A 21-year-old man from New York is facing charges over the alleged theft of $1 million from a Silicon Valley executive after taking control of his phone number in a scam known as “SIM swap” and going on to invade his accounts with two digital currency exchanges, according to a CNBC report citing court records and officials.
Nicholas Truglia is said to have lifted $500,000 from each of two accounts that Robert Ross, a father of two from San Francisco, held in US dollars at the Coinbase and Gemini cryptocurrency exchanges. He went on to convert the haul into digital money and to deposit it into his personal account, according to authorities, which said that the robbery had taken place on October 26. Truglia was arrested on November 14.
The Manhattan resident is now facing a grand total of 21 felony charges, including identity theft, fraud, embezzlement, and attempted grand theft. In fact, according to reports, Truglia exploited the same tactic to target five more executives in the cryptocurrency arena. He reportedly managed to take over their phone numbers too, although his attempts to rob them ultimately failed.
Officials obtained a warrant and searched Truglia’s condo, and were eventually able to recover $300,000 worth of cryptocurrency from his hardware wallet. It’s not immediately clear what’s happened to the rest of the loot.
In a SIM swap (aka SIM splitting) scheme, a criminal impersonates a target to dupe the cellphone provider’s tech support staff into reassigning the victim’s phone number to a SIM card owned by the attacker. This usually requires answering a few security questions to verify the victim’s identity, but the criminal is often well prepared, having obtained the information through social engineering or mined it from social media, among other methods.
This access to the victim’s phone number can then help the attacker circumvent various security measures, including SMS-based two-factor authentication. Victims don’t usually realize that something is amiss until phone calls and messages won’t go through. By that time, however, the attacker may have invaded their bank or cryptocurrency accounts, including, for example, by resetting the password to any account associated with the phone number.