The SIM Hijackers
Meet the hackers who flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victims’ weakness? Phone numbers.
Rachel did what most people would have done in that situation: she turned the phone off and on again. It didn’t help.
She walked upstairs and told her husband Adam that her phone wasn’t working. Adam tried to call Rachel’s number using his cell phone. It rang, but the phone in Rachel’s hands didn’t light up. Nobody answered. Rachel, meanwhile, logged into her email and noticed someone was resetting the passwords on many of her accounts. An hour later, Adam got a call.
“Put Rachel on the phone,” demanded a voice on the other end of the line. “Right now.”
Adam said no, and asked what was going on.
“We’re fucking you, we’re raping you, and we’re in the process of destroying your life,” the caller said. “If you know what’s good for you, put your wife on the phone.”
“We’re going to destroy your credit,” the person continued, naming some of Rachel and Adam’s relatives and their addresses, which the couple thinks the caller obtained from Rachel’s Amazon account. “What would happen if we hurt them? What would happen if we destroyed their credit and then we left them a message saying it was because of you?”
The couple didn’t know it yet, but they had just become the latest victims of hackers who hijack phone numbers in order to steal valuable Instagram usernames and sell them for Bitcoin. That late summer night in 2017, the Ostlunds were talking to a pair of these hackers who’d commandeered Rachel’s Instagram, which had the handle @Rainbow. They were now asking Rachel and Adam to give up her @Rainbow Twitter account.
In the buzzing underground market for stolen social media and gaming handles, a short, unique username can go for between $500 and $5,000, according to people involved in the trade and a review of listings on a popular marketplace. Several hackers involved in the market claimed that the Instagram account @t, for example, recently sold for around $40,000 worth of Bitcoin.
By hijacking Rachel’s phone number, the hackers were able to seize not only Rachel’s Instagram, but her Amazon, eBay, PayPal, Netflix, and Hulu accounts too. None of the security measures Rachel took to secure some of those accounts, including two-factor authentication, mattered once the hackers took control of her phone number.
“That was a very tense night,” Adam remembered. “I can’t believe they had the gall to call us.”
AN OVERLOOKED THREAT
In February, T-Mobile sent a mass text warning customers of an “industry-wide” threat. Criminals, the company said, are increasingly utilizing a technique called “port out scam” to target and steal people’s phone numbers. The scam, also known as SIM swapping or SIM hijacking, is simple but tremendously effective.
First, criminals call a cell phone carrier’s tech support number pretending to be their target. They explain to the company’s employee that they “lost” their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering—perhaps by providing the victim’s Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years)—the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card.
“With someone’s phone number,” a hacker who does SIM swapping told me, “you can get into every account they own within minutes and they can’t do anything about it.”
From there, the victim loses service, given only one SIM card can be connected to the cell phone network with any given number at a time. And the hackers can reset the victim’s accounts and can often bypass security measures like two-factor authentication by using the phone number as a recovery method.
Certain services, including Instagram, require that users provide a phone number when setting up two-factor, a stipulation with the unintended effect of giving hackers another method of getting into an account. That’s because if hackers take over a target’s number, they can skirt two-factor and seize their Instagram account without even knowing the account’s password.
its, like the time he hacked into the email account of CloudFlare’s CEO in 2012. Taylor, who now works at security firm Path Network, told me that having a phone number linked to any of your online accounts makes you “vulnerable to basically 13- to 16-year-old kids taking over your accounts just by taking over your phone within five minutes of calling your fucking provider.”
“It happens all the time,” he added.
Roel Schouwenberg, the director of intelligence and research at Celsus Advisory Group, has done research on issues like SIM swapping, bypassing two-factor authentication, and abusing account recovery mechanisms. In his opinion, no phone number is completely safe, and consumers need to realize that.
“Any type of number can be ported,” Schouwenberg told me. “A determined and resourced criminal actor will be able to get at least temporary access to a number, which is often enough to successfully complete a heist.”
That’s troubling because cell phone numbers have become “master keys” to our whole online identity, as he argued in a blog post last year.
“Most systems aren’t designed to deal with attackers taking over phone numbers. This is very, very bad,” Schouwenberg wrote. “Our phone number has become an almost irrevocable credential. It was never intended as such, just like Social Security Numbers were never meant as credentials. A phone number provides the key to the kingdom for most services and accounts today.”
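The “master key” effect described above can be checked against an account inventory. The sketch below is an added example, not part of the original article: it models each account as a list of alternative login or recovery paths and computes which accounts fall to whoever holds the phone number, including accounts reached indirectly through an email reset. The account names, factor names and paths are constructed for illustration and do not describe any real service.

```python
from typing import Dict, List, Set

# account name -> alternative ways in; each way is a set of factors that must ALL be held
Paths = Dict[str, List[Set[str]]]

# Constructed inventory (assumption). "acct:email" means control of the email
# inbox, which is how password-reset links are received.
ACCOUNTS: Paths = {
    "email":     [{"email_password", "email_totp"}, {"phone_number"}],      # SMS recovery
    "photo_app": [{"photo_password", "phone_number"}, {"phone_number"}],    # SMS 2FA + SMS reset
    "shop":      [{"shop_password"}, {"acct:email"}],                       # reset link by email
    "payments":  [{"pay_password", "phone_number"}, {"acct:email", "phone_number"}],
    "bank":      [{"bank_password", "hardware_key"}],                       # no phone path
}


def exposed_accounts(accounts: Paths, held: Set[str]) -> Set[str]:
    """Accounts that fall to someone holding `held`, following reset chains."""
    held = set(held)
    taken: Set[str] = set()
    changed = True
    while changed:  # repeat until no new account can be taken (fixed point)
        changed = False
        for name, paths in accounts.items():
            if name not in taken and any(path <= held for path in paths):
                taken.add(name)
                held.add("acct:" + name)  # a taken account may unlock others
                changed = True
    return taken


def drop_single_factor_paths(accounts: Paths, factor: str) -> Paths:
    """Mitigation: remove every path where `factor` alone is sufficient."""
    return {name: [p for p in paths if p != {factor}]
            for name, paths in accounts.items()}


if __name__ == "__main__":
    ported = {"phone_number"}  # what a SIM swap gives away
    print("before:", sorted(exposed_accounts(ACCOUNTS, ported)))
    hardened = drop_single_factor_paths(ACCOUNTS, "phone_number")
    print("after: ", sorted(exposed_accounts(hardened, ported)))
```

In this constructed inventory the number still serves as a second factor after the change; what disappears is every path where it is the only factor required.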
What hackers do once they have control of your phone number depends on precisely what they’re after.
‘I TAKE THEIR MONEY AND LIVE MY LIFE’
If your bike gets stolen, you should check Craigslist to see if someone is selling it on the black market. If your Instagram account gets stolen via a SIM swap, you should check OGUSERS.
At first glance, OGUSERS looks like any other forum. There’s a “spam/joke” section and another for chatting on topics like music, entertainment, anime, and gaming. But the largest and most active section is the marketplace where users buy and sell social media and gaming handles—sometimes for thousands of dollars.
In a recent post, someone sold the Instagram account @Bitcoin for $20,000, according to one of the forum’s administrators. In a listing that was still online as of June 13, a user was advertising the sale of @eternity on Instagram for $1,000.
These are just two examples of the kind of accounts for sale on OGUSERS. The forum was launched in April 2017 to give people a place to purchase and sell “OG” usernames. (The forum takes its name from the slang term OG, short for “original gangster.”) An OG on social media is any username that is considered cool, perhaps because it’s a unique word like @Sex, @Eternity, or @Rainbow. Or perhaps because it’s a very short handle, such as @t or @ty. Celebrities have also been targeted.
In August of last year, for example, hackers hijacked the Instagram account of Selena Gomez and posted nude photos of Justin Bieber. The first name on Gomez’s account name was also changed to “Islah”, identical to that used at the time by someone on OGUSERS who went by the username Islah. According to hackers in OGUSERS, the people claiming to be behind the Gomez hack said they did so by taking over the cell phone number associated with the singer-actress’s Instagram account, which had 125 million followers when it was seized.
“Damn they legit hacked the most followed person on Instagram,” an OGUSERS member commented in a thread titled “RIP SELENA GOMEZ.”
A spokesperson for Gomez declined to comment via email.