US court sentences SIM-swapping crypto thief to 3 years in jail

A 23-year-old Pennsylvania man has been sentenced to serve 36 months in prison and ordered to pay nearly $3 million in restitution for stealing cryptocurrency executives’ holdings through a SIM-swapping scheme.

Anthony Francis Faulk from Latrobe, Pennsylvania, admitted his role in the conspiracy through a written plea agreement filed on March 2, 2023. In addition to the prison term, the court also ruled for the forfeiture of assets acquired from the proceeds of Faulk’s criminal activities.

As outlined in the agreement, Faulk, using the alias “shade,” collaborated with Matthew Ditman, also known as “lord crump,” and Ahmad Hared, known as “special547” or “winblo,” to perpetrate cryptocurrency fraud and extortion.

The scheme revolved around a practice known as “SIM swapping,” which involved manipulating cellphone companies into granting Faulk and his co-conspirators control over victims’ mobile numbers. With this access, they hacked into victims’ email and other accounts, eventually stealing cryptocurrency and digital assets owned by the victims. The conspiracy took place between October 2016 and May 2018.

Two of Faulk’s accomplices are also facing charges of conspiracy to commit fraud and extortion. Their trials are scheduled for late August and early October 2023.

SIM-swapping is a big concern in the crypto world, especially for those with a lot of valuable assets. This is because people in these circles are more likely to have valuable holdings that hackers want to target.

Numerous online services, including email accounts, digital wallets, and cryptocurrency exchanges, offer users an added layer of security through SMS-based two-factor authentication. These services depend on the SIM card, which functions as a person’s unique identifier. However, relying solely on text-based two-factor authentication is a cybersecurity mistake.

A potential thief could physically steal the victim’s SIM card or bribe telecom employees, as alleged in an unrelated $1.7 million lawsuit against AT&T. Malicious actors could also deceive unsuspecting employees into providing access.

In Faulk’s case, it seems they leaned towards the latter approach. The indictment against him suggests that he employed fraudulent tactics, deceptive practices, and social engineering to persuade representatives from cell phone service providers to grant him control.

It is unclear exactly how the thieves replaced the victims’ mobile SIMs, but the lawsuit suggests they impersonated their identities to AT&T’s customer service agents and requested that the phone number be transferred to their own device.