Sixth Member of International Hacking Community Sentenced in SIM Card Scheme

A U.S. court sentenced a member of an international hacking organization to 10 months in prison along with heavy fines in connection with a multi-million dollar hacking scheme.

The perpetrator, Garrett Endicott, 22, of Warrensburg, Mo., pleaded guilty to cyber crimes affiliated with a large-scale SIM hijacking plot, acting U.S. Attorney Saima Mohsin confirmed on Tuesday. Endicott is the sixth and final defendant to be tried in connection with an international hacking group known as The Community.

Members of The Community are known to engage in SIM hijacking or SIM swapping, which is an identity theft technique rooted in exploiting cell phone numbers. The group’s objective is to steal cryptocurrency from victims nationwide, with incidents spanning California, Missouri, Michigan, Utah, Texas, New York and Illinois.

SIM hijacking is usually carried out through bribing an employee of a cell phone provider to have access to certain phone numbers. In other instances, members of the group contacted a cellular service provider pretending to be a victim, and requested that a phone number registered to another user would be switched to a separate SIM card, effectively stealing the number and cell phone account.

From here, the hackers can access sensitive personal information, such as email addresses and financial criteria. Cryptocurrency exchange account information is particularly of interest to hackers within The Community. By having access to the victims’ cell phone numbers, The Community could pass stronger security measures such as a two-factor authentication.

In total, law enforcement officials estimate that the range of cryptocurrency theft value stands at over $9 million among sentenced defendants. 

“The actions of these defendants resulted in the loss of millions of dollars to the victims, some of whom lost their entire retirement savings,” Mohsin said.  “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it.”

Endicott was ordered to pay $121,549.37 in restitution fees. 

Other defendants convicted in association with The Community’s SIM hijacking schemes were based in Florida, South Carolina, and Iowa. A man hailing from Ireland was also charged and sentenced by an Irish court to three years in prison.

Given the international scope of the crimes, the investigation was spearheaded by Homeland Security Investigations, along with Irish law enforcement authorities. 

“The illegal activities of The Community were thwarted as the result of a complex international cryptocurrency and identity theft investigation,” said HSI Detroit Acting Special Agent in Charge James C. Harris. “As criminal organizations commonly use web-based schemes to further their illicit activities, this demonstrates how vulnerable our personal information can be, and the damage that can ensue when our information falls into the wrong hands.”

The Federal Communications Commission warned of SIM hijacking incidents and other related fraud activity back in September, citing data suggesting that 80 percent of SIM hacking attempts are successful. 

U.S. law enforcement has focused more resources on responding to cryptocurrency crimes recently, with the Department of Justice having launched a cryptocurrency enforcement response team in October. This robust response was also on the heels of the slew of ransomware attacks that hit major U.S. firms in the summer of 2021 that demanded ransom in cryptocurrency sums.