The Ministry of Internal Affairs and Group-IB have detained the organizers of a criminal group that specialized in re-issuing SIM cards and stealing money from customers of Russian banks. The group operated for several years, the damage from its activities is estimated at tens of millions of rubles, and its victims included even people who were in prison.
Group-IB researchers recall that SIM reissue fraud peaked in 2017-2018: attackers hijacked the Instagram accounts, instant messengers and mailboxes of famous bloggers, entrepreneurs, and show business and sports stars, and then extorted a ransom for returning access. Such attacks are also often used to steal large amounts of money in cryptocurrency and from victims' bank accounts, since intercepting 2FA codes becomes trivial once the attacker controls the number.
One of the criminal groups specialized in VIP clients of Russian banks. To collect information about a victim, the fraudsters used special “lookup” (“probiv”) services offered on Telegram channels or on underground hacker forums. As a rule, the owners of such services have established contacts with bank insiders who hold a high level of access, so they could obtain in real time not only the client's personal data but also information about the state of the client's bank account.
At the next stage, the scammers used an employee of an underground SIM card recovery service, which is also a rather popular offering in the shadow segment of the Internet. Having made a fake power of attorney (the form costs about 1,500 rubles on the forums; they also use fake stamps or print the forms on a color printer), the woman had the SIM card reissued in mobile phone shops in Moscow and the Moscow Region. As identification, she used a fake driver's license.
Immediately after the clone SIM card was activated, the victim lost cellular service, and at that moment the new holder of the SIM card sent the bank requests for one-time access codes for mobile Internet banking. In a number of cases, the fraudsters' accomplice did not even bother to hand over the SIM card: she simply forwarded the received codes or dictated them by phone. The money (an average of 50,000-100,000 rubles) was withdrawn from the victim's account to third-party accounts and cashed out in other cities, for example in Samara, through a chain of transactions.
While in 2017-2018 the criminals withdrew large sums almost instantly, from 2019, after the banks intensified their fight against fraud, it took more time: the fraudsters could make transactions only a day after the SIM card was re-issued.
For this reason, the fraudsters began to choose victims from among wealthy people who were in prison. The prerequisite was that the victim had money in the account and mobile banking enabled. Experts note that in FSIN institutions, those under investigation and convicts are, of course, forbidden to use cellular communications, yet there are known cases not only of smartphones being “smuggled” behind bars but also of entire prison call centers operating, which led to a joint initiative of the Ministry of Internal Affairs, the FSB and the FSIN to block cellular communications in places of imprisonment.
Numerous cases of theft of money from customers of Russian banks prompted an inquiry and the opening of a criminal case. In the course of the investigation, officers of the Moscow MUR identified the organizers of the criminal group and brought in experts from Group-IB.
Two organizers of the group were detained in Solntsevo and Kommunarka, and their accomplice from the “SIM card recovery service” in the Moscow Region. Another group member, involved in cashing out, was caught in Samara. It is noteworthy that one of the members of the criminal group had been tried for similar fraud involving the re-issuance of SIM cards in 2014-2015, but once at large again, he returned to his previous trade.
During the search, operatives and Group-IB specialists found numerous SIM cards, laptops, smartphones and push-button “dialer” phones, fake documents (passports and driver's licenses), as well as bank cards with SIM cards linked to them, to which the stolen money was sent.
To store confidential information, the scammers used crypto-containers on flash drives. The detainees have already confessed; they were charged under Part 4 of Article 159 of the Criminal Code of the Russian Federation (Fraud). The case covers several episodes, the number of victims is growing, and the total damage from the group's actions is already estimated at several tens of millions of rubles.
“Unlike well-known schemes with telephone fraud – vishing, when villains try to get a CVV or SMS code from a victim, the scheme with re-issuing SIM cards is not so massive and is primarily aimed at respectable wealthy clients. More and more banks are agreeing with cellular operators on exchanging data to counter fraud: in the event of a re-issue of a SIM card, mobile banking is temporarily blocked and separate online banking is required, but this rule is not yet valid for everyone,” comments Sergey Lupanin, head of the investigations department at Group-IB.