Teenager charged over $50 million SIM-swap cryptocurrency theft

Samy Bensaci, an 18-year-old living in Montreal, Canada, has been charged in connection with the theft of over $50 million worth of cryptocurrency in a SIM-swapping scam.

A SIM swap attack (also sometimes called a Port Out scam) is one where fraudsters manage to trick the customer support staff of cellphone operators into giving them control of someone else’s phone number.

When an online account subsequently sends its authentication token or password reset link to the user’s phone number via SMS, it ends up in the hands of the attacker. In this way a hacker can hijack an email account, and gain access to cryptocurrency wallets if they are not more strongly secured.

According to Lieutenant Hugo Fournier, a spokesperson for the Sûreté du Québec, the fraud that Bensaci was allegedly involved in stole “$50 million from our neighbours to the south and $300,000 in Canada.”

Individuals allegedly targeted by the attack include Dan Tapscott, the head of the Blockchain Research Institute, and his son Alex, a well-known advisor on blockchain technologies and cryptocurrencies.

Many of those targeted by the SIM swap fraud are thought to have attended Consensus, an annual cryptocurrency and blockchain conference held in New York.

Arrested and charged in November, Bensaci was released on CA $200,000 bail and ordered to live with his parents in Northeast Montreal, according to local media reports.

Bensaci is prohibited from accessing any device capable of accessing the internet, which includes computers, tablets, mobile phones, and games consoles, and has been ordered to surrender his passport to local police in order to guarantee he will not leave the country.

In addition, the court has prohibited Bensaci from owning or exchanging any form of cryptocurrency.

In particular, Bensaci is prohibited from accessing “any computer, tablet, mobile phone, game console, including PS3, PS4, Xbox, Nintendo Switch, or any other device capable of accessing the Internet”.

One victim of a SIM swap attack is Robert Ross, who claims he had one million dollars stolen from him after an AT&T customer service representative was tricked into redirecting Ross’s number to a cellphone under the control of a hacker:

“Because of AT&T, the hacker was then able to take control of my Gmail by clicking “forgot password”, which sent a text to the hacker’s phone instead of mine to reset my email password. In minutes, I lost control of my mobile service, email and several other accounts. Then he logged into my financial accounts and used my $1M in US dollars to buy Bitcoin with my $1M and sent it all to himself. He also got picture perfect copies of my birth certificate, passport and driver’s license. This all happened in 20 minutes, and all because of AT&T and a 21-year old criminal. This was most of my life savings and it’s been devastating to my family.”

Ross now runs the website StopSIMCrime.org, which aims to raise awareness and resources about the threat.

But despite Ross’s efforts, SIM swap fraud continues to occur, and some victims have lost much more than $1 million.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.