Telecoms Manager Admits to Taking Bribes to Help Carry Out SIM Swapping Attacks

A New Jersey man faces five years in prison after taking hefty bribes and commissions to help cybercriminals in SIM swapping attacks.

Cybercriminals use SIM swapping, or SIM jacking, to port a victim’s number to a SIM card in their control and take over their accounts by intercepting two-factor authentication codes.

Attackers typically use a telecom insider to do this.

Jonathan Katz, aka “Luna,” 42, of Marlton, New Jersey, acted as such an insider while working at an unnamed telecommunications company from Burlington County, according to the US Department of Justice.

In May of 2021, Katz swapped some customers’ numbers into phones controlled by others, for $1,000 per swap, facilitating account takeovers, including email, social media, and cryptocurrency accounts, according to the DOJ.

“Katz was employed as a manager at a telecommunications store and accessed several customer accounts by using managerial credentials,” reads the announcement. “Katz swapped the SIM numbers associated with the customers’ phone numbers into mobile devices controlled by another individual, enabling this other individual to control the customers’ phones and access the customers’ electronic accounts.”

In exchange for the swaps, Katz was paid in Bitcoin, which was traced back to Katz’s cryptocurrency account, leading to his arrest.

Court documents say Katz helped his co-conspirators victimize five customers of the telecoms company, receiving $5,000 ($1,000 per SIM swap) plus an unspecified percentage of the profits earned from the account takeovers.

He is charged with one count of “conspiracy to gain unauthorized access to a computer” which carries a maximum of five years in prison and a fine of $250,000, or twice the proceeds gained from his actions, whichever greater.

Katz is scheduled for sentencing in July.

SIM swapping attacks exploit a weakness in the practice of asking a telecoms provider to port a number to a new SIM card – i.e. in case of device theft or loss.

At Bitdefender, we recommend you move away from SMS-based multi-factor authentication and instead adopt a trusted authenticator app, which makes it much harder for bad actors to intercept one-time authentication codes to your accounts. For peace of mind, consider also using a dedicated security solution on all your personal devices, including your phone.