SIM swap scammer pleads guilty to Instagram account hijacks, crypto theft

Declan Harrington, a Massachusetts man charged two years ago for his alleged involvement in a series of SIM swapping attacks, pleaded guilty to stealing cryptocurrency from multiple victims and hijacking the Instagram account of others. 

SIM swapping (aka SIM hijacking) attacks make it possible for malicious actors to take control of their targets’ mobile phone numbers by tricking or bribing employees of mobile phone service providers to reassign the numbers to attacker-controlled SIM cards.

This allows the crooks to completely take control of victims’ phone numbers and use them to bypass SMS-based multi-factor authentication (MFA), steal credentials, and hijack online accounts.

Swim swap and death threat combo

Harrington was charged with Eric Meiggs in November 2019 for targeting the owners of high-value (‘OG’ or ‘Original Gangster’) Instagram and Tumblr accounts.

They also went after cryptocurrency companies’ executives and several other targets with significant quantities of cryptocurrency in their Coinbase or Block.io wallets.

In all, through multiple SIM swapping attacks and death threats, the two defendants stole more than $530,000 worth of cryptocurrency from at least ten victims across the US and took control of multiple OG social media accounts.

According to court documents, tactics and methods allegedly used by the two defendants during their attacks included:

• Identifying potential victims who likely had significant amounts of cryptocurrency and researching the potential victims using online tools.
• Engaging in “SIM swapping” in order to take control of victims’ cell phone numbers.
• Leveraging the victims’ hijacked phone numbers to gain unauthorized access to their online accounts, including email accounts, social media accounts, and cryptocurrency accounts.
• Using their access to victims’ accounts to take over and steal their account handles and their cryptocurrency.
• Selling or otherwise transferring victims’ log-in credentials, account handles, and cryptocurrency.
• Using victims’ hacked online accounts to ask for money and cryptocurrency from victims’ friends and families.
• Using multiple online accounts to hide their identities and evade detection by law enforcement.

Meiggs, Harrington’s co-conspirator, also pleaded guilty on April 28, 2021, and is scheduled to be sentenced next year, on May 24. A sentencing date for Harrington is yet to be scheduled by the Court.

How to protect against SIM swapping attacks

The US Federal Trade Commission (FTC) issued guidance on how to protect against SIM swapping attacks in October, listing the following list of protection measures:

• Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. 
• Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites.
• Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. 
• Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use multi-factor authentication (MFA), keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.

The FBI issued a SIM swapping alert with guidance on defending against such attacks after warning of an increase in the number of SIM jacking attacks.

The FTC also provides detailed guidance on how to secure personal information on your phone and keep personal info secure online.