Two SIM swappers phished a phone company so they could steal $16K in crypto

According to the United States Attorneys Office of the District of Maryland, Kyell Bryan, a twenty-year-old from Pennsylvania, pleaded guilty for aggravated identity theft in connection to a SIM swapping scheme and cryptocurrency theft scheme.
According to the indictment, Bryan was 19 when he conspired with Jordan K. Milleson (then 21) and other people. To trick employees of an unnamed wireless operator into giving their login credentials, the group engaged in phishing (voice-phishing) and vishing.

Brian Krebs reported that Bryan and Milleson were both active participants in the OGUsers trading forum. This forum has been the target of similar phishing attacks on Twitter, often with the intent to steal and trade social media handles. According to OGUsers, Bryan requested help from another member in 2019 to create a website that looked like the login page for T-Mobile employees.

They used these credentials to perform unauthorized SIM swaps. SIM swapping attacks were why AT&T was facing a lawsuit alleging negligence for failing in 2018 to stop them. The method also allowed AT&T to temporarily hijack Twitter CEO Jack Dorseys account in 2019.

According to the prosecution, Bryan instructed Milleson, after performing the exchange, to transfer $16,847.47 cryptocurrency out of the victims' account.

When Bryan and his accomplices discovered Milleson was cheating them, the scheming partnership became a mission to discover Millesons true identity. Bryan tried to attack Milleson at his home after learning his aliases from another conspirator.

Bryan called Baltimore County Police, claiming that he was at Millesons house with a gun and that he had shot his father. He also threatened to shoot himself. He threatened to shoot police if they confront him, trying to create a dangerous situation that would result in the death of some swatting victims.

BCPD did not find a gunman in the house. However, officers spoke with Millesons relative who revealed that Milleson had stolen $20,000.

Milleson was sentenced in May to two years federal prison. He was also ordered to pay $34,329.01 restitution.

Bryan will be sentenced January 20, 2022. He faces two years in federal prison after one year of supervised freedom. Bryan will have to pay $16,847.47 as restitution under his plea agreement.