What happened
Polish authorities arrested four members of an organized cybercrime group accused of carrying out SIM-swapping attacks tied to millions of dollars in cryptocurrency theft.
The operation was carried out by Poland’s Central Cybercrime Bureau with support from the FBI and Homeland Security Investigations in the United States.
Investigators said the suspects conducted sophisticated cyberattacks to obtain data needed for SIM-swapping attacks. The group allegedly gained unauthorized access to infrastructure belonging to entities that cooperate with telecommunications operators, as well as employee email accounts.
The stolen data enabled the attackers to illegally clone and take over victims’ phone numbers. Once they controlled the numbers, the attackers intercepted SMS messages and email communications, then used that access to compromise accounts at cryptocurrency exchanges.
Authorities estimated that millions of U.S. dollars were stolen through the scheme and laundered through a distributed financial network.
Polish authorities said the suspects treated the activity as a regular source of income. They allegedly used multiple bank accounts across different countries and digital wallets to transfer stolen funds.
The total value of laundered funds is estimated to exceed several tens of millions of Polish złoty, which would amount to at least $5 million.
All four arrested individuals were placed in pre-trial detention. They face charges related to participation in an organized criminal group, hacking IT systems to commit theft, and money laundering.
The maximum penalty for the offenses is 25 years in prison.
Who is affected
Victims whose phone numbers were hijacked through SIM-swapping attacks are directly affected.
The campaign is especially relevant to cryptocurrency exchange users because attackers allegedly used hijacked phone numbers and intercepted communications to gain control of crypto accounts.
Telecommunications partners and organizations whose employee email accounts or infrastructure were compromised are also affected because the attackers allegedly used access to those environments to obtain data needed for SIM swaps.
The broader risk extends to any organization relying on SMS-based authentication or phone-number control as a strong identity factor.
Why CISOs should care
This case shows how SIM swapping remains a high-impact identity attack, especially when attackers can compromise telecom-adjacent systems and employee email accounts.
For CISOs, the key lesson is that phone numbers should not be treated as secure identity anchors. If attackers can take control of a victim’s number, they may intercept SMS codes, password reset messages, account notifications, and other recovery communications.
The crypto theft angle also matters because cryptocurrency accounts are high-value targets where rapid account takeover can lead to irreversible financial loss. Once attackers control both the phone number and related communications, they can bypass weak recovery and verification workflows.
The case also highlights third-party and ecosystem risk. The alleged compromise involved entities cooperating with telecommunications operators, showing that attackers may target supporting organizations rather than telecom carriers directly.
3 practical actions
- Reduce reliance on SMS-based authentication: The attackers allegedly hijacked phone numbers and intercepted SMS messages. CISOs should move high-risk users and privileged accounts toward phishing-resistant MFA, authenticator apps, hardware keys, or passkeys.
- Harden account recovery workflows: SIM swapping is often used to defeat password resets and account recovery checks. Security teams should require stronger verification for phone-number changes, device changes, password resets, and high-value account actions.
- Monitor telecom and email compromise paths: Investigators said the group accessed telecom partner infrastructure and employee email accounts. Organizations should monitor employee mailbox access, telecom-related workflows, identity provider logs, and suspicious requests involving phone-number changes or account recovery.
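The second and third actions can be combined into one check. The sketch below is an added example, not part of the original article: it flags sensitive account actions that follow a phone-number change within a set window, and exposes the same rule as a step-up policy check. The event type names, the 24-hour window, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Event type names and the 24-hour window are assumptions for this example.
PHONE_CHANGE = "phone_number_changed"
SENSITIVE = {"password_reset_sms", "new_device_login", "withdrawal_requested"}
WINDOW = timedelta(hours=24)

# Constructed sample events (not real log data).
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "user": "alice", "type": "new_device_login"},
    {"ts": "2025-03-02T02:10:00", "user": "bob", "type": "phone_number_changed"},
    {"ts": "2025-03-02T02:14:00", "user": "bob", "type": "password_reset_sms"},
    {"ts": "2025-03-02T02:20:00", "user": "bob", "type": "new_device_login"},
    {"ts": "2025-03-02T02:31:00", "user": "bob", "type": "withdrawal_requested"},
    {"ts": "2025-03-03T10:00:00", "user": "carol", "type": "phone_number_changed"},
    {"ts": "2025-03-06T10:00:00", "user": "carol", "type": "password_reset_sms"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def find_post_change_activity(events, window=WINDOW):
    """Return {user: [sensitive event types]} seen within `window` after a phone change."""
    last_change = {}  # user -> time of most recent phone-number change
    hits = {}
    for ev in sorted(events, key=lambda e: parse(e["ts"])):
        when = parse(ev["ts"])
        if ev["type"] == PHONE_CHANGE:
            last_change[ev["user"]] = when
        elif ev["type"] in SENSITIVE:
            changed = last_change.get(ev["user"])
            if changed is not None and when - changed <= window:
                hits.setdefault(ev["user"], []).append(ev["type"])
    return hits

def requires_step_up(events, user, action_time, window=WINDOW):
    """Policy check: demand non-SMS verification if the number changed recently."""
    at = parse(action_time)
    return any(
        ev["user"] == user and ev["type"] == PHONE_CHANGE
        and timedelta(0) <= at - parse(ev["ts"]) <= window
        for ev in events
    )

if __name__ == "__main__":
    for user, actions in find_post_change_activity(EVENTS).items():
        print(f"ALERT {user}: {', '.join(actions)} within 24h of phone-number change")
```

In the sample data only bob is flagged: carol's reset comes three days after her number change, and alice never changed her number.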
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

