US hacker jailed for role in multimillion-dollar SIM swapping campaign

The final member of an international hacking group known as ‘The Community’ has been sentenced for his role in a multimillion-dollar SIM hijacking campaign, the U.S. Department of Justice (DOJ) announced this week.

Missouri resident Garrett Endicott, 22, became the sixth member of the hacking group to be sentenced. He was given 10 months in prison for his part in the campaign, which saw millions of dollars' worth of cryptocurrency stolen from victims, and was ordered to pay $121,549 in restitution.

SIM hijacking, also known as SIM swapping, is a technique whereby an attacker takes control of a target’s phone number, allowing them to receive text messages and other forms of two-factor authentication (2FA) codes that can then be used to log in to the victim’s email, cloud storage, and ultimately their cryptocurrency exchange accounts.

In the case of The Community, the SIM hijacking campaign “was often facilitated by bribing an employee of a mobile phone provider”, according to prosecutors. “Other times, SIM hijacking was accomplished by a member of The Community contacting a mobile phone provider’s customer service — posing as the victim — and requesting that the victim’s phone number be swapped to a SIM card (and thus a mobile device) controlled by The Community.”

The scheme resulted in the theft of tens of millions of dollars in cryptocurrency. Individuals from across the U.S., including California, Missouri, Michigan, Utah, Texas, New York and Illinois, lost cryptocurrency valued (at the time of the theft) from under $2,000 to over $5 million.

The DOJ said the sentenced defendants were involved in total thefts ranging from approximately $50,000 to over $9 million.

Endicott was given a lighter sentence than other members of The Community. Florida resident Ricky Handschumacher was handed four years in prison and fined more than $7.6 million; Iowa resident Colton Jurisic is serving 42 months in prison and was ordered to pay more than $9.5 million; and South Carolina resident Reyad Gafar Abbas was sentenced to two years in prison and fined more than $310,000.

Irish citizen Conor Freedman was previously sentenced to three years in prison by an Irish court, while Connecticut resident Ryan Stevenson was sentenced to probation. Both were ordered to pay some form of restitution.

Endicott’s sentencing comes just weeks after the FCC proposed new rules to help combat SIM hijacking scams. The federal regulator wants providers to adopt more secure methods of authenticating a person’s identity before agreeing to transfer their service to a new phone or to another carrier. It has also proposed a rule that would require providers to notify customers whenever a SIM switch or a port-out request is made on their accounts.