Full Report
Europol on Friday announced the disruption of a sophisticated cybercrime-as-a-service (CaaS) platform that operated a SIM farm and enabled its customers to carry out a broad spectrum of crimes ranging from phishing to investment fraud. The coordinated law enforcement effort, dubbed Operation SIMCARTEL, saw 26 searches carried out, resulting in the arrest of seven suspects and the seizure of
Analysis Summary
# Incident Report: Takedown of Global SIM Farm Network (Operation SIMCARTEL)
## Executive Summary
Europol, conducting Operation SIMCARTEL, dismantled a highly sophisticated Cybercrime-as-a-Service (CaaS) platform that utilized a massive SIM farm infrastructure to facilitate global criminal activities. The network enabled customers to register over 49 million fake online accounts, leading to significant fraud losses, including phishing, investment scams, and emergency scams. The operation resulted in seven arrests, the seizure of 1,200 SIM box devices, and the takeover of associated service websites.
## Incident Details
- Discovery Date: Implicitly leading up to the enforcement action on October 17, 2025 (Europol announcement on Friday).
- Incident Date: Ongoing criminal activities utilized the infrastructure prior to the takedown. Arrests/Takedown occurred October 10, 2025, or earlier for the website takeover.
- Affected Organization: The criminal infrastructure operated as a CaaS platform (gogetsms[.]com, apisim[.]com).
- Sector: Cybercrime Infrastructure facilitating various sectors (Finance, Telecommunications).
- Geography: International operation involving Austria, Estonia, Finland, and Latvia, with the platform serving customers globally across 80+ countries.
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly stated when the service first became operational. The CaaS platform operated globally for an indeterminate time.
- Vector: Customers utilized the CaaS platform (SIM farm) to acquire temporary/anonymous phone numbers.
- Details: The infrastructure offered phone numbers registered to people in over 80 countries to receive SMS verification codes for over 160 online services.
### Lateral Movement
- Not directly applicable in the context of a service provider takedown, but the resulting criminal activities (phishing, fraud) required the acquired phone numbers to bypass KYC/verification controls.
### Data Exfiltration/Impact
- The service was used to send phishing/smishing attacks and execute investment fraud schemes.
- Other reported uses included extortion, migrant smuggling, and distribution of CSAM.
- Affected 3,200 people globally; caused reported losses of approximately €4.5 million in Austria and €420,000 in Latvia.
### Detection & Response
- Detection: Coordinated investigation by Europol, Eurojust, and national law enforcement agencies (Austria, Estonia, Finland, Latvia).
- Response actions taken: Operation SIMCARTEL involved 26 searches, 7 arrests (5 Latvian nationals), seizure of 1,200 SIM box devices (40,000 active SIM cards), dismantling of 5 servers, and the takeover of gogetsms[.]com and apisim[.]com, which displayed a seizure banner on October 10, 2025. Assets totaling over €700,000 were frozen.
## Attack Methodology
- Initial Access: Customers accessed the platform (gogetsms[.]com / apisim[.]com) to procure disposable phone numbers.
- Persistence: The physical SIM farm infrastructure (SIM boxes) maintained ongoing connectivity for receiving verification codes.
- Privilege Escalation: Not applicable to the CaaS provider's infrastructure itself, but the service let customers register accounts anonymously, effectively bypassing standard account creation controls.
- Defense Evasion: The primary function was to evade identity tracing and geographic restrictions by using real, high-volume telecommunication resources registered in numerous countries.
- Credential Access: Not detailed, but necessary for victims who fell for emergency or financial scams initiated via channels linked to these numbers.
- Discovery: Criminals researched victim pools for schemes (investment fraud, emergency alerts).
- Lateral Movement: Enabled customer-side activities like creating 49 million fake social media/communication platform accounts.
- Collection: End-users of the service collected funds through fraudulent investment schemes or extortion payments.
- Exfiltration: Not directly related to the CaaS provider, but relevant to the activities *enabled* by the service (e.g., transfer of fraudulently obtained funds).
- Impact: Financial fraud, identity concealment, and facilitating severe crimes like CSAM distribution.
## Impact Assessment
- Financial: Total losses reported in Austria and Latvia alone reached nearly €5 million. Suspects' bank and crypto accounts totaling over $812,000 USD were frozen.
- Data Breach: Creation of 49 million fake online accounts used to mask criminal activity.
- Operational: Disruption of a major CaaS platform used by cybercriminals globally.
- Reputational: Negative impact on the legitimacy of mobile verification processes used by numerous online services.
## Indicators of Compromise
- Network indicators: Servers associated with gogetsms[.]com and apisim[.]com (Takedown confirmed).
- File indicators: None provided.
- Behavioral indicators: Use of a SIM farm infrastructure to receive high volumes of SMS verification codes from legitimate online platforms.
## Response Actions
- Containment measures: Law enforcement executed coordinated searches across multiple countries.
- Eradication steps: Seizure and removal of 1,200 SIM box devices and 40,000 active SIM cards. Dismantling of 5 associated criminal servers.
- Recovery actions: Takeover of primary advertising websites (gogetsms[.]com and apisim[.]com) displaying seizure banners.
## Lessons Learned
- Criminals are leveraging commercially available, technically sophisticated infrastructure (CaaS) to scale traditional fraud methods (e.g., "grandparent scams") and bypass modern security controls (2FA/SMS verification).
- The monetization model for SIM cards (allowing owners to earn revenue for forwarded SMS) incentivizes ordinary individuals to participate in criminal enablement.
## Recommendations
- Telecom providers must enhance monitoring for traffic patterns indicative of large-scale SIM box usage.
- Online service providers relying solely on SMS verification should integrate alternative or stronger multi-factor authentication methods, especially for high-value or new account creation.
- Continued international cooperation (via Europol/Eurojust) is critical to dismantle cross-border CaaS infrastructures.
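
The behavioral indicator above (high volumes of SMS verification codes flowing to farm-hosted numbers) can be approximated on the online-service side by watching a service's own verification log. The following is an added example, not code from Europol or the original report: the event format, the thresholds, and the assumption that farm SIMs tend to sit in adjacent number ranges are all illustrative, and the sample numbers are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (ISO timestamp, E.164 number, account id) per successful
# SMS verification. Numbers come from a range reserved for fictional use.
EVENTS = [
    ("2025-01-15T10:00:00", "+447700900101", "a1"),
    ("2025-01-15T10:05:00", "+447700900102", "a2"),
    ("2025-01-15T10:09:00", "+447700900103", "a3"),
    ("2025-01-15T10:20:00", "+447700900104", "a4"),
    ("2025-01-15T10:25:00", "+447700900101", "a5"),
    ("2025-01-15T10:40:00", "+447700900101", "a6"),
    ("2025-01-15T09:00:00", "+447700900850", "b1"),
    ("2025-01-15T15:00:00", "+447700900851", "b2"),
]

def flag_dense_blocks(events, block_digits=2, window=timedelta(hours=1), min_numbers=4):
    """Map number-block prefix -> peak count of distinct numbers verified
    within any sliding window, for blocks reaching min_numbers (assumed threshold)."""
    by_block = defaultdict(list)
    for ts, number, _acct in events:
        by_block[number[:-block_digits]].append((datetime.fromisoformat(ts), number))
    flagged = {}
    for prefix, rows in by_block.items():
        rows.sort()
        start = peak = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, len({n for _, n in rows[start:end + 1]}))
        if peak >= min_numbers:
            flagged[prefix] = peak
    return flagged

def flag_reused_numbers(events, max_accounts=2):
    """Map number -> distinct account count, for numbers over max_accounts."""
    accounts = defaultdict(set)
    for _ts, number, acct in events:
        accounts[number].add(acct)
    return {n: len(a) for n, a in accounts.items() if len(a) > max_accounts}

if __name__ == "__main__":
    print("dense blocks:", flag_dense_blocks(EVENTS))
    print("reused numbers:", flag_reused_numbers(EVENTS))
```

Flagged blocks and numbers are candidates for step-up verification (a stronger second factor, as recommended above) rather than automatic blocking, since legitimate shared or recycled numbers can trip the same thresholds.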