Six people have been indicted for allegedly being SIM card swappers who stole victims’ identities and their cryptocurrency, and three mobile phone company employees have been indicted for allegedly accepting bribes to help them steal subscribers’ identities.

On Thursday, federal prosecutors in the US Attorney’s Office for the Eastern District of Michigan said that the six alleged hackers are part of a hacking gang called “The Community.” The gang allegedly carried out seven attacks that netted a cryptocurrency haul valued at more than US $2.4 million.

The unsealed indictment charges Conor Freeman, 20, of Dublin, Ireland; Ricky Handschumacher, 25, of Pasco County, Florida; Colton Jurisic, 20, of Dubuque, Iowa; Reyad Gafar Abbas, 19, of Rochester, New York; Garrett Endicott, 21, of Warrensburg, Missouri; and Ryan Stevenson, 26, of West Haven, Connecticut, with conspiracy to commit wire fraud, wire fraud and aggravated identity theft.

How the crooks swing a SIM swap

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number …and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.

Prosecutors allege that The Community got control of victims’ mobile phone numbers and intercepted phone calls and text messages. They often purchased help by bribing an employee of a mobile phone provider. Other times, they used social engineering: contacting a mobile phone provider’s customer service; posing as the victim; and sweet-talking their way into having the victim’s phone number swapped to a SIM card in one of their own mobile devices.

Prosecutors also allege that The Community bribed the other three people charged in the indictment, who are all employees at mobile phone service companies – Jarratt White, 22, of Tucson, Arizona; Robert Jack, 22, of Tucson, Arizona; and Fendley Joseph, 28, of Murrietta, California. The three allegedly helped the hackers steal subscribers’ identities.

The indictment claims that once the gang had control of a victim’s phone number, they’d use it as a gateway to gain control of online services such as email, cloud storage, and cryptocurrency exchange accounts.

The Community gang members allegedly tried to hijack victims’ cryptocurrency wallets or online cryptocurrency exchange accounts so as to clean them out of funds. The indictment alleges that the defendants executed seven attacks that resulted in the theft of cryptocurrency valued at $2,416,352.

If convicted of conspiracy to commit wire fraud, each defendant faces a statutory maximum penalty of 20 years in prison. The charges of wire fraud each carry a statutory maximum penalty of 20 years, while the aggravated identity theft in support of wire fraud charge carries a statutory maximum penalty of 2 years in prison to be served consecutively to any sentence imposed on the underlying count of wire fraud. Maximum sentences are rarely handed out, however.