Skip to main content

Two SIM swappers phished a phone company so they could steal $16K in crypto

Two SIM swappers phished a phone company so they could steal $16K in crypto

/

The thief set up a SWAT attack against his partner

Share this story

A stylized illustration of a Bitcoin in purple and black shadows.
Cryptocurrency thief pleads guilty in SIM swapping scheme
Illustration by Alex Castro / The Verge

Twenty-year-old Kyell Bryan of Pennsylvania has pleaded guilty to aggravated identity theft for a SIM swapping and cryptocurrency theft scheme, according to the United States Attorney’s Office of the District of Maryland.

According to the initial indictment statement, in June 2019, Bryan, who was 19, conspired with Jordan K. Milleson, then 21, and others. The group engaged in phishing and vishing (voice phishing) to trick employees at an unnamed wireless operator into coughing up their login credentials.

As Brian Krebs reported when Bryan and Milleson were indicted, they were active participants of the OGUsers trading forum, which has spawned similar phishing attacks against Twitter and others, usually with the intent of stealing and trading social media handles. Leaked messages from OGUsers reveal that in 2019, Bryan asked another member for help crafting a site that would look like T-Mobile’s employee login page.

They used those credentials to conduct unauthorized SIM swaps, redirecting their target’s phone number to bypass the two-factor authentication process that is supposed to protect accounts. SIM swapping attacks are why AT&T faced a now-dismissed lawsuit alleging negligence for failing to stop them in 2018, and the method opened up a way to temporarily hijack Twitter CEO Jack Dorsey’s handle in 2019.

According to the prosecutors, after performing the swap, Bryan instructed Milleson to transfer cryptocurrency valued at $16,847.47 out of the victim’s account.

The scheming partnership turned into a mission to find Milleson’s true identity when Bryan and other accomplices suspected Milleson cheated them out of their share. After finding out his aliases and personal information from another co-conspirator, Bryan attempted to “swat” him at his home.

Bryan called the Baltimore County Police claiming he was at Milleson’s home address with a handgun, saying he’d shot his father and threatening to shoot himself. In the call, he threatened to shoot if confronted by police, attempting to set up the kind of dangerous encounter that has already killed some swatting victims.

BCPD didn’t find a gunman at the house, but officers spoke to Milleson’s relative, who told them about a phone call made earlier claiming that Milleson stole $20,000.

Milleson was sentenced to two years in federal prison and ordered to pay restitution of $34,329.01 in May.

Bryan is set to be sentenced in January 2022 and faces two years in federal prison following one year of supervised release. As part of his plea agreement, Bryan will be ordered to pay $16,847.47 in restitution.