Call of Duty, SWAT teams, Augur and $3 million of stolen cryptocurrency
The Internet age makes for strange crimes.
In short: a group of people coerced a fellow Call of Duty player with the threat of SWATting, had him SIM swap Augur employees and other targets, and used the hijacked phone numbers to steal about $3 million in cryptocurrency.
To unpack that:
According to the Chicago Sun-Times, there's a group of people playing the Call of Duty video game who fancy themselves hackers. They would meet people in the game and threaten them with "SWATting".
SWATting is the practice of sending a SWAT team to someone's house. The usual procedure is to obtain the target's IP address or other personal details and work out their street address from them. The perpetrator then calls the police pretending to be a person living at that address and claims to be about to go on a shooting spree, to be holding hostages, or similar.
The goal is to get a lot of heavily armed and high-strung police officers to bust in the door of an unsuspecting victim. SWATting has resulted in several deaths, injuries to both police officers and victims, and a lot of jail time for perpetrators in recent years.
It's also led to discussion of whether the ability to send a taxpayer funded hit squad to someone's house on demand is really conducive to civilised living, and if there should be some kind of investigation process, or middle ground between doing nothing and going in guns blazing.
The group of so-called hackers used the threat of SWATting to rope accomplices into their scheme via the Call of Duty game. They would give these unwilling accomplices the names, phone numbers and other details of targets, and then instruct them in how to take over the victims' phone numbers.
With control over the phones, they were able to steal cryptocurrency from specific targets.
How SIM swapping is used
SIM swapping is a technique for gaining control of someone's phone number by having the carrier move it to a SIM the attacker holds. The victim won't know anything has happened unless they try to use their phone, at which point they'll notice it has no service.
The complex steps for carrying out a SIM swap attack go as follows:
- Contact the phone company pretending to be the other person, and say you've lost your old phone and so need your number transferred to your new phone.
- That's all.
It's neither high tech nor difficult, and many phone companies have yet to take it especially seriously, although some ongoing lawsuits might be changing that. The clincher is that phone company retail and customer service employees generally have the ability to move a number to a new SIM, and so can more or less hand it over to third parties, or do so themselves, as they see fit. Control over a phone number is extremely valuable, because so many accounts fall back on it for recovery and verification, but carrier security practices have yet to catch up to that importance.
With control over the victim's phone number, email accounts are often the next target. Sometimes simply holding the phone number and knowing the email address is enough to get in: the attacker starts the account recovery flow, says they have forgotten the password, and elects to have a reset link or security code sent to the phone number wherever the provider allows it.
Once in the victim's email account, hackers will generally make themselves at home by setting up a forwarding rule that copies every incoming message to the hacker's own account, plus a filter that automatically deletes any messages they don't want the victim to see, usually ones from banks or cryptocurrency exchanges.
Because those rules live in the mailbox settings rather than the password, the hacker keeps receiving the victim's mail even if the victim changes their email password. Some victims forward everything to a hacker for weeks without knowing it, giving the hacker a leisurely window in which to scrape out the victim's wallet.
Generally the combination of phone number control and email control is enough to take over any account the victim has, including cryptocurrency exchange accounts. Naturally, confirmation emails, SMS codes and similar checks don't do a lot of good in this situation: every channel the service uses to confirm the account holder's identity now lands with the attacker.
And it's all made possible by one little lie to the phone company. Scary, eh?
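The forwarding-and-deletion setup described above is also what a defender should look for when auditing a mailbox after a suspected SIM swap. The following script is an added example, not code from the original article or from Augur: it takes a list of mail rules in a constructed, provider-neutral format (a real Gmail filter export or Exchange inbox-rule listing would need a small adapter) and flags rules that forward to an address outside the owner's own domains, or that delete, archive or mark as read messages from financial senders or with security-related subjects. The sender and subject patterns, the domain names and the sample rules are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Senders and subjects a SIM-swap attacker would want to hide from the victim.
# Constructed for the example; extend with your own banks and exchanges.
FINANCIAL_SENDER_PATTERNS = [
    r"@(?:[\w.-]+\.)?(?:coinbase|kraken|binance|gemini)\.com$",
    r"@(?:[\w.-]+\.)?(?:chase|wellsfargo|bankofamerica)\.com$",
    r"(?i)\bbank\b",
]
SENSITIVE_SUBJECT_PATTERNS = [
    r"(?i)\b(withdraw(al)?|verification code|password reset|security alert|new (sign-?in|device))\b",
]
# Actions that stop the owner from ever seeing a message.
HIDING_ACTIONS = ("delete", "archive", "skip_inbox")


@dataclass
class MailRule:
    name: str
    conditions: Dict[str, object]  # e.g. {"from": "*@coinbase.com"} or {"any": True}
    actions: Dict[str, object]     # e.g. {"forward_to": "x@y.example", "delete": True}


def _matches_any(text: str, patterns: List[str]) -> bool:
    return any(re.search(p, text) for p in patterns)


def is_external(address: str, owner_domains: List[str]) -> bool:
    """True if a forwarding destination is outside the mailbox owner's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in owner_domains}


def audit_rules(rules: List[MailRule], owner_domains: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, reason) for every rule that fits the SIM-swap pattern."""
    findings = []
    for rule in rules:
        fwd = rule.actions.get("forward_to")
        hiding = [a for a in HIDING_ACTIONS if rule.actions.get(a)]
        marks_read = bool(rule.actions.get("mark_read"))
        catch_all = bool(rule.conditions.get("any"))
        sender = str(rule.conditions.get("from", ""))
        subject = str(rule.conditions.get("subject", ""))
        financial = (_matches_any(sender, FINANCIAL_SENDER_PATTERNS)
                     or _matches_any(subject, SENSITIVE_SUBJECT_PATTERNS))
        scope = "all incoming mail" if catch_all else "financial or security-related mail"

        # Exfiltration: mail copied to an address the owner does not control.
        if fwd and is_external(str(fwd), owner_domains):
            findings.append((rule.name, "high", f"forwards mail to external address {fwd}"))
        # Concealment: the victim never sees the bank / exchange notifications.
        if hiding and (financial or catch_all):
            findings.append((rule.name, "high", f"hides {scope} via {', '.join(hiding)}"))
        elif marks_read and (financial or catch_all):
            findings.append((rule.name, "medium", f"marks {scope} as read, burying alerts"))
    return findings


# Constructed sample rules, as if exported from a compromised mailbox.
SAMPLE_RULES = [
    MailRule("Shopping", {"from": "*@shop.example"}, {"label": "Shopping"}),
    MailRule("Work copy", {"any": True}, {"forward_to": "me@owner.example"}),
    MailRule("Exchange", {"from": "*@coinbase.com"},
             {"forward_to": "drop@attacker.example", "delete": True}),
    MailRule("Backup", {"any": True},
             {"forward_to": "drop@attacker.example", "mark_read": True}),
    MailRule("Alerts", {"subject": "security alert"}, {"archive": True, "mark_read": True}),
]


def main():
    for name, severity, reason in audit_rules(SAMPLE_RULES, ["owner.example"]):
        print(f"[{severity}] {name}: {reason}")


if __name__ == "__main__":
    main()
```

Run against the sample rules, "Shopping" and "Work copy" pass (a forward to the owner's own domain is normal), while "Exchange", "Backup" and "Alerts" are flagged. Catch-all rules are treated as equivalent to financial-sender rules, since a rule that forwards or hides everything necessarily covers the bank and exchange mail too.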
SIM swap-based theft can and does empty both bank accounts and cryptocurrency accounts, but thieves generally prefer cryptocurrency accounts because they offer far more bang for the buck, and it's almost impossible to recover cryptocurrency once it's gone.
Against bank accounts, this method can only pull amounts up to the bank's withdrawal limits, and the transfers can often be reversed and traced much more easily. By contrast, cryptocurrency SIM swap thefts can pull in millions, and while the transactions themselves are public, they are hard to attribute to a person and practically impossible to reverse.
In this case the hackers, or professional fibbers as they might be more accurately called, managed to pull about $3 million of cryptocurrency from their victims. In particular, they got about $800,000 in REP tokens from several Augur employees.
It was enough for Augur to report the campaign to the FBI, which kicked off the investigation.
So far, the FBI has picked up one of the suspects who is believed to have been coerced into participation by the potentially deadly threat of SWATting.
According to the FBI affidavit, he has admitted to helping take over the phones of more than 100 people. But in an interview with the Chicago Sun-Times he said the real number was well under 100, and that he's just as much a victim as anyone else.
"I have done nothing but cooperate with Augur and the FBI," he said. "I have never once profited from anyone [by] crypto-hacking, ever."
Call of Duty, SWAT teams, identity theft and cryptocurrency. The future makes for some strange crimes.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA