A University of California San Diego student named Richard Yuan Li was charged Aug. 26 with a SIM-swapping scheme that involved stealing phone numbers and accounts and extorting at least 40 people for cryptocurrency and other payments, according to a new release that the US Department of Justice shared on Monday.
According to the indictment (PDF), Li convinced Apple customer service in 2018 to send him a replacement iPhone 8 for an iPhone he claimed was lost in the mail. Li and others then persuaded carriers to port victims’ phone numbers to the iPhone 8 to take control of their accounts — and in some cases emptied their crypto wallets right away.
“Li and his co-conspirators contacted the victims and demanded that they pay a ransom to prevent further damages, including additional account compromises, the loss of additional cryptocurrency, and the disclosure of confidential victim information obtained by the conspirators,” the writes wrote. the DOJ.
If Li is convicted of all charges, including wire fraud, aggravated identity theft, and “conspiracy to engage in interstate communications with the intent to extort and commit computer fraud and abuse,” he could serve 20 years in prison and pay a fine of up to $ 250,000, among other possible costs.
SIM swapping is the practice of stealing someone’s identity by taking their phone number. Typically, unsuspecting victims’ numbers are transferred to burner phones – often by asking carriers to do so – and then scammers use those phones to impersonate the victim and seize control of their online accounts. The case of Li is an unfortunate reminder of how common SIM swapping is. In 2019 it even happened to Twitter CEO Jack Dorsey.
Phone numbers are the main ingredient for identity theft and have a lot to do with the usual way two-factor authentication is set up. Many online services offer two-factor authentication by default, but use a mobile phone as a second method of identifying someone. With stolen phone numbers, that can just as well become a foothold to take over someone’s account.