U.S. authorities charged a 23-year-old Pennsylvania man Wednesday for allegedly stealing cryptocurrency executives’ holdings through a SIM-swapping scheme.
Anthony Francis Faulk faces charges of conspiracy to commit wire fraud and extortion in the Northern District of California for his alleged plot, in which he is said to have turned the stolen funds into cars, a Rolex watch, a house, royalty rights to songs and diamond-encrusted jewelry, according to court documents.
He allegedly stole the money through a series of SIM-swaps between October 2016 and May 2018.
Faulk and unnamed accomplices took control of at least one victim’s cell phone and attempted to access at least three others’ as well, though it was unclear if these other attempts were successful, the indictment alleges.
SIM-swapping is a well-known threat in the upper echelons of crypto circles, whose members are often targeted because of the higher likelihood that they have lucrative holdings.
Many different internet services – emails, digital wallets, exchange accounts – attempt to provide users additional security through SMS-based two-factor authentication. Those services rely on the SIM, the identification system that is effectively an individual’s number.
But relying on text-based two-factor authentication is a cybersecurity faux pas. Cell phones were not built to be security apparatuses, and any number of factors can compromise them outright.
SIM swapping refers to myriad exploitative techniques. In all cases, a successful SIM swap transfers the victim’s cellular identity to the thieves, allowing them to breach associated accounts and change passwords.
A would-be thief could physically steal the victim’s SIM card or bribe telecom employees to become their corporate plants, as is alleged in a separate, unrelated $1.7 million lawsuit against AT&T. Malicious actors can also dupe unwitting workers into giving them access.
Faulk and his co-conspirators are alleged to have used the last of these approaches. The unsealed indictment against him alleges Faulk used “fraud, deception and social engineering to induce representatives of cell phone service providers” to gain control.
The indictment does not detail how much cryptocurrency Faulk allegedly seized from his victims. Faulk was arrested in Latrobe, Pennsylvania, Wednesday and is out on $250,000 bond. He is scheduled to appear in court on Jan. 9, 2020, according to a press release from the Department of Justice.