, "So, if I hang up and call you right back claiming to be him, you'll put the phone in my name?" Their reply was, "Yes." I did, and they did.
I've abandoned my search for truth; now I'm just looking for some useful delusions.