Bitcoin Cryptocurrency News Security

19-Year-Old Hacker SIM-‘Sweeps’ $1m In Crypto Under His Victims’ Noses

December 22, 2019
Ross Peili


19-Year-Old Hacker SIM-‘Sweeps’ $1m In Crypto Under His Victims’ Noses

NEW YORK – A 19-year old teen ‘crook’ as characterized by the New York Post, allegedly ‘SIM-swapped’ the digital identities of 75 US victims from whom he managed to mint a fortune of over $1 mn dollars in cryptocurrency, all from his apartment in Brooklyn, and just with the help of his smart hand-held device and a laptop. 

According to NYC authorities, the young man who was identified to be Yousef Selassie used what the police described as a ‘sophisticated SIM-Swapping schene’ to basically redirect phone calls and SMS’ meant to reach his victims’ devices unto his own tampered device from where he managed to perform cryptocurrency transactions in their behalf. 

Findings revealed by the Manhattan District Attorney’s Office suggest that a total number of 70 victims, hailing for 20 different US states were infected between Jan. 20 and May 19, 2019.   

Furthermore, details of Sellasie’s operations revealed the exact method he used to perform his cyberattack which essentially redirected his victims’ phone numbers to his own iPhone, empowering him to reset/change their passwords, as well as gain access to their Gmail accounts, cryptocurrency exchange markets, and other sensitive financial accounts, while similar to typical SIM-Swapping attacks, the victims’ devices would temporarily go offline during the period of the ‘attack’.

Read More: Bank of America: Bitcoin Was The Most Profitable Investment Of The Decade

The young hacker pleaded not guilty 

The young hacker was arrested earlier this month on December 5th in Corona, California, from where he was transferred back to New York and had a trial this Wednesday in Manhattan Supreme Court. 

Most likely the authorities found him due to his failure to cover his own internet tracks, as well as findings in both of his residencies, which included six iPhones, a couple of Rolexes, a monogrammed Gucci wallet and other top-shelf jewelry which allegedly were paid for with his stolen cryptocurrency. 

Despite the fact that 70 netizen identities were affected, the police said that the stolen funds ($1mn USD) were accumulated from just two victims, while Sellasie himself pleaded not guilty when charged with 87 counts of grand larceny, identity theft, and other cybercrimes. 

Judge Mark Dwyer requested the 19-year-old plaintiff to hand over his passport and check-in weekly with a supervised release program until the conclusive order was issued, while bail was not set in Sellasie’s case, due to the nature of his own wrongdoings. 

Read More: NIKE’s Decision To Go ‘Crypto’ Will Benefit Ethereum More Than The Shoemaker

Is SIM-swapping the new ‘hacking’?

This is not the first time we encounter cryptocurrency-related cybercrimes tethered to SIM-swapping attacks, with a civil complaint filed earlier this October with the United States District for the Central District of California, suing US telecom giant AT&T with analogous charges. 

Just a week before, the Department of Justice published a press release subjecting a 29-year-old Singaporean who faces 34 years in jail for allegedly mining cryptocurrencies using Amazon’s AWS and Google Cloud on behalf of his victims, whose identities were electronically stolen by the subject. 

In general, over the past couple of years, we’ve been spammed to use SIM-backed 2FA, or apps like Google Auth to ensure our digital identities’ security, but it seems that exactly these measures are the backdoors hackers have been exploiting to gain access to their victims’ accounts in the first place. 

Personally, I am not using Google Auth since 2018, and I have changed my SIM this Summer, which’s number I haven’t used anywhere as a ‘security measure’. So far, so good.

I think it’s wiser to change your passwords regularly and never use the same or even similar passwords across different websites, and that should keep you out of the need for 2FA-like ‘security measures’, considering that if these measures are breached then basically all your internet presence is practically infected.