Five U.S. citizens and one from Ireland connected to a hacking group known to its members as “The Community” ended up charged in a fifteen count indictment with conspiracy to commit wire fraud, wire fraud and aggravated identity theft.
In addition, a criminal complaint was unsealed charging three former employees of mobile phone providers with wire fraud in relation to the conspiracy, said United States Attorney Matthew Schneider.
Charged in the indictment were: Conor Freeman, 20, of Dublin, Ireland; Ricky Handschumacher, 25 of Pasco County, Florida; Colton Jurisic, 20 of, Dubuque, Iowa; Reyad Gafar Abbas, 19, of Rochester, New York; Garrett Endicott, 21, of Warrensburg, Missouri, and Ryan Stevenson, 26, of West Haven, Connecticut.
Charged in the criminal complaint were: Jarratt White, 22 of Tucson, Arizona; Robert Jack, 22 of Tucson, Arizona, and Fendley Joseph, 28, of Murrietta, California.
The men are members of “The Community” and participated in thefts of victims’ identities in order to steal cryptocurrency via a method known as “SIM Hijacking,” according to the indictment. Cryptocurrencies, also known as virtual currencies or digital currencies, are online media of exchange. The most famous of these is Bitcoin. Like traditional currency, they act as a store of value and can be exchanged for goods and services. They can also be exchanged for dollars.
“SIM Hijacking” or “SIM Swapping” is an identity theft technique that exploits a common cyber-security weakness – mobile phone numbers. This tactic enabled “The Community” to gain control of victims’ mobile phone number, resulting in the victims’ phone calls and short message service (“SMS”) messages being routed to devices controlled by “The Community,” according to the indictment. “SIM Hijacking” was often facilitated by bribing an employee of a mobile phone provider. Other times, SIM Hijacking was accomplished by a member of “The Community” contacting a mobile phone provider’s customer service — posing as the victim — and requesting the victim’s phone number be swapped to a SIM card (and thus a mobile device) controlled by “The Community.”
Once “The Community” had control of a victim’s phone number, the phone number was leveraged as a gateway to gain control of online accounts such as a victim’s email, cloud storage, and cryptocurrency exchange accounts, according to the indictment. For example, “The Community” would use their control of victims’ phone numbers to reset passwords on online accounts and/or request two-factor authentication (2FA) codes that allowed them to bypass security measures.
The members of “The Community” charged in the indictment gained control of victims’ cryptocurrency wallets or online cryptocurrency exchange accounts in an effort to steal victims’ funds, according to the indictment. The defendants executed seven attacks that resulted in the theft of cryptocurrency valued at approximately $2,416,352, according to the indictment.
White, Jack and Joseph were employees of mobile phone service providers and helped members of “The Community” steal the identities of subscribers to their employers’ services in exchange for bribes, officials said.
“Mobile phones today are not only a means of communication but also a means of identification,” Schneider said. “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it.”
“The allegations against these defendants are the result of a complex cryptocurrency and identity theft investigation led by Homeland Security Investigations, which spanned two continents,” said Acting Special Agent in Charge Angie Salazar of U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI) Detroit. “Increasingly, criminal groups are turning exclusively to web-based schemes to further their illicit activities, which is why HSI has developed capabilities to meet these threats head on.”
If convicted on the charge of conspiracy to commit wire fraud, each defendant faces a statutory maximum penalty of 20 years in prison. The charges of wire fraud each carry a statutory maximum penalty of 20 years in prison. A conviction of aggravated identity theft in support of wire fraud carries a statutory maximum penalty of 2 years in prison to be served consecutively to any sentence imposed on the underlying count of wire fraud.