Authorities raided a "SIM farm" operation that used tens of thousands of cards to enable fraud in several European countries, including Latvia and Austria.
# Incident Report: Takedown of International Scammer Phone Number Network
## Executive Summary
International law enforcement, led by Latvian police and Europol, dismantled a sophisticated network that facilitated large-scale cyber fraud by selling access to tens of thousands of phone numbers registered in more than 80 countries. The network enabled criminals to create over 49 million fake online accounts for use in phishing, fraud, extortion, and distribution of illicit material, resulting in over €5 million in reported losses, primarily affecting Austria and Latvia. The operation involved arrests and the seizure of servers, SIM cards, and SIM box devices, highlighting the threat posed by professionally organized illegal infrastructure supporting global cybercrime.
## Incident Details
- **Discovery Date:** Prior to the October 2025 arrests; investigation led to coordinated action "last week" (relative to Oct 17, 2025).
- **Incident Date:** The network operated over an undisclosed period leading up to the takedown.
- **Affected Organization:** Criminal network selling services to scammers; significant impact felt by victims in Austria and Latvia.
- **Sector:** Cybercrime enabled by Telecommunications Infrastructure.
- **Geography:** Operation coordinated by Latvian police; the network procured SIMs globally, offered phone numbers registered in more than 80 countries, and impacted victims across Europe.
## Timeline of Events
### Initial Access (To the Criminal Network's Service)
- **Date/Time:** Ongoing prior to the takedown.
- **Vector:** Criminals subscribed to or rented phone numbers via the network's polished online platform.
- **Details:** The service provided access to phone numbers globally, used for account verification and masking criminal identities.
### Lateral Movement (By End Users)
- Attackers used the rented numbers to create fake accounts across social media and messaging platforms.
- These accounts were then utilized to conduct phishing, fraud, extortion, migrant smuggling, and distribute child sexual abuse material.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Direct financial fraud losses exceeded €5 million ($5.8 million) across 3,000+ cyber fraud cases. Over 49 million online accounts were created using the illicit service.
### Detection & Response
- **How it was discovered:** Part of an ongoing international law enforcement investigation (Europol involvement noted).
- **Response actions taken:** International operation ("last week") resulting in five arrests in Latvia (including the alleged organizer), seizure of five servers, 40,000 active SIM cards, and 1,200 SIM box devices. The investigation is ongoing to identify end-users.
## Attack Methodology
*Note: Since this analyzes a criminal service infrastructure rather than a specific victim breach, the methodology describes the service provider's function.*
- **Initial Access:** The network established a professional, technically advanced platform (polished website) to sell access to SIMs.
- **Persistence:** Utilized 40,000 active SIM cards and SIM box devices to maintain a steady supply of verifiable phone numbers.
- **Privilege Escalation:** Not directly applicable to the standard cyber kill chain, but the network provided **Identity Concealment** for malicious actors.
- **Defense Evasion:** Provided legitimate-looking phone numbers for verification steps, essential for bypassing security measures on social media and messaging platforms.
- **Credential Access:** Not directly used for stealing credentials, but enabled the creation of fraudulent accounts.
- **Discovery:** The network maintained a global logistics operation to procure SIM cards internationally.
- **Lateral Movement:** Enabled attackers to move across platforms (social media, messaging) by providing fresh identity linkages.
- **Collection:** N/A (Service focused on verification/identity, not data collection from victims).
- **Exfiltration:** N/A (Service facilitated the creation of accounts used for other crimes, including fraud).
- **Impact:** Enabled mass account creation (49M+), facilitating phishing, fraud, and severe crimes like child abuse material distribution.
## Impact Assessment
- **Financial:** Over €5 million ($5.8 million) in combined losses reported across 3,000+ fraud cases.
- **Data Breach:** No specific data breach of a single organization reported; the impact was the mass abuse of identity services.
- **Operational:** Disruption of a large-scale, unique criminal infrastructure described as "unprecedented in scale" for this type of service in Europe.
- **Reputational:** Potential reputational damage related to the widespread use of the service for crimes like extortion and distribution of CSAM.
## Indicators of Compromise
*Since this is a law enforcement action against an infrastructure provider, Indicators of Compromise (IoCs) are limited to seized assets.*
- **Network indicators:** Seized servers (Quantity: 5).
- **File indicators:** N/A
- **Behavioral indicators:** Utilization of 1,200 SIM box devices (hardware compromise indicators).
## Response Actions
- **Containment measures:** Coordinated international law enforcement operation resulting in the physical seizure of operational infrastructure (servers, SIM boxes, SIM cards).
- **Eradication steps:** Arrest of five suspects, including the alleged organizer, and shutdown of the online platform.
- **Recovery actions:** Investigation ongoing to identify users to mitigate further damage from the associated criminal activities.
## Lessons Learned
- The emergence of sophisticated, professionally organized criminal infrastructure, operating with the facade of a legitimate business, presents a significant new challenge for European law enforcement.
- The scale of the operation (40,000 active SIMs, 49 million created accounts) demonstrates how vital phone verification services are to modern cybercrime.
- Prior criminal associations (one suspect previously investigated in Estonia for arson/extortion) highlight potential cross-domain criminal activity.
## Recommendations
- Develop new, proactive European regulatory and investigative strategies specifically targeting "SIM farm" and illegal verification service infrastructure, since this "new and unique scheme" proved challenging to address with current methods.
- Enhance intelligence sharing regarding the procurement logistics of global SIM card supply chains to disrupt infrastructure before it becomes operational.
- Coordinate closely with telecommunications providers globally to flag and monitor bulk activation/use patterns indicative of SIM box deployment.