The agency says it found a network of some 300 servers and 100,000 SIM cards—enough to knock out cell service in the NYC area. Experts say it mirrors facilities typically used for cybercrime.
# Incident Report: Massive New York SIM Farm Disruption
## Executive Summary
The US Secret Service dismantled a massive, illegally operated SIM farm network across the New York tristate area, involving approximately 300 servers and 100,000 SIM cards. This operation, which was suspected of being used by organized crime and nation-state actors for spam and cybercrime, posed a significant threat of large-scale cellular disruption, potentially capable of disabling cell service in New York City. The investigation began following the farm's use in "swatting" attacks targeting US Congress members in late 2023.
## Incident Details
- Discovery Date: September 2025 (date of public disclosure by the US Secret Service).
- Incident Date: Ongoing operation, linked to events around Christmas 2023.
- Affected Organization: N/A (Infrastructure threat targeting general telecommunications).
- Sector: Telecommunications / Critical Infrastructure.
- Geography: New York tristate area (within 35 miles of midtown Manhattan).
## Timeline of Events
### Initial Access
- Date/Time: Pre-Christmas 2023 (Operation was active).
- Vector: The operation was discovered after its use in swatting attacks. How the operators set up and provisioned the SIM farm infrastructure is not detailed, but its scale implies a coordinated build-out.
- Details: The network was used in "swatting" attacks targeting US members of Congress (Marjorie Taylor Greene and Rick Scott) around Christmas 2023.
### Lateral Movement
- Movement *within* the SIM farm network is not explicitly detailed, but the structure of a SIM farm inherently supports rapid, large-scale spoofing and sending of network communications.
### Data Exfiltration/Impact
- Potential Impact: Capability to send approximately 30 million text messages per minute, capable of flooding US cell towers and "essentially shut[ting] down the cell phone network in New York City."
- Confirmed Use: Spam, cybercrime, and high-profile swatting incidents.
### Detection & Response
- Detection: Followed tracking efforts related to the 2023 swatting incidents involving Romanian and American actors.
- Response Actions: The US Secret Service’s Advanced Threat Interdiction Unit seized the equipment across multiple sites just ahead of the UN General Assembly in September 2025 to prevent potential disruption.
## Attack Methodology
- Initial Access: Physical setup and provisioning of servers/SIM blocks to establish the large-scale network for telecommunication manipulation.
- Persistence: Ongoing operational management of the 100,000 active SIM cards via specialized servers/devices.
- Privilege Escalation: Not applicable in the traditional sense; the infrastructure itself conferred high-volume communication capability.
- Defense Evasion: Anonymity provided by the massive scale and distribution of sites across the tristate area, facilitating use by organized crime and nation-state actors.
- Credential Access: Not applicable; the focus was on network disruption and overwhelming carrier networks with traffic.
- Discovery: Reconnaissance by law enforcement following high-profile swatting attacks.
- Lateral Movement: Ability to rapidly pivot traffic across 100,000 unique (though illegally managed) identities/numbers.
- Collection: Sending mass automated texts/calls.
- Exfiltration: Not the primary goal, but the structure enabled anonymity for other illicit communications.
- Impact: Potential physical/operational disruption of cellular infrastructure.
## Impact Assessment
- Financial: Unknown direct costs, but potential for massive economic disruption if the NYC network had been disabled.
- Data Breach: No specific data breach mentioned, but the operation facilitated fraudulent communications and swatting.
- Operational: Significant risk of critical infrastructure failure (cellular service) across NYC.
- Reputational: Minor reputational damage to the Secret Service pending full investigation results, mitigated by the successful dismantling of the threat.
## Indicators of Compromise
- Network Indicators: High-volume SMS/call initiation originating from a centrally managed, bulk-provisioned block of SIMs/numbers (defanged: `[IP_ADDRESS_BLOCK_SUSPECTED_OF_HIGH_VOLUME_COMMUNICATION]`).
- File Indicators: N/A (Primarily hardware/infrastructure-focused).
- Behavioral Indicators: Automated, high-frequency generation of text messages (estimated 30 million per minute) and originating calls linked to criminal activity like swatting.
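A carrier-side detection heuristic for the behavioral indicator above, added here as an illustration and not taken from the report or the Secret Service: it groups CDR-style SMS records by minute and cell site and flags sites where many distinct SIMs each send at a rate no ordinary subscriber would. The record layout, thresholds and sample rows are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample CDR-style rows: (minute_bucket, sim_id, cell_site, sms_sent).
# Synthetic values for illustration, not data from the investigation.
def build_sample_records():
    rows = []
    # Suspected farm: 60 SIMs on one site, each sending ~25 SMS in the same minute.
    for i in range(60):
        rows.append(("2025-09-01T12:00", f"SIM-FARM-{i:03d}", "SITE-A", 25))
    # Ordinary subscribers: a handful of SIMs sending one or two messages.
    for i in range(5):
        rows.append(("2025-09-01T12:00", f"SIM-USER-{i:03d}", "SITE-B", 1 + i % 2))
    # Busy but legitimate site: many SIMs, low per-SIM rate (must not be flagged).
    for i in range(200):
        rows.append(("2025-09-01T12:00", f"SIM-BUSY-{i:03d}", "SITE-C", 1))
    return rows


def flag_sim_farm_sites(records, min_sims=50, min_sms_per_sim=10):
    """Group records by (minute, cell site) and flag sites where at least
    `min_sims` distinct SIMs each sent >= `min_sms_per_sim` messages in that
    minute. Both thresholds are illustrative assumptions, not carrier policy.
    Returns one alert dict per flagged (minute, site)."""
    per_site = defaultdict(dict)  # (minute, site) -> {sim_id: sms_count}
    for minute, sim, site, sms in records:
        bucket = per_site[(minute, site)]
        bucket[sim] = bucket.get(sim, 0) + sms

    alerts = []
    for (minute, site), sims in per_site.items():
        # Count SIMs individually exceeding the per-SIM rate; a crowded site
        # full of low-rate subscribers stays below this bar.
        hot = [s for s, n in sims.items() if n >= min_sms_per_sim]
        if len(hot) >= min_sims:
            alerts.append({"minute": minute, "site": site,
                           "hot_sims": len(hot), "total_sms": sum(sims.values())})
    return alerts


if __name__ == "__main__":
    for alert in flag_sim_farm_sites(build_sample_records()):
        print(alert)
```

Applying both a per-SIM rate and a distinct-SIM count is what separates a farm from a busy but legitimate site; either threshold alone would flag SITE-C or miss a farm spread thinly across sites.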
## Response Actions
- Containment measures: Seizure of approximately 300 servers and 100,000 SIM cards located across multiple sites in the NY tristate area within a 35-mile radius of Manhattan.
- Eradication steps: Physical removal and neutralization of the SIM farm hardware. Ongoing investigation into calling/texting records.
- Recovery actions: Full restoration and verification of normal cellular network service stability.
## Lessons Learned
- SIM farm technology, when scaled up (100,000 cards), presents a tangible threat to critical communication infrastructure, not just a nuisance for spam.
- The link between seemingly low-level cybercrimes (like swatting) and sophisticated, high-capability infrastructure should not be ignored.
- Intelligence sharing between federal agencies (Secret Service) and investigation into specific criminal events (swatting) is key to uncovering large-scale physical infrastructures.
## Recommendations
- Increase monitoring and proactive threat hunting for large concentrations of telecom equipment disguised as standard server farms, particularly in metropolitan areas near critical infrastructure hubs.
- Enhance regulatory oversight and detection mechanisms for the bulk provisioning and activation of large volumes of SIM cards in patterns inconsistent with normal service use.
- Develop response protocols specifically tailored for coordinated disruption threats against telecommunications infrastructure, collaborating closely with carriers.