A hacker allegedly stole over $5 million in bitcoin by hijacking phone numbers and demanding ransoms.
According to authorities in California, a 20-year-old college student hijacked more than 40 phone numbers and stole millions of dollars’ worth of bitcoin. Some of his victims included cryptocurrency investors visiting the Consensus blockchain conference.
We’ve been hearing reports of similar attacks for the past few months. Now, it appears law enforcement is starting to close in on the attackers.
On July 12, police in California arrested Joel Ortiz, a 20-year-old student from Boston, according to a report from Motherboard. Motherboard, Vice’s tech-oriented website, obtained court documents related to the arrest.
“This is the first reported case against someone who allegedly used the increasingly popular technique known as SIM swapping or SIM hijacking to steal bitcoin, other cryptocurrencies, and social media accounts.”
How did he do it? Well, like similar SIM attacks, Ortiz and his associates took over phone numbers, then used those numbers to get past two-factor-authentication-style systems.
SIM swapping consists of tricking a carrier like AT&T or Verizon into transferring the target’s phone number to a SIM card controlled by the criminal. Once the transfer is complete, the hacker can reset the victims’ passwords and break into their online accounts.
You might think you’re in complete control of your digital identity. You might think your phone number is safely in your hands. Unfortunately, your phone number is controlled by your carrier, and your carrier can be a weak point in your security system.
This type of attack is known as a port-out scam. It’s surprisingly easy to pull off and requires little advanced hacking knowledge: if you can call a carrier and convince them to make the switch, then you can successfully pull off the attack.
In this latest incident, Ortiz and a group of associates specifically targeted people involved in crypto and blockchain. The group allegedly targeted multiple individuals during the high-profile Consensus conference in New York City in May 2018.
California law enforcement authorities arrested Ortiz at Los Angeles International Airport on his way to Europe.
Motherboard cited “sources close to the investigation” when saying that Ortiz was carrying a Gucci bag and other flashy items when arrested – part of a recent spending spree with his ill-gotten gains.
Joel Ortiz is now facing 28 charges, including 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft. The charges were filed against Ortiz the day before his arrest. After being arrested, Ortiz told investigators that he and his associates have access to millions of dollars in cryptocurrency.
Ortiz Allegedly Stole Bitcoin And Sold Social Media Profiles For Crypto
Joel Ortiz was allegedly part of the prolific OGUSERS community of SIM hijackers. OGUSERS isn’t officially a website for SIM hackers. Instead, it’s a website where users can trade valuable Instagram or Twitter handles. Members of the community may hack a high-profile account using SIM hijacking techniques, then sell access to that account via the OGUSERS website.
Ortiz allegedly controls some single-letter and single-number social media accounts on Instagram and Twitter, highly coveted accounts that can sell for thousands. Police reports suggest that he may own the @0 account on Instagram, for example.
In addition to stealing and selling social media accounts using SIM hijacking techniques, Ortiz also allegedly stole more than $1.5 million from a single crypto entrepreneur during the Consensus conference in New York. The stolen funds included $1 million the entrepreneur had recently raised through an ICO.
“I looked at my phone and it was dead,” the entrepreneur revealed in a statement to Motherboard. That entrepreneur asked to remain anonymous. He knew immediately what was going on because a friend had been hacked in a similar way the previous day.
After taking control of the entrepreneur’s phone number, Ortiz allegedly reset his Gmail password, then gained access to his crypto accounts. The entrepreneur sprinted to the nearest AT&T store to reclaim his number, but it was too late.
Ortiz Allegedly Harassed Victims’ Wives And Daughters To Steal Money
Joel allegedly used some shady tactics to steal money from his victims. Ortiz saved some of his dirtiest tricks for one high-profile victim, an investor involved in blockchain projects.
Ortiz allegedly targeted the investor in February and March 2018. He hijacked his number twice, reset passwords to his email and crypto accounts, and even added his own two-factor Google Authenticator app to lock the victim out.
Ortiz then took things a step further, harassing the victim’s daughter and calling the investor’s wife demanding bitcoin.
“TELL YOUR DAD TO GIVE US BITCOIN,” Ortiz screamed at the daughter in an iMessage conversation included in court documents.
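The takeovers described above follow one sequence: the phone number moves to a new SIM, passwords are reset, and in one case a new authenticator app is enrolled to lock the owner out. As an added example (not taken from the Motherboard report or the court documents), the Python sketch below shows how an online service could flag that sequence in its own account events. The event names, field names and sample data are constructed, and it assumes the service receives a signal when the SIM behind a user's number changes.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the court documents). Field names and
# event types are hypothetical; "sim_change" assumes the service gets a signal
# when the SIM behind a user's number changes.
EVENTS = [
    {"ts": "2018-03-01T09:00:00", "account": "dana", "type": "sim_change"},
    {"ts": "2018-03-01T09:07:00", "account": "dana", "type": "password_reset"},
    {"ts": "2018-03-01T09:12:00", "account": "dana", "type": "mfa_enroll"},
    {"ts": "2018-03-02T10:00:00", "account": "alice", "type": "password_reset"},
    {"ts": "2018-03-03T08:00:00", "account": "bob", "type": "sim_change"},
    {"ts": "2018-03-09T08:00:00", "account": "bob", "type": "password_reset"},
    {"ts": "2018-03-04T11:00:00", "account": "carol", "type": "sim_change"},
    {"ts": "2018-03-04T11:30:00", "account": "carol", "type": "password_reset"},
]

SENSITIVE = {"password_reset", "mfa_enroll"}


def flag_takeover_chains(events, window=timedelta(hours=24)):
    """Return alerts for sensitive changes made shortly after a SIM change."""
    last_sim_change = {}   # account -> time of most recent SIM change
    alerts = {}            # (account, sim_change_time) -> follow-up event types
    # ISO 8601 timestamps of equal length sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "sim_change":
            last_sim_change[acct] = ts
        elif ev["type"] in SENSITIVE and acct in last_sim_change:
            changed = last_sim_change[acct]
            if ts - changed <= window:
                alerts.setdefault((acct, changed), set()).add(ev["type"])
    results = []
    for (acct, changed), followups in sorted(alerts.items()):
        # Reset plus a new authenticator is the lock-out pattern: critical.
        severity = "critical" if followups == SENSITIVE else "high"
        results.append({"account": acct, "sim_change": changed.isoformat(),
                        "followups": sorted(followups), "severity": severity})
    return results


if __name__ == "__main__":
    for alert in flag_takeover_chains(EVENTS):
        print(alert)
```

A service acting on these alerts could hold password resets and authenticator changes for the flagged account until the owner is verified through a channel that does not depend on the phone number.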
How Did Police Catch Ortiz?
Police eventually tracked down Ortiz in a surprisingly simple way.
After the investor mentioned above was hacked, he reported the incident to police. Police – including investigators from the Regional Enforcement Allied Computer Team in California – sent a warrant to AT&T asking it to disclose call records for the days during which the investor’s number was out of his control.
Those call records revealed that the investor’s number was used by two Samsung Android phones. Those phones were identified by their IMEI numbers. The investor told police he did not use Samsung phones, leading investigators to conclude the hacker used the devices.
The cops then sent Google a search warrant for data connected to those IMEI numbers. That warrant revealed three email addresses associated with the IMEI numbers, including a Gmail account and a Microsoft Live account.
Investigators combing through the Gmail account found plenty of evidence linking the account to Ortiz and his criminal activities. There was a picture of Ortiz holding his Massachusetts ID card, for example, along with an email about SIM swapping. Other emails revealed that Ortiz purchased domains like tw-tter.com, presumably for phishing attacks.
Police then served warrants to Coinbase, Bittrex, and Binance, all of which were exchanges used by Ortiz. This revealed that Ortiz had moved more than $1 million in various cryptocurrencies through the exchanges.
To date, police have seized approximately $250,000 in cryptocurrency from Ortiz. It’s unclear where Ortiz is hiding the remaining stolen funds.
SIM Swappers Are Preparing For More Arrests
Ortiz was a prominent member of the OGUSERS social media account marketplace, a marketplace where SIM swappers can sell stolen accounts.
That community apparently knew about Ortiz’s arrest long before Motherboard broke the story. On July 18, an OGUSERS member posted a thread titled, “Who do you think is next?”, apparently in reference to his arrest.
One OGUSERS member allegedly told Motherboard that Ortiz has stolen far more than what’s being reported:
“I’ve been in a call with him when he simmed someone, found their private keys, and took 4 mil,” said one OGUSERS member in an online message to Motherboard.
Ortiz’s username on the OGUSERS forum was reportedly “J”. That username was recently banned. Other threads on the forum indicate that other users packed up and left after the Ortiz arrest. “Everyone is gone”, writes one user on the forum. The forum reportedly banned a number of SIM swappers after the Motherboard investigation. Weeks before the Ortiz arrest was revealed, Motherboard had published detailed information about the OGUSERS forum and SIM swapping.
In any case, the community is bracing for more arrests.
Ortiz’s bail is set at $1 million. He remains in prison until his plea hearing, scheduled to take place on August 9.