Crowd Machine, a California-based cryptocurrency startup, has fallen victim to a $14 million hack. Oklahoma police have arrested two men who reportedly stole millions of dollars from Crowd Machine, CCN reported.
Fletcher Robert Childers, 23, and Joseph Harris, 21, both of Missouri, were arrested by police at a west side hotel on Monday. According to search warrants and court documents, the hackers used a SIM swapping technique to steal the victims’ passwords and identity.
In a post on its website, Crowd Machine stated that access to its crypto wallet was compromised and Crowd Machine Compute Tokens (CMCTs) were stolen. The company has also posted the thief’s wallet address 0x290d615eE921706ec8cCB2593F09B2D2e0F8B67c and asked customers not to deal with them. It further said that most exchanges have suspended trading in the currency.
Crowd Machine Founder and CEO Craig Sproule told local media:
“The criminal investigation is ongoing so we’re not in a position to comment other than to confirm that two arrests have been made. We’ve been working closely with law enforcement agencies to help with the ongoing investigation.”
SIM swapping, also known as SIM splitting, is a kind of account takeover scam that normally targets a weakness in two-factor authentication and two-step verification where the second factor or step is an SMS or a call placed to a mobile phone. The scam exploits a mobile phone operator’s ability to swiftly port a phone number to a new SIM, a feature generally used when a customer has lost their phone.
The scam starts with a hacker gathering information about the victim, either by using phishing emails or by purchasing it from the dark web. Once the attackers have these details, they contact the victim’s mobile service provider and use social engineering techniques to convince the provider to port the victim’s phone number to the fraudster’s SIM, for example by impersonating the victim and claiming to have lost the phone.
This is not the first time that SIM swapping and cryptocurrency have been in the news together. In August 2018, Bitcoin investor and cryptocurrency entrepreneur Michael Terpin sued telecommunications company AT&T for $224 million over a theft of cryptocurrency. According to Terpin, hackers were continuously targeting cryptocurrency investors and, despite knowing this, AT&T failed to secure his phone number. Attackers were able to steal his phone numbers in a fraud known as SIM swapping, SIM hijacking, or “port out scam.”
According to the Bitcoin investor, AT&T was at fault: it provided his phone number to hackers without sticking to its security policies, which enabled the cryptocurrency theft to happen. It was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the legitimate owner. He also stated that AT&T’s clients are subject to SIM swap fraud carried out by hackers. This attack was due to the active participation of AT&T’s own employees and hackers.
Crowd Machine CEO Update on CMCT Theft
According to Oklahoma City Police documents, Childers and Harris were arrested in Santa Clara County for grand theft, identity theft, and computer intrusion. Commenting on the hack, Crowd Machine founder and CEO Craig Sproule further said: “It is highly recommended that no one purchase CMCTs until the criminal investigations have ceased, at which time, we expect closed exchanges to re-open. Purchases of stolen tokens by those not involved with the theft will be honored. We will let the community know when temporary trading suspensions are lifted.”
According to documents, investigators found that the victim’s cell phone account was transferred to another device located in an area near the SpringHill Suites hotel, 510 S. MacArthur Blvd. They also found that the cell phone was purchased at a nearby Walmart, and surveillance footage showed two white males visiting the store, with one purchasing the phone, on September 18. The hotel room was rented by Harris on September 17 with a check-out date of the 25th.
How to Protect Yourself from SIM Swapping?
- Always ask phone service providers to make appropriate checks before sending SMS or voice calls.
- Make sure that all the devices have proper firewall/anti-virus protection.
- Always download programs and apps from known and trusted sources.
- Use strong passwords.