Hackers Circle as Individual Investors Pour Cash Into Crypto

Rosa Maguina plowed a big chunk of her savings into cryptocurrency early this year, joining other individual investors trying to strike while bitcoin was hot. The funds vanished after a hacker hijacked her phone number for just two hours.

Ms. Maguina, who runs an events logistics business with her husband in Doral, Fla., said she was about to go to sleep on July 5 when she noticed her phone lost its signal. By the time Ms. Maguina’s service was restored, she said, an unauthorized user had changed her passwords for trading platforms Binance and Coinbase and initiated transactions that emptied her accounts of crypto valued at around $80,000 at the time.

“It was like someone coming through the window or backdoor into your house,” Ms. Maguina said. “You feel that there’s nothing you can do.”

Criminals have a history of stealing money from wealthy or well-known crypto investors through SIM swaps, or switching a phone number from one device’s subscriber identity module to another. But the crypto boom among mom-and-pop investors has led hackers to increasingly circle targets like Ms. Maguina, according to cybersecurity experts, lawyers and law-enforcement officials.

The attacks on small investors have sparked legal battles with cellphone carriers, led customers to change plans and pushed some telecom companies to tweak security measures. Law-enforcement agencies are trying to team up across jurisdictions in response to a broadening pool of potential victims. The Federal Communications Commission is honing rules for wireless carriers aimed at limiting SIM-swap fraud, proposing tighter restrictions on how they switch numbers between devices and carriers.

Some wireless companies say federal rules could make matters worse for consumers.

AT&T Inc. on Monday said the agency’s proposed regulations could give hackers a blueprint for attacks and add friction for legitimate customers who need to switch devices or carriers. AT&T said customers make hundreds of thousands of such requests a month. A fraction of 1% of them—potentially totaling thousands—are fraudulent, the company said.

“Carriers must be agile and innovative in fighting fraud and should not be anchored by prescriptive requirements tied to specific technologies or methods,” AT&T said.

The company warned against some measures floated by the FCC, such as notifications to phone users of SIM-swap requests and potential 24-hour delays to execute them.

Customers conduct SIM swaps when they take their numbers to new phones, while the related act of “porting out” switches numbers to different carriers. Hackers can impersonate phone users with various types of account information or personal data, said Kevin Lee, lead author of a 2020 Princeton University study on SIM swaps.

The process can take “no more than 10 minutes, barring the customer-hold music and stuff like that,” said Mr. Lee, whose team was able to exploit authorization measures for prepaid plans offered by AT&T, T-Mobile US Inc. and Verizon Communications Inc. Mr. Lee said most customers for the firms, which dominate the domestic wireless market, have postpaid plans that could have different security measures.

AT&T told the FCC that it uses data-analytics tools to gauge the risk of postpaid customers’ SIM-swap requests. A spokesman for Verizon said it requires postpaid customers to use a one-time passcode when attempting to switch to another carrier. T-Mobile allows customers requesting SIM swaps by phone to use their account PIN, a one-time passcode or two-factor authentication, a representative said. The firm discontinued the use of logs showing recent incoming or outgoing call numbers in its authentication process following the Princeton study.

US Mobile, an upstart New York-based carrier with about 150,000 customers, has prohibited SIM swaps by phone and directs customers to its app, where it can vet their internet-protocol addresses and biometric data, Chief Executive Ahmed Khattak said.

“A lot of these hacking things are happening because of social engineering,” he added, referring to hackers tricking or co-opting wireless employees.

Criminals use the hijacked phone numbers to access victims’ financial or social-media accounts, often duping multifactor authentication measures based on text messages. A British man in 2019 allegedly stole $784,000 from a crypto-infrastructure firm in New York using a SIM swap, according to an indictment unsealed this month. The man allegedly took over an executive’s phone number, accessed internal computer systems and transferred funds from a client’s digital wallet.

Hackers’ apparent shift toward individual investors has added a layer of complexity to ensuing investigations, said David Berry, an agent at React Task Force, a Bay Area investigative group focused on cybercrime.

“If you come to [prosecutors] with a $1 million loss, you’ll get their attention,” he said. “If you come to them with a $10,000 or $20,000 loss, you might not.”

Such losses can nevertheless be huge for investors like Richard Harris, an independent contractor in Philadelphia.

“It felt as if someone had taken my 401(k) or my Social Security,” he said.

Mr. Harris sued T-Mobile in July, alleging the company’s practices didn’t meet federal standards and allowed a hacker to take over his phone number in 2020 and steal bitcoin worth nearly $15,000 at the time, and more now.

T-Mobile declined to comment on the suit but motioned to move the case to arbitration. Like Verizon and AT&T, the company requires arbitration to resolve disputes in its terms of service, often leading to closed-door settlements.

Amid mounting complaints, the FCC in September proposed regulations mandating wireless companies verify users’ passwords or send one-time passcodes. The rules would also require companies to tighten procedures for changing lost or stolen passwords, and restrict what data employees could divulge by phone or in stores.

An official for the FCC, which warns that consumer data breaches can give fraudsters information they need for SIM swaps, said the rule making could take several months.

Wireless industry trade group CTIA called for flexibility in the regulations and urged financial institutions and social-media companies to similarly bolster how they verify users.

Coinbase, the largest U.S.-based cryptocurrency exchange, uses machine-learning models to predict risks to users who request password changes, restricting trades on suspicious accounts, a company official said. Real-time SIM-swap data from carriers would help Coinbase’s screening process, the official added, but not all providers share information quickly. He declined to name them.

The official said Coinbase’s account-takeover rate has remained consistent as the platform has gained users, declining to provide detailed numbers. Binance, the world’s largest crypto exchange, didn’t respond to a request for comment.

Since Ms. Maguina’s phone number was taken over on July 5, bitcoin has climbed more than 70% in price to about $59,000 apiece as of Saturday.

“I don’t follow it anymore,” the 53-year-old said. “I don’t need to make this worse than what it is.”

Write to David Uberti at david.uberti@wsj.com

Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.