At a conference in Midtown Manhattan last May, Seth Shapiro watched his life’s savings disappear in a matter of minutes. He later learned from detectives that a group of hackers had seized control of his cellphone, striking from hundreds of miles away by using a technique called “SIM swapping” to access Shapiro’s phone remotely, and drained an encrypted digital wallet of nearly $2 million in cryptocurrency.
“That was probably the worst moment in my life,” Shapiro said. “I just sat there … knowing that everything we had was gone.”
In a case watched closely by cryptocurrency investors, hackers, and law enforcement officials alike, one of the hackers arrested in connection to Shapiro’s case, Joel Ortiz, 21, was sentenced last month in Santa Clara County to 10 years in prison after pleading guilty to his role in a string of cyber heists. Prosecutors say those heists involved several different hackers operating from around the country and netted a total of nearly $18 million in stolen money and assets.
Ortiz, prosecutors say, is the first so-called SIM swapper to be sentenced to prison time in the United States. They say he is only a small part of a new wave of young hackers, some as young as 15-years-old, who have ripped off more than 800 victims to the tune of $50 million since early 2018. And, authorities say, there are many more hackers who have not been caught who continue to seek ways to steal through SIM swapping.
“It’s a nationwide epidemic,” said Santa Clara County Deputy District Attorney Erin West, who prosecuted the case against Ortiz and has four other SIM-swap cases currently pending in Santa Clara County Superior Court. “It is young kids, who haven’t had jobs, who have figured out a sneaky way, from their homes, in their pajamas, of how to steal your money.”
West says the San Francisco Bay Area has been hit especially hard by SIM swap scams, where more than 50 victims who have been hit for $35 million. She says the culprits are typically young, decentralized groups of hackers who can steal millions in mere minutes from just about anywhere in the world.
Despite the threat, NBC Bay Area found that there are few formal, concerted law enforcement efforts to target and stop SIM swap theft.
One exception is the REACT Task Force, based in San Jose. REACT, Santa Clara County’s multijurisdictional cybercrimes team, took on their first SIM swap case in March 2018 and haven’t slowed down since. REACT includes representations from federal, state and local law enforcement agencies. The lead detectives on REACT come from the Santa Clara County Sheriff’s Office, and West serves as the lead prosecutor on the team. SIM swap investigations have taken the REACT task force across the country, from the Bay Area to Oklahoma City to Midtown Manhattan, and detectives say other cases may even take them overseas.
“We will find you, we will drag you out in your pajamas, and we will seize those assets that you have stolen from the victims of Santa Clara County,” West said.
How it Works
Detectives call SIM swapping a new twist on an old con. Cyber thieves first hijack your mobile phone number by getting your phone carrier to electronically switch the SIM card in your phone to a SIM card they control. Court records show hackers typically pull this off by impersonating the victim or by bribing an employee at the phone company. Once the SIM swap is pulled off, the victim loses cell service because the phone falls under the hackers’ control.
At that point, hackers can begin changing the passwords to victims' email, social media, banking, or cryptocurrency accounts by exploiting two-factor authentication, which typically sends a verification code to the victim’s phone, now controlled by the hackers.
According to court records and law enforcement officials who spoke with NBC Bay Area, hackers have set their sights on potential victims who maintain large amounts of cryptocurrency or other electronically accessible assets, such as Shapiro. Hackers learn which victims may have cryptocurrency stashed away in digital wallets by following those potential victims through social media, blog posts and internet chat rooms. In some cases, hackers obtained rosters of attendees at cryptocurrency conferences in search of potential targets.
“It’s a major new way of doing an old crime,” West said. “It’s a new way of stealing all your money.”
Detectives say the loose networks of hackers working together to commit SIM-swap crimes often began as virtual friendships formed over years of playing online video games together as kids. The hackers are typically young men, ranging in age from teenagers to early 20s. Most are males, many with no criminal history before their foray into cybercrime, according to detectives.
“The culture is fascinating,” said Samy Tarazi, a sergeant with the Santa Clara County Sheriff’s Office assigned to the REACT Task Force. “A lot of these guys have known each other for years. Before they were ever criminals; before they had any criminal thoughts in their mind, they were just playing games together, some as early as 12-years-old.”
They come from all backgrounds, all walks of life. Ortiz, for instance, was raised by a single mom in Boston public housing. According to his attorney, Ortiz was diagnosed with autism, but rose to the top of his high school class before enrolling at Boston University.
West has four other SIM-swap cases pending in Santa Clara County, including Kalvin Ung, accused of stealing $500,000 in cryptocurrency while living above his parents’ doughnut shop in Fresno, and Nicholas Truglia, accused of stealing more than $24 million, including $1 million from San Francisco resident Robert Ross. The REACT Task Force arrested Truglia at his apartment in Midtown Manhattan. Both Ung and Truglia entered not-guilty pleas and have, so far, declined to be interviewed.
“They don’t care about the damage they are doing to other people’s lives,” Ross said.
Detectives say many accused SIM swap hackers haven’t been subtle with their stolen loot. Before Tarazi arrested Ortiz, who was decked out in Gucci clothing and carrying wads of cash, last year at LAX, Tarazi says Ortiz and his friends had been partying at Las Vegas nightclubs and had spent $150,000 for a monthlong Airbnb rental at a swanky home in the Hollywood Hills. Tarazi says they posted videos of their exploits spending the stolen money on social media.
One video shows Ortiz and his friends pouring expensive bottles of champagne on $50,000 watches at a Las Vegas nightclub.
“It definitely makes it look all the worse when you see images of them wasting money, and that’s what they were doing. But they’re kids,” said Dennis Dawson, Ortiz’s attorney.
Dawson said his client got a harsh deal for a nonviolent offense because the court system wanted to make an example of Ortiz as the first defendant to be sentenced strictly for a SIM-swap cryptocurrency theft in the United States. Dawson advised Ortiz not to agree to an interview because of potential charges in other jurisdictions that he might face. But Dawson agreed to speak for his client in the Santa Clara County case.
Ortiz’s criminal sentence “shouldn’t have been 10 years,” Dawson said. “Not even close.”
“As Joel explained [in his apology letter], he doesn’t have any friends,” Dawson said. “He just has internet friends. So, this (cryptocurrency theft) seemed cool, they were including him, and I think those are the factors the court should have taken into consideration.”
But some of Ortiz’s victims say 10 years in prison isn’t long enough.
“It’s been very hard on the kids,” said Shapiro’s wife, Ann Marie Michaels. “It’s been very hard on our marriage. There’s been many times where we didn’t know if we were going to make it.”
Authorities were only able to recover $75,000 of Shapiro’s money. The rest has been spent, or as Shapiro believes, stashed away in a digital hiding place where authorities will never find it.
The REACT Task Force says it continues to search for assets stolen by hackers. But cryptocurrency is hard to trace, making that a difficult task.
Detectives say they’re pursuing more cases that haven’t yet been charged. Meanwhile, federal authorities in Michigan just indicted nine suspected hackers earlier this month who they say are part of the hacker group known as The Community. In addition, they charged three former employees of mobile phone providers who they accused of aiding the alleged hackers.