Joel Ortiz is believed to be the first person in the USA to be convicted of ‘SIM swapping’
The college student from Massachusetts was arrested in California last year at Los Angeles International Airport, apparently on his way to Europe. He was indicted on 28 charges overall (3 counts of identity theft, 13 counts of hacking, and 2 counts of grand theft). He recently accepted a plea deal of 10 years in prison, but it is not yet known which charges he pled guilty to.
Ortiz is thought to be part of a group of criminals who stole over $5 million in cryptocurrency.
‘SIM swapping’ is an act of fraud in which a criminal tricks a telephone provider into moving the target’s phone number to a SIM card the criminal controls. After this, the criminal can break into accounts (such as cryptocurrency accounts) or change or reset passwords for accounts that use the telephone number for authorisation.
Ortiz is accused of being a prolific member of the SIM hacking community, targeting cryptocurrency accounts but also hacking social media accounts to sell for bitcoin. He was a member of OGUSERS, a website where members trade valuable Twitter and Instagram accounts (Ortiz apparently owned a number of one-letter Twitter and Instagram accounts, which are extremely rare as they would have to have been made when the company started).
In one attack Ortiz targeted a cryptocurrency entrepreneur and stole $1.5 million. “I looked at my phone and it was dead,” the entrepreneur told Motherboard. He was aware of what was happening, as it had happened to a friend of his the day before: “We were having a meeting and all of a sudden he says ‘fuck my phone just stopped working.’” He later texted him to say “My fucking SIM got hacked.”
Ortiz was eventually caught when one victim, an investor involved in blockchain projects, told police that hackers had stolen his phone number. This started a police investigation.
Ortiz hijacked the victim’s phone twice, reset his email and cryptocurrency accounts and added his own two-factor authentication. He even harassed the victim’s daughter, telling her to ‘TELL YOUR DAD TO GIVE US BITCOIN’.
Investigators served a warrant on AT&T and found that the victim’s number had been used on two Samsung phones (which the victim did not have) on the day he was hacked. The phones were identified by their IMEI numbers, and a new warrant was issued to Google for data related to the phones. Investigators found several email accounts and, by searching these accounts, found a photo of Ortiz holding up his I.D. (attached), linking him to the account. They also found suspicious and criminally linked activity, such as tutorials uploaded to YouTube on exploiting social media and phone company websites, and the purchase of the domain www.tw-tter.com, thought to be used in phishing attacks.
The investigators issued another warrant to AT&T to find ‘any and all accounts’ linked to his phone and found 40 possible victims. A warrant on the cryptocurrency exchanges he used found that he had moved over $1 million worth of various cryptocurrencies.
Ortiz will be formally sentenced at a hearing on March 14th.