Cops Accuse 20-Year-Old College Student of Stealing More Than $5 Million in Bitcoin by Hijacking Phone Numbers (vice.com) 71
California authorities say a 20-year-old college student hijacked more than 40 phone numbers to steal $5 million in Bitcoin, including some from cryptocurrency investors at a blockchain conference Consensus. Motherboard, which broke the story citing court documents: This is the first reported case of an alleged hacker who was using SIM swapping (also known as SIM hijacking or Port Out Scam) specifically to target people in the blockchain and cryptocurrency worlds.
Joel Ortiz was arrested at the Los Angeles International Airport on his way to Europe, according to sources close to the investigation, who said Ortiz was flashing a Gucci bag as part of a recent spending spree they believe was financed by the alleged crimes. He is facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him on the day before his arrest.
Joel Ortiz was arrested at the Los Angeles International Airport on his way to Europe, according to sources close to the investigation, who said Ortiz was flashing a Gucci bag as part of a recent spending spree they believe was financed by the alleged crimes. He is facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him on the day before his arrest.
Phone company liability... (Score:3)
No doubt the phone companies whose processes were criminally negligent in allowing a person like this to engineer transfer of the number will also be brought to trial and punished.
Ha ha ha. I crack myself up!
Re:Phone company liability... (Score:5, Insightful)
No doubt the phone companies whose processes were criminally negligent in allowing a person like this to engineer transfer of the number will also be brought to trial and punished.
Ha ha ha. I crack myself up!
Something you may find even more hilarious, or sadly hilarious perhaps.
When the company I work for was sold, our new parent company wanted to bring our phone system into their fold, and into their main account.
At the very end of the transition we had a big conference call with everyone involved with the cut-over, myself as the POC here, the technical POC at HQ, one of the HQ phone company reps, and a couple people who specialize in Cisco VoIP in case anything went wrong.
They asked me if I was ready for them to pull the trigger on porting our 100 DIDs (aka our outside phone numbers) over to their phone co, so I replied by asking if I should conference in our own phone company rep to authorize the port.
Their reply: That won't be necessary, we will initiate it on our end.
Over the next 10 minutes each number was moved (I assume they were doing each one by hand instead of scripted/automated) and said I should start verifying the ones on our critical list as still functional.
From a technical stand point, all went well and worked.
From a procedural stand point, what the fucking hell?!?
No authorization, no informing our phone co this was happening, nothing in place to prevent it, and most disturbing, nothing from the phone co to me to even say it happened.
I called them up after the conference call anyway to ensure service was terminated. I was told *that* part was automated!
Once the numbers are ported off-network the current bill will be prorated for the rest of the month, the account closed at the end of the month, and that I'd be contacted within 30 days after termination to arrange for returning their CPE to them...
This is all just SOP when it comes to porting numbers around.
The only response they seem to have if done by mistake is to port the numbers back, after the fact, and presumably after any damage is done.
Re:Phone company liability... (Score:5, Informative)
Per FCC regulations, your phone company can NOT initiate a confirmation contact once a port-out has been initiated. If the account #'s, names, and security information are correct in the port-out request initiated by the new phone company, the old provider has no legal authority to question or verify the legitimacy of the port-out request and must complete the port-out within 24 hours or show good reason it could not technically be completed. And they are not allowed to contact you for any reason regarding the number port.
Re: (Score:3)
You know what's worse? We were cheering this portability change because we didn't want to be owned by our phone overlords.
That said, I prefer this and the possibility of fraud. Honestly, let's say the old company had to confirm the phone number change. How well do you think that line would be staffed? How much money and resources do you really expect a company to provide to say farewell to business.
Whenever I cancel a subscription, I usually get sent to a queue that feels like it must be manned by 3 peo
Re:Phone company liability... (Score:4, Insightful)
That is the process that the FCC says must be followed. Customer contacts new carrier, new carrier contacts old carrier, old carrier may not refuse request, transfer must be completed by midnight the same day. If the old carrier required authorization from you that could result in them either refusing the transfer (not allowed) or failing to meet the transfer deadline.
The idea is to make it easy for customers to switch carriers without being given the run-around, having to jump through hoops, or being given the hard sell from the old carrier. Of course, where there is convenience there is always the possibility of fraud.
Re: (Score:2)
No doubt the phone companies whose processes were criminally negligent in allowing a person like this to engineer transfer of the number will also be brought to trial and punished.
Ha ha ha. I crack myself up!
Good one... The next thing you'll be expecting is for phone companies to put in methods to prevent this kind of thing from happening in the future like an ID requirement for picking up SIM cards, a callback to the previous number to confirm or a MFA system.
Erm... like they use in the ROTW.
I could use some filling-in (Score:1)
Re:I could use some filling-in (Score:4, Interesting)
and that is why the bitcoin exchanges banking laws (Score:2)
and that is why the bitcoin exchanges need to be covered by banking laws. Now much info will they giveup? or will they hide over seas?
Re: (Score:3)
and that is why the bitcoin exchanges need to be covered by banking laws. Now much info will they giveup? or will they hide over seas?
Sure they should... None... Yes.
The issue with any of the crypto is also their strength, they are not centralized and are uncontrollable by law.
So, if you dabble in crypto, it's like trading gold bullion in the wild west. Yea, you can buy *anything* you like with it, but if it gets stolen, it's gone. Smart money doesn't hold crypto online very long or use exchanges except when necessary, but you offline it ASAP. Just like you don't carry more bullion than you need for your trip and hide the rest.
Re: (Score:2)
but when it's being used to buy drugs / hitmen the "banks" can be seen as accessory to crime
Re: (Score:2)
The whole thing breaks down into a question of legal jurisdiction fairly quick. The uncentralized nature of crypto means that you can use a "bank" for the transaction that isn't legally part of the jurisdiction of where the crime is committed. So you can get accessary charges or conspiracy charges filed on entities which cannot be forced to appear and stand trial or pay fines. (Just ask Robert Mueller about how this works, most of the charges from that investigation are like this so far.)
Re: (Score:2)
but if they use the mail or an wire to send funds to you then that is where they come in.
Re: (Score:2)
That's not even the worst bit, once you get known for a bigger account, well, all they need is you and they have the username and password. Crypto is rapidly becoming the wild wild west, neck deep in crime and becoming quite dangerous. Like who did this idiot steal 5 million dollars from, can they even claim it back from the police because dirty money. The safest place for this idiot is probably prison but their chances of survival after that pretty slim.
Re: (Score:3)
I'm way more interested in how the bitcoins were obtained in the first place. How can you access a coinbase or similar account with someone's phone number?
Do you really want to know? You may read this blog [medium.com] about how he lost the control of his coinbase account due to the people in telecom company. 2FA doesn't help if the registered phone number to the account is changed.
That's how much I would steal (Score:2)
> Is there even a point to stealing that much money?
I've been working in security and paying attention to the justice system for a long time. I've learned that crooks don't normally get caught the first time; they keep doing it until they get caught.
Stealing $100 or $1,000 or 10,000 isn't enough to change your life, just enough to risk going to jail or prison. To materially change your life, you'd have to steal $1,000 over and over again, until you got caught.
If someone steals $5 million in one weekend
Re: (Score:2)
Wrong approach... (Score:4, Interesting)
He should have run the scam from abroad and used the money to buy residence in a non-extradition country... In all seriousness: he used his own phone and expected not to be caught?
Two more points:
(1) $1 million bail is more than many murderers get. This shows the priorities of the state -- fortunes of tech squillionaires are worth more than human lives.
(2) The phone companies that apparently make SIMs stupidly easy to port-out should share the blame.
Re: (Score:2)
Even non-SIM phones can be ported out. Instead of activating a new SIM on the account and putting it in a phone, a "social engineering" hacker can get an entirely new phone with IMEI activated on the account. Same result.
Then again, non-SIM phones are a dying breed in the US. Even "CDMA" carriers like Verizon have moved to SIMs on 4G devices.
Re: (Score:2)
Yes it does -- rich techbros get the best "justice" money can buy.
Murderers can face a death sentence in California, so don't argue about flight risk.
Re: (Score:2)
No, the person you responded to is correct. Bail cost is set based on flight risk and severity of crime. This person was caught while attempting to leave the country. He also has disposable IDs.
The death sentence in California is not a real concern. The last person the state of California officially put to death was over 10 years ago.
https://deathpenaltyinfo.org/n... [deathpenaltyinfo.org]
Re: (Score:2)
The last person the state of California officially put to death was over 10 years ago.
Over 10 years ago? How civilized!
Re: (Score:2)
I think you missed the point of the post I was replying to
Re: (Score:2)
I think this type of crime will become much more difficult very soon. I mean, at least 40 phone numbers were bound to the same IMEI! To me, this is clearly a sign of criminal activity. The phone company should have tipped the cops way before that. Anybody considering this type of theft will eventually have no choice but to get a new phone for every 4 or 5 numbers stolen.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
He should have run the scam from abroad and used the money to buy residence in a non-extradition country... In all seriousness: he used his own phone and expected not to be caught?
Two more points:
(1) $1 million bail is more than many murderers get. This shows the priorities of the state -- fortunes of tech squillionaires are worth more than human lives.
(2) The phone companies that apparently make SIMs stupidly easy to port-out should share the blame.
As to #1, firstly, bail is mostly based on flight risk, so someone who is not likely to flee or does not have the means to flee is given a lower bail. Secondly, any murderer who is believed likely to re-offend is not granted bail. So for a million bucks bond, the state doesn't have to pay to feed and house this miscreant, seems smart to me.
SIM Lock (Score:3)
After domain names started to be worth big money, registrars came up with an added protection against people stealing your domain registration. IIRC they call this "Domain Lock, or "Registrar Lock" or something like that. So perhaps cellular service providers need to implement some form of "SIM Lock".
Re:SIM Lock (Score:4, Insightful)
Re: (Score:2)
And with the same quality reasoning: forcing everyone to pay for security most don't need - isn't that filthy socialism?
Re: (Score:2)
> Having people pay for security that should always be present is essentially extortion.
Why? That doesnt do much in the big picture.
How about: never treat control of a phone number as a security factor?
There are so many good ways to do second factor auth; a legacy phone line account should never be a part of the mix.
ATT sim lock = free limited unlock $5-10/mo full $ (Score:2)
ATT sim lock = free limited unlock $5-10/mo full unlock $20/mo
limited unlock is needed to use a non ATT phone. Full unlock needed to use let you use 2th sim in phone or be able to unlock your att phone for other sims.
he was clever enough to do this (Score:1)
but not clever enough to avoid getting caught.
wouldn't you just be paranoid as all hell if you had done something like this ?
flashing a gucci bag ? wtf ?
Re: (Score:2)
You got to admit it's the dumb criminals that get caught. My brother in law, who is a local cop, can tell you a lot of stories about how stupid they usually are. Like stealing a pile of stuff from somebody's garage then heading to the local pawn broker, using their real names and ID's to sell it, the same day and standing there while the broker calls the police...
But this guy was smart enough to steal it, You'd think that after amassing all this currency he would have laundered it though a couple of crypto
Re: (Score:2)
But this guy was smart enough to steal it, You'd think that after amassing all this currency he would have laundered it though a couple of crypto currencies using multiple exchanges or something to hide the facts and make it untraceable...
He knows better than anyone how unsafe it is to keep your money in cryptocurrencies. The last thing you want is for someone to steal your hard earned stolen money.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I have a friend who owns a check cashing business that I do IT work for pro-bono.. I can assure you that he's very careful about what checks he is cashing and for whom he's cashing them. He has a number of fake checks in his hands that the person trying to cash it left when they figured out that they where not getting it back w/o having a conversation with the police. It's kind of obvious too, when they bail like that.
Also, he doesn't buy stuff or deal with crypto currencies at all. He's more concerned a
Re: (Score:2)
What kind of moron does free work for someone running that kind of scammy, high profit, 'cheat the idiots', RTO type business?
Next you'll tell me you volunteer for the Democrats...just fuck.
Re: (Score:2)
LOL.. I do pro-bono work for him because he cannot really afford to pay me and I cannot afford to get paid due to the paperwork my employer would require and the tax implications of having a side job. Besides, he is my friend.
Also, he's actually providing a community service cashing checks and only collects 1-3% depending on the risk. If you cash checks there often from the same source with similar values, you get the preferred rate. If you show up the first time with a huge check you may walk away disa
There's something ironic (Score:2)
Re: (Score:2)
it's FPMIA prison for your unless you make a deal now!
Re: (Score:2)
Nobody does those things with Bitcoin. That is why Monero was invented.
Two factor authentication (Score:2)
Re: (Score:2)
Phone Company "security"... LOL! (Score:5, Interesting)
Re: (Score:2)
My housemate, who had land line phone service in his name, moved out. I called up the phone company, and told them I needed to put the phone in my name. They told me that for security reasons my ex housemate had to do that himself. So I asked them, "So, if I hang up and call you right back claiming to be him, you'll put the phone in my name?" There reply was, "Yes." I did, and they did.
Years ago when I worked for a large corporation I added my phone to their account. All it took was a call to say I work for X please put me on the corporate account and it was done. When I left and called to transfer it back I was told the "person in charge of phones at X" needs to call and do that. I asked who that was and they didn't know, and when I asked what happens if I just stop paying they said , no problem, X just pays. Since I wanted my number back I had a friend call and say they were the person
The WAvE (Score:2)
Oops.....
"flashing a Gucci bag" (Score:2)
What a lamer. Gucci? For real? He should have just gotten a Tumi bag.
Second phone under assumed name? (Score:2)
Let's say that your real name is "John Smith", with a cellphone listed in that name.
Get a burner phone, under the name of "Jane Doe". Use that number for your bitcoin stuff. That's your "bitcoin phone number"
Identity thief knows that John Smith is into bitcoin. So he hijacks the "John Smith" phone number, which is useless for his purposes. Or is there some way for the actual "bitcoin phone number" to leak out to him?