HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

International Police Bust SIM‑Swap Gang Behind Tens of Millions in Crypto Theft

Polish authorities, with U.S. partners, arrested four members of a SIM‑swap criminal ring that hijacked phone numbers and email accounts to steal cryptocurrency worth tens of millions of zlotys. The case underscores the importance of strong SOC 2 access‑control policies and continuous audit evidence for credential management.

LiveThreat™ Intelligence · 📅 June 26, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
helpnetsecurity.com

SIM‑Swapping Gang Arrested After International Operation Exposes Credential Theft and Crypto Fraud

What Happened — Polish cyber‑crime investigators, in coordination with the U.S. FBI and HSI, arrested four members of an organized group that used SIM‑swap attacks, social‑engineering, and custom tooling to hijack phone numbers, email accounts, and cryptocurrency exchange credentials. The operation enabled the theft of digital assets valued at tens of millions of zlotys and subsequent money‑laundering through personal and international payment accounts.

Why It Matters for Compliance & Audit Readiness

  • SIM‑swap attacks are a textbook example of credential compromise that bypasses traditional password controls, highlighting the need for robust SOC 2 Access Controls (CC6.1, CC6.2) and MFA enforcement.
  • Continuous monitoring of authentication logs and third‑party telecom relationships provides audit‑ready evidence that access‑control policies are being enforced and tested.
  • Demonstrating a documented incident‑response workflow for credential‑theft scenarios satisfies the SOC 2 “Security” principle and reduces audit‑finding risk.

Who Is Affected — Financial services (crypto exchanges), telecommunications providers, and any organization that relies on SMS‑based authentication or email for account recovery.

Recommended Actions

  • Review and tighten MFA policies: deprecate SMS‑based OTPs where possible, adopt authenticator apps or hardware tokens.
  • Implement continuous credential‑access monitoring (failed/successful logins, SIM change alerts) and retain logs for audit evidence.
  • Update incident‑response playbooks to include SIM‑swap detection, account‑recovery hardening, and coordination with telecom carriers.

Source: Help Net Security

Technical Notes — The gang leveraged specialized software and social‑engineering to infiltrate telecom‑partner infrastructure and employee email accounts, then performed SIM swaps to intercept SMS‑based OTPs and gain control of cryptocurrency exchange accounts. No specific CVE was disclosed; the attack vector centered on credential theft and telecom manipulation. Source: same as above

📰 Original Source
https://www.helpnetsecurity.com/2026/06/26/poland-sim-swap-gang-arrests-cryptocurrency-theft/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →