The US has charged six people for using "SIM swapping" attacks to help them steal $2.4 million in cryptocurrency from various victims.

The six defendants were allegedly part of a hacking group called "The Community," which broke into several online cryptocurrency accounts and plundered the funds inside, according to an indictment unsealed on Thursday.

To break in, the suspects went beyond trying to crack passwords. They focused on taking over the mobile phone numbers of the people in control of the cryptocurrency accounts.

Mobile phone numbers are particularly valuable because they're often tied to your online accounts, particularly email. Forget a password, and the service provider can often send a one-time passcode to your phone number over SMS to help you unlock access. Many cryptocurrency platforms also use mobile phone numbers as a way to protect user accounts through two-factor authentication.

Unfortunately, the numbers can also be stolen. According to federal investigators, the hacking group pulled this off by sometimes impersonating the owner of a mobile phone number, and then tricking the cellular provider to transfer the number to a different smartphone.

At other times, the suspects resorted to bribing staffers at the cellular providers. In addition to Thursday's indictment, US attorneys unsealed a criminal complaint against three former mobile phone provider employees for allegedly helping the hacking group pull off the SIM-swapping attacks.

"Mobile phones today are not only a means of communication but also a means of identification," said US Attorney Matthew Schneider in a statement. "This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it."

The US is charging the six suspects with launching seven different attacks from December 2017 to May 2018, one of which allowed them to steal $1.9 million from a single victim. The stolen funds were then divided among the hacking group's members.

To protect yourself from SIM swapping, you can consider talking to your mobile phone provider about implementing a special passcode or PIN number needed to make significant changes to your account, including porting your phone number. Unfortunately, the security safeguards might not work in the event someone is able to bribe a mobile phone provider's employee into giving up access to your account.

Still, you can consider unlinking your mobile phone number from your most important online accounts. We also recommend substituting any SMS-based two-factor authentication with an authenticator app or hardware-based security key. To do this, you'll have to go into the security settings of your online accounts.

Further Reading

Security Reviews