Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Bitcoin Crime Privacy Security Technology

Cops Accuse 20-Year-Old College Student of Stealing More Than $5 Million in Bitcoin by Hijacking Phone Numbers (vice.com) 71

California authorities say a 20-year-old college student hijacked more than 40 phone numbers to steal $5 million in Bitcoin, including some from cryptocurrency investors at a blockchain conference Consensus. Motherboard, which broke the story citing court documents: This is the first reported case of an alleged hacker who was using SIM swapping (also known as SIM hijacking or Port Out Scam) specifically to target people in the blockchain and cryptocurrency worlds.

Joel Ortiz was arrested at the Los Angeles International Airport on his way to Europe, according to sources close to the investigation, who said Ortiz was flashing a Gucci bag as part of a recent spending spree they believe was financed by the alleged crimes. He is facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him on the day before his arrest.

This discussion has been archived. No new comments can be posted.

Cops Accuse 20-Year-Old College Student of Stealing More Than $5 Million in Bitcoin by Hijacking Phone Numbers

Comments Filter:
  • by jholder ( 22001 ) on Monday July 30, 2018 @01:15PM (#57034472) Homepage Journal

    No doubt the phone companies whose processes were criminally negligent in allowing a person like this to engineer transfer of the number will also be brought to trial and punished.

    Ha ha ha. I crack myself up!

    • by dissy ( 172727 ) on Monday July 30, 2018 @02:08PM (#57034920)

      No doubt the phone companies whose processes were criminally negligent in allowing a person like this to engineer transfer of the number will also be brought to trial and punished.

      Ha ha ha. I crack myself up!

      Something you may find even more hilarious, or sadly hilarious perhaps.

      When the company I work for was sold, our new parent company wanted to bring our phone system into their fold, and into their main account.
      At the very end of the transition we had a big conference call with everyone involved with the cut-over, myself as the POC here, the technical POC at HQ, one of the HQ phone company reps, and a couple people who specialize in Cisco VoIP in case anything went wrong.

      They asked me if I was ready for them to pull the trigger on porting our 100 DIDs (aka our outside phone numbers) over to their phone co, so I replied by asking if I should conference in our own phone company rep to authorize the port.

      Their reply: That won't be necessary, we will initiate it on our end.

      Over the next 10 minutes each number was moved (I assume they were doing each one by hand instead of scripted/automated) and said I should start verifying the ones on our critical list as still functional.
      From a technical stand point, all went well and worked.
      From a procedural stand point, what the fucking hell?!?

      No authorization, no informing our phone co this was happening, nothing in place to prevent it, and most disturbing, nothing from the phone co to me to even say it happened.

      I called them up after the conference call anyway to ensure service was terminated. I was told *that* part was automated!
      Once the numbers are ported off-network the current bill will be prorated for the rest of the month, the account closed at the end of the month, and that I'd be contacted within 30 days after termination to arrange for returning their CPE to them...

      This is all just SOP when it comes to porting numbers around.
      The only response they seem to have if done by mistake is to port the numbers back, after the fact, and presumably after any damage is done.

      • by Yalius ( 1024919 ) on Monday July 30, 2018 @02:23PM (#57035036)
        Want to know what's worse?

        Per FCC regulations, your phone company can NOT initiate a confirmation contact once a port-out has been initiated. If the account #'s, names, and security information are correct in the port-out request initiated by the new phone company, the old provider has no legal authority to question or verify the legitimacy of the port-out request and must complete the port-out within 24 hours or show good reason it could not technically be completed. And they are not allowed to contact you for any reason regarding the number port.
        • You know what's worse? We were cheering this portability change because we didn't want to be owned by our phone overlords.

          That said, I prefer this and the possibility of fraud. Honestly, let's say the old company had to confirm the phone number change. How well do you think that line would be staffed? How much money and resources do you really expect a company to provide to say farewell to business.

          Whenever I cancel a subscription, I usually get sent to a queue that feels like it must be manned by 3 peo

      • by bws111 ( 1216812 ) on Monday July 30, 2018 @02:40PM (#57035158)

        That is the process that the FCC says must be followed. Customer contacts new carrier, new carrier contacts old carrier, old carrier may not refuse request, transfer must be completed by midnight the same day. If the old carrier required authorization from you that could result in them either refusing the transfer (not allowed) or failing to meet the transfer deadline.

        The idea is to make it easy for customers to switch carriers without being given the run-around, having to jump through hoops, or being given the hard sell from the old carrier. Of course, where there is convenience there is always the possibility of fraud.

    • by mjwx ( 966435 )

      No doubt the phone companies whose processes were criminally negligent in allowing a person like this to engineer transfer of the number will also be brought to trial and punished.

      Ha ha ha. I crack myself up!

      Good one... The next thing you'll be expecting is for phone companies to put in methods to prevent this kind of thing from happening in the future like an ID requirement for picking up SIM cards, a callback to the previous number to confirm or a MFA system.

      Erm... like they use in the ROTW.

  • Is there even a point to stealing that much money? Like, a quarter bitcoin or whatever might be too small-time to be investigated, but stealing $5M? Wouldn't it be trackable to him pretty much the moment he purchased something with that money? (or, at the very least, after the purchase of anything that would need to be shipped to him?) I've never looked at cryptos, so I might be off in my understanding here.
    • by fadethepolice ( 689344 ) on Monday July 30, 2018 @01:37PM (#57034664) Journal
      It's pretty easy to wash bitcoins. I'm thinking this person did not do that. Since they did not actually purchase the bitcoins, there is no tie to them on the blockchain. Send the bitcoins anonymous online converter and convert the bitcions to ethereum, I ran through the process once just to see how it worked, but can't remember the name of the service at the moment. They are out there though. They generate a temporary wallet then send the coins back to you on a wallet you provide, which you then never have to use again. Then convert the ethereum (or litecoin, whatever) to Monero. After that use a separate online converter to convert your Monero back to bitcoin. Transfer the bitcoins to a hardware wallet. At that point you have generally removed all blockchain connections. You want to do all of this on new virgin equipment and networks not connected to you in any way. I'm way more interested in how the bitcoins were obtained in the first place. How can you access a coinbase or similar account with someone's phone number?
      • and that is why the bitcoin exchanges need to be covered by banking laws. Now much info will they giveup? or will they hide over seas?

        • and that is why the bitcoin exchanges need to be covered by banking laws. Now much info will they giveup? or will they hide over seas?

          Sure they should... None... Yes.

          The issue with any of the crypto is also their strength, they are not centralized and are uncontrollable by law.

          So, if you dabble in crypto, it's like trading gold bullion in the wild west. Yea, you can buy *anything* you like with it, but if it gets stolen, it's gone. Smart money doesn't hold crypto online very long or use exchanges except when necessary, but you offline it ASAP. Just like you don't carry more bullion than you need for your trip and hide the rest.

          • but when it's being used to buy drugs / hitmen the "banks" can be seen as accessory to crime

            • The whole thing breaks down into a question of legal jurisdiction fairly quick. The uncentralized nature of crypto means that you can use a "bank" for the transaction that isn't legally part of the jurisdiction of where the crime is committed. So you can get accessary charges or conspiracy charges filed on entities which cannot be forced to appear and stand trial or pay fines. (Just ask Robert Mueller about how this works, most of the charges from that investigation are like this so far.)

          • by rtb61 ( 674572 )

            That's not even the worst bit, once you get known for a bigger account, well, all they need is you and they have the username and password. Crypto is rapidly becoming the wild wild west, neck deep in crime and becoming quite dangerous. Like who did this idiot steal 5 million dollars from, can they even claim it back from the police because dirty money. The safest place for this idiot is probably prison but their chances of survival after that pretty slim.

      • I'm way more interested in how the bitcoins were obtained in the first place. How can you access a coinbase or similar account with someone's phone number?

        Do you really want to know? You may read this blog [medium.com] about how he lost the control of his coinbase account due to the people in telecom company. 2FA doesn't help if the registered phone number to the account is changed.

    • > Is there even a point to stealing that much money?

      I've been working in security and paying attention to the justice system for a long time. I've learned that crooks don't normally get caught the first time; they keep doing it until they get caught.

      Stealing $100 or $1,000 or 10,000 isn't enough to change your life, just enough to risk going to jail or prison. To materially change your life, you'd have to steal $1,000 over and over again, until you got caught.

      If someone steals $5 million in one weekend

  • Wrong approach... (Score:4, Interesting)

    by b0s0z0ku ( 752509 ) on Monday July 30, 2018 @01:20PM (#57034526)

    He should have run the scam from abroad and used the money to buy residence in a non-extradition country... In all seriousness: he used his own phone and expected not to be caught?

    Two more points:
    (1) $1 million bail is more than many murderers get. This shows the priorities of the state -- fortunes of tech squillionaires are worth more than human lives.
    (2) The phone companies that apparently make SIMs stupidly easy to port-out should share the blame.

    • by Chryana ( 708485 )

      I think this type of crime will become much more difficult very soon. I mean, at least 40 phone numbers were bound to the same IMEI! To me, this is clearly a sign of criminal activity. The phone company should have tipped the cops way before that. Anybody considering this type of theft will eventually have no choice but to get a new phone for every 4 or 5 numbers stolen.

      • If they can port the numbers out, can't they port them to some cut-rate VoIP provider that supports SMS/texts?
    • Why should the bail limit always be correlated to the severity of the crime? It's meant to be a financial disincentive for skipping out on the trial. Ideally it should be a significant portion of the proceeds of the crime, especially if it's possible he'd done this more times than authorities know about.
    • by mjwx ( 966435 )

      He should have run the scam from abroad and used the money to buy residence in a non-extradition country... In all seriousness: he used his own phone and expected not to be caught?

      Two more points:
      (1) $1 million bail is more than many murderers get. This shows the priorities of the state -- fortunes of tech squillionaires are worth more than human lives.
      (2) The phone companies that apparently make SIMs stupidly easy to port-out should share the blame.

      As to #1, firstly, bail is mostly based on flight risk, so someone who is not likely to flee or does not have the means to flee is given a lower bail. Secondly, any murderer who is believed likely to re-offend is not granted bail. So for a million bucks bond, the state doesn't have to pay to feed and house this miscreant, seems smart to me.

  • by nuckfuts ( 690967 ) on Monday July 30, 2018 @01:28PM (#57034582)

    After domain names started to be worth big money, registrars came up with an added protection against people stealing your domain registration. IIRC they call this "Domain Lock, or "Registrar Lock" or something like that. So perhaps cellular service providers need to implement some form of "SIM Lock".

    • Re:SIM Lock (Score:4, Insightful)

      by b0s0z0ku ( 752509 ) on Monday July 30, 2018 @01:30PM (#57034596)
      No. It should be implemented by default. Having people pay for security that should always be present is essentially extortion.
      • by Megol ( 3135005 )

        And with the same quality reasoning: forcing everyone to pay for security most don't need - isn't that filthy socialism?

      • > Having people pay for security that should always be present is essentially extortion.

        Why? That doesnt do much in the big picture.

        How about: never treat control of a phone number as a security factor?

        There are so many good ways to do second factor auth; a legacy phone line account should never be a part of the mix.

    • ATT sim lock = free limited unlock $5-10/mo full unlock $20/mo

      limited unlock is needed to use a non ATT phone. Full unlock needed to use let you use 2th sim in phone or be able to unlock your att phone for other sims.

  • but not clever enough to avoid getting caught.

    wouldn't you just be paranoid as all hell if you had done something like this ?

    flashing a gucci bag ? wtf ?

    • You got to admit it's the dumb criminals that get caught. My brother in law, who is a local cop, can tell you a lot of stories about how stupid they usually are. Like stealing a pile of stuff from somebody's garage then heading to the local pawn broker, using their real names and ID's to sell it, the same day and standing there while the broker calls the police...

      But this guy was smart enough to steal it, You'd think that after amassing all this currency he would have laundered it though a couple of crypto

      • by Nidi62 ( 1525137 )

        But this guy was smart enough to steal it, You'd think that after amassing all this currency he would have laundered it though a couple of crypto currencies using multiple exchanges or something to hide the facts and make it untraceable...

        He knows better than anyone how unsafe it is to keep your money in cryptocurrencies. The last thing you want is for someone to steal your hard earned stolen money.

      • Comment removed based on user account deletion
        • I have a friend who owns a check cashing business that I do IT work for pro-bono.. I can assure you that he's very careful about what checks he is cashing and for whom he's cashing them. He has a number of fake checks in his hands that the person trying to cash it left when they figured out that they where not getting it back w/o having a conversation with the police. It's kind of obvious too, when they bail like that.

          Also, he doesn't buy stuff or deal with crypto currencies at all. He's more concerned a

          • What kind of moron does free work for someone running that kind of scammy, high profit, 'cheat the idiots', RTO type business?

            Next you'll tell me you volunteer for the Democrats...just fuck.

            • LOL.. I do pro-bono work for him because he cannot really afford to pay me and I cannot afford to get paid due to the paperwork my employer would require and the tax implications of having a side job. Besides, he is my friend.

              Also, he's actually providing a community service cashing checks and only collects 1-3% depending on the risk. If you cash checks there often from the same source with similar values, you get the preferred rate. If you show up the first time with a huge check you may walk away disa

  • about getting in trouble with the law for stealing a currency used to buy drugs and launder money...
  • So basically this two factor authentication all these companies are trying to force on you is pretty much just a scam to get your phone number.
    • Real 2FA does not require your phone number. SMS-based 2FA is known to be flawed and vulnerable to attacks like this. Real 2FA just needs ANY device, a mobile phone is just a good one since you'll usually have it with you and if your PC is infected your phone won't be. As long as this device has an accurate clock and has a way to do an initial sync with the server (usually by scanning a QR code and inputting a test 2FA code to ensure sync was successful), you're good.
  • by Locke2005 ( 849178 ) on Monday July 30, 2018 @02:47PM (#57035222)
    My housemate, who had land line phone service in his name, moved out. I called up the phone company, and told them I needed to put the phone in my name. They told me that for security reasons my ex housemate had to do that himself. So I asked them, "So, if I hang up and call you right back claiming to be him, you'll put the phone in my name?" There reply was, "Yes." I did, and they did.
    • My housemate, who had land line phone service in his name, moved out. I called up the phone company, and told them I needed to put the phone in my name. They told me that for security reasons my ex housemate had to do that himself. So I asked them, "So, if I hang up and call you right back claiming to be him, you'll put the phone in my name?" There reply was, "Yes." I did, and they did.

      Years ago when I worked for a large corporation I added my phone to their account. All it took was a call to say I work for X please put me on the corporate account and it was done. When I left and called to transfer it back I was told the "person in charge of phones at X" needs to call and do that. I asked who that was and they didn't know, and when I asked what happens if I just stop paying they said , no problem, X just pays. Since I wanted my number back I had a friend call and say they were the person

  • Let's see another round of "the wave" in a stadium filled with blockchain fanboyz continually screaming it's a technology going to change the world and every bank needs to jump there now!
    Oops.....
  • What a lamer. Gucci? For real? He should have just gotten a Tumi bag.

  • Let's say that your real name is "John Smith", with a cellphone listed in that name.

    Get a burner phone, under the name of "Jane Doe". Use that number for your bitcoin stuff. That's your "bitcoin phone number"

    Identity thief knows that John Smith is into bitcoin. So he hijacks the "John Smith" phone number, which is useless for his purposes. Or is there some way for the actual "bitcoin phone number" to leak out to him?

Avoid strange women and temporary variables.

Working...