First hacker convicted for SIM swapping gets 10 years in prison

A college student is facing 10 years in prison for stealing millions in cryptocurrency using a method called “SIM swapping.”

According to , 20-year-old Joel Ortiz of Boston accepted a plea deal for stealing more than $5 million in cryptocurrency from around 40 victims. Ortiz plead guilty to and was sentenced to 10 years in prison as part of his plea deal. 

Ortiz was able to steal the cryptocurrency through a hacking method known as SIM swapping. Krebs on Security has reported on of SIM swapping throughout the past few months.

Over the last year, a number of brazen SIM hijackers have been arrested, such as 21-year old who allegedly stole a million dollars in cryptocurrency. However, authorities say Ortiz is the first person to be convicted of a crime involving SIM swapping.

SIM swapping is a technique that mainly involves the social engineering of a target’s mobile phone provider. Using personal information obtained on their target, a hacker will attempt to convince the target’s mobile phone provider to port their phone number over to a SIM card belonging to the hacker. 

Once the swap occurs, the hacker has essentially hijacked their target’s mobile phone number. One-time passwords, verification codes, and two-factor authorization that goes through a user’s mobile device via phone call or text message gets sent to the hacker.

Email, bank, and cryptocurrency accounts have often been the targets of SIM swapping. Social media accounts have also see a rise in hijacking through this method. Over the past few months, there’s been a significant uptick in high-profile stolen through methods like SIM swapping.

Two-factor authorization has especially been upended by the practice of SIM card hijacking. Many forms of require a user to send an SMS message to their mobile devices when signing in to an account along with their password. The process was often sold as a must-enable security protocol which would eliminate most forms of hacking. SIM swapping has caused many security experts to re-strategize when it comes to authentication methods involving text messages.

The long-held assumption was that hackers may be able to guess your password, but they can’t remotely steal your physical mobile device too. Hackers proved that line of thinking wrong by showcasing how they don’t need to steal the actual device — just the mobile number will do.