A Hamilton, Ont. youth has been arrested in connection with a large digital currency theft estimated to be around $46 million, according to police.
The joint investigation, which dates back to March 2020, involves the Federal Bureau of Investigations (FBI) and the United States Secret Service, which probed a cryptocurrency theft from a single person located in the United States.
Investigators say the fraud is tied to account takeovers targeting security weaknesses in two-step verification protocols used in mobile phones.
“The victim had been targeted by a SIM swap attack, a method of hijacking valuable accounts by manipulating cellular network employees to duplicate phone numbers so threat actors can intercept two-factor authorization requests,” Hamilton police (HPS) said in a release on Thursday.
“As a result of the SIM swap attack, approximately $46 million (CAD) worth of cryptocurrency was stolen from the victim.”
Technology journalist Carmi Levy told Global News that SIM swap attacks are very simple but “devastating” in terms of the cyber attacks that exists.
He says it starts when a perpetrator gets basic personal information harvested from social media or via a simple phone call to the potential victim.
“Then what they’ll do with that information, is call your phone provider and pretend to be you using all that information,” Levy said.
“You know, the street where you grew up, your mother’s maiden name and things like of birth, and they’ll try to convince the phone company that they are in fact you.”
HPS says the incident is the biggest cryptocurrency theft reported from one person in Canada.
Multiple cryptocurrency seizures of $7 million (value as of Nov. 17) were made amid the arrest.
Investigators say the suspect was tracked down after some of the digital currency was used to purchase a rare username in a gaming community.
The youth, whose name cannot be revealed under the Youth Criminal Justice Act, is facing a charge for theft over $5,000 and possession of property obtained by crime.
Levy says watching what one shares on social media and avoiding unsolicited online subscriptions or surveys is a good starting point to avoid a potential cyber theft.
“Clean up your profile as well to make sure no one harvests that information from you and then practice a safe password protocol with hard to guess passwords,” said Levy.
“Change them frequently and never use the same password for multiple systems.”