Cybercriminals hack the phones of 20 cryptocurrency executives via SMS spoofing attack

In early September, 20 cryptocurrency executives in Israel were victims of a cyberattack that resulted in identity theft, which attackers eventually tried to exploit to steal considerable amounts of virtual assets.

This attack appears to have been deployed by a sophisticated hacking team possibly sponsored by a state actor. The incident also involved a telecommunications company, a cybersecurity company called Pandora and probably a local company.

“On September 7, we were in talks with a potential customer, a deputy director of a company that claimed that his mobile device had been hacked, committing his Telegram account and other platforms,” says a researcher at Pandora, a company that often collaborates in investigating relevant security incidents.

Apparently the hackers sent messages to the victim’s contacts from their Telegram account in order to request the sending of cryptocurrencies. Threat actors could have gained access to the account through a SIM duplication attack or via a malware infection: “In total there were about 20 victims, all CEOs of cryptocurrency projects,” the expert report says. 

The attackers performed a verification process using the compromised SIM cards, all operated by the same telecommunications company. This access was made possible by abusing SMS verification functions, considered as a secure mechanism by the cybersecurity community. 

Although this is a likely cause, specialists have also found another possible explanation: “It is difficult to hijack a user’s SMS messages; it is possible in theory, although the attacker must be in a location close to the victim.” That’s why some experts believe that an attack variant known as SMSC impersonation was used, using a smartphone’s roaming feature to compromise the device.

“This is a very rare attack. Hackers require sending a message from a foreign network by updating the customer’s location, therefore it is possible to abuse roaming mode on the phone,” the experts mention.

Some threat actor from abroad could have hacked a mobile network in the UK, which completely compromised the SIM cards of those affected. Israeli authorities classify telecommunications networks as critical infrastructure and the security of their data is monitored by the National Cyber Security Authority, which is mandated by a secret security organization, so this incident is considered particularly troubling.