$794K SIM swap hacker PlugwalkJoe sentenced to 5 years in prison

The hacker managed to steal $794,000 worth of crypto from an exchange via a SIM swap attack on an executive, but didn’t cover his tracks well.

British Hacker Joseph O’Connor, also known online as PlugwalkJoe, has been sentenced to five years in a United States prison for his role in stealing $794,000 worth of cryptocurrency via a SIM swap attack on a crypto exchange executive in April 2019.

O’Connor was initially arrested in Spain in July 2021 and was extradited to the U.S. on April 26, 2023. In May, he pled guilty to a slew of charges relating to conspiracy to commit computer intrusions, conspiracy to commit wire fraud and conspiracy to commit money laundering — to name a few.

plugwalkjoe is getting his sentence in 5 days, so it’s time to bring this gem back pic.twitter.com/OOBqD2FaFA

— rip @ironic (@ripironic) June 18, 2023

The prison sentence was highlighted in a June 23 statement from the U.S. Attorney’s Office for the Southern District of New York.

“In addition to the prison term, O’Connor was sentenced to three years of supervised release. O’Connor was further ordered to pay $794,012.64 in forfeiture,” the statement reads.

The hacked crypto exec has not been named; however, after SIM swapping them, O’Connor gained unauthorized access to accounts and computing systems belonging to the exchange where the exec worked.

“After stealing and fraudulently diverting the stolen cryptocurrency, O’Connor and his co-conspirators laundered it through dozens of transfers and transactions and exchanged some of it for Bitcoin using cryptocurrency exchange services.”

“Ultimately, a portion of the stolen cryptocurrency was deposited into a cryptocurrency exchange account controlled by O’Connor,” the statement adds.

O’Connor’s sentence also covers offenses relating to the major Twitter hack of July 2020, which ultimately fetched him and his crew around $120,000 worth of ill-gotten crypto gains.

1/ Time for a story that combines the craziness of crypto, the perils of hacking, and the consequences of shady actions. Buckle up as we explore the case of Joseph James O’Connor, aka PlugwalkJoe, the mastermind behind the infamous Twitter hack of July 2020!#Crypto

— Crypto Camel (@CamelChronicles) June 24, 2023

The hackers deployed a series of “social engineering techniques” and SIM-swapping attacks to hijack around 130 prominent Twitter accounts, along with two large accounts on TikTok and Snapchat.

“In some instances, the co-conspirators took control themselves and used that control to launch a scheme to defraud other Twitter users. In other instances, the co-conspirators sold access to Twitter accounts to others,” the statement reads.

As part of this scheme, O’Connor attempted to blackmail the Snapchat victim by threatening to publicly release private messages if they didn’t make posts promoting O’Connor’s online persona.

Additionally, O’Connor also “stalked and threatened” a victim, and “orchestrated a series of swatting attacks” on them by falsely reporting emergencies to authorities.

SIM swaps are still a big issue

A SIM swap attack involves a bad actor taking control of a victim’s phone number by linking it to another sim card controlled by them.

As a result, the bad actors can re-route the victim’s calls and messages to a device controlled by them, gaining access to any accounts for which the victim uses SMS-based two-factor authentication.

The scheme is generally used to dupe followers of prominent accounts into clicking phishing links that ultimately end up swiping their crypto assets.

Related: Darknet hackers are selling crypto accounts for as low as $30 a pop

Despite O’Connor’s antics occurring roughly three years ago, SIM-swapping attacks continue to be a significant issue in the crypto sector.

Earlier this month, blockchain sleuth ZachXBT identified a group of scammers that SIM-swapped at least eight accounts belonging to well-known figures in crypto, including Pudgy Penguins founder Cole Villemain, DJ and NFT collector Steve Aoki and Bitcoin Magazine editor Pete Rizzo.

According to ZachXBT, the group stole almost $1 million by promoting phishing links from the hacked accounts.

Magazine: ‘Moral responsibility’ — Can blockchain really improve trust in AI?