Overview
In a coordinated international operation, Poland's Cybercrime Bureau (CBZC) has arrested four members of an organized cybercrime group responsible for a prolific SIM-swapping campaign targeting cryptocurrency holders. The operation, conducted in partnership with the FBI and Homeland Security Investigations (HSI), dismantled a scheme that netted the gang tens of millions of Polish złoty — estimated at over $5 million USD — in stolen cryptocurrency.
Attack Methodology
The group exploited a combination of specialized software and social engineering techniques to carry out their attacks:
- Telecom Partner Infiltration: Attackers breached telecommunications partner systems, gaining access to internal networks and employee email accounts.
- SIM Hijacking: Using their access, the gang executed SIM swaps — transferring victims' phone numbers to attacker-controlled SIM cards.
- SMS Interception: With control of the victim's phone number, the attackers intercepted SMS-based two-factor authentication codes.
- Crypto Exchange Account Takeover: Using intercepted 2FA codes, the group accessed victims' cryptocurrency exchange accounts and drained funds into attacker-controlled wallets and international bank accounts.
The gang treated this operation as a regular income source, systematically targeting victims over an extended period before law enforcement caught up.
Arrests and Charges
Four individuals were taken into custody and placed in pre-trial detention. One identified suspect, Wojtek Kulisz (alias "Merry"), was among those named by authorities. The suspects face charges related to:
- Unauthorized access to telecommunications systems
- Account hijacking and identity fraud
- Cryptocurrency theft
- Money laundering
These charges carry a potential sentence of up to 25 years imprisonment under Polish law.
Defensive Takeaways
This case underscores the continued vulnerability of SMS-based authentication to SIM-swapping attacks. Key mitigations for organizations and individuals:
- Move away from SMS 2FA — use authenticator apps (TOTP) or hardware security keys (FIDO2/WebAuthn) wherever possible
- Enable account PIN locks on mobile carrier accounts to prevent unauthorized SIM swaps
- Use carrier-level SIM lock features (port freeze, account PINs) to add friction to attacker-initiated SIM swaps
- Monitor for sudden loss of cellular service, which can signal an in-progress SIM swap
- Cryptocurrency exchanges should implement velocity checks and cooling periods on withdrawals following authentication changes
International Cooperation
The operation highlights the increasing effectiveness of cross-border law enforcement collaboration in tackling cybercrime. The FBI and HSI's involvement reflects the international scope of the victims and the money flows, with stolen funds distributed across multiple countries and digital wallets.