Former mobile carrier worker sentenced for role in SIM-swapping attacks

A former mobile carrier employee has been sentenced for his role in a SIM-swapping conspiracy that targeted at least nineteen people. Florida resident Stephen Defiore accepted bribes of around $500 each time he swapped a customer’s SIM.

The US Department of Justice (DoJ) writes that Defiore accepted multiple bribes for performing the switches. SIM swapping usually requires some form of social engineering, but it can be carried out far more easily if criminals involve cellular provider employees, as was the case here.

Once a victim’s phone number has been ported to another SIM, all their calls and texts go to that SIM. One of the main reasons cybercriminals do this is to intercept two-factor authentication (2FA) texts that allow access to secure services such as banks and crypto wallets.

The SIM swapping incidents occurred between 2017 and 2019 while Defiore was a sales representative for an unnamed carrier. In each incident, a co-conspirator sent Defiore a customer’s phone number, a four-digit PIN, and a SIM card number to which the number was to be swapped. He received a total of $2,325 for his actions across a series of twelve payments.

How SIM-swapping attacks are usually carried out when carrier employees aren’t involved

It’s noted that one of the victims had their number swapped to a SIM card in an Apple iPhone 8 that was in the possession of Richard Li, who was charged for his role in the offense in June 2020 and was charged in a superseding indictment in August 2021.

Defiore pleaded guilty to one count of conspiracy to commit wire fraud. He was sentenced on October 19 and will serve three months’ probation and a year of home confinement, and must perform 100 hours of community service. He must also pay $77,417.50 in restitution, along with a mandatory special assessment fee of $100.

SIM swapping remains a prevalent crime. In 2018, it was reported that a 20-year-old college student hacked 40 phones and stole $5 million using the technique—he later received a 10-year plea deal. There was also the case of an investor who tried to sue AT&T for $224 million over a $24 million theft of his cryptocurrency, but a judge threw out the case.

According to a report by Princeton researchers last year, five of the largest US carriers are doing little to protect you from SIM swapping attacks.