AT&T and T-Mobile were tricked into granting access to customer info by teenagers who weren't even coders
Looks like good conversation skills were all it took to be a top SIM swapper.
In August, 20-year-old Noah Michael Urban was sentenced to 10 years in federal prison for a range of crimes, including SIM swapping. More details have now appeared about this cybercriminal, who deceived AT&T and T-Mobile employees to harm their customers.
Noah wasn't a hacker, but rather a highly skilled social engineer. He gained employee credentials to break into confidential systems. He stole information to gain unauthorized access to cryptocurrency accounts of victims.
In a long report published by Bloomberg, we are told about how easy it was for teenagers with no coding skills to conduct SIM swap attacks. These attacks allow criminals to transfer a victim's phone number to a SIM card they possess, allowing them to access multi-factor authentication codes, which are required to authenticate log-ins.
Born in 2004, Noah first heard of SIM swapping when he was 15, through people he met while playing Minecraft. He was well-versed in the art of tricking carrier employees to carry out his orders. He worked as a caller for Scattered Spider and was paid $3,000 by a gang leader in his first week by using his conversational skills to deceive victims into revealing personal information.
The teen wasn't cash-strapped and came from a fairly affluent family. The adrenaline rush that SIM swapping provided was hard to resist. His accomplices also gave the socially awkward kid a sense of community.
Noah was friends with Daniel Junk, who was sentenced last year for stealing millions of dollars in cryptocurrency using SIM swapping. They were part of a group known as the Com, which was affiliated with Scattered Spider.
Com members used to approach people they perceived as the "easiest-to-fool" AT&T and T-Mobile call center employees. They also hired kids to steal the iPads of phone store representatives.
Junk learned how to register his personal computer to T-Mobile's network and use remote-access software to access its SIM-activation tool. He would remain logged in for months, only losing access when T-Mobile kicked him out.
Noah was hired by Junk to call store staff and talk them into handing over their login details. He pretended to be an information technology employee on these calls, reading out from a script Junk prepared.
Eventually, Noah started employing his own callers, paying them anywhere between $60 and $1,000 for a successful login, depending on the level of security at the company they were breaking into. Those who convinced employees to install a remote-access tool were paid as much as $4,000.
By 2022, Noah was already a millionaire. The nature of his crimes continued to evolve until one of them finally led to a raid at his house and a year later, his arrest in 2024.
Cops seized nearly "$4 million in cryptocurrency, $100,000 in cash, and $100,000 worth of jewelry" from him. He was under the FBI's radar since 2021, when he was flagged as a "low-level participant in SIM swapping."
Even though he had no technical skills, he was recognized as one of the top swappers by law enforcement agencies. Investigators said he was adept at getting employees to swap phone numbers and obtaining sensitive information.
Noah was charged with hacking 13 companies, including AT&T, T-Mobile, and Verizon. He pleaded guilty, and his lawyer tried to defend him by claiming he was influenced by older co-conspirators, and that SIM swapping appeared more like a game than a serious crime to him. To make her point, the lawyer highlighted that even large corporations like AT&T and T-Mobile were outsmarted by teenage kids.
Noah apologized for his crimes, but that didn't move the judge enough to let him walk away after a few years in jail. He was sentenced to 10 years in prison.
It's not known whether Noah and Junk worked alongside the Canadian hacker and his accomplice who swindled T-Mobile customer Joseph "Josh" Jones out of millions of dollars of crypto.
With law enforcement tightening the noose around cybercriminals and carriers bolstering their security, customers shouldn't let the recent reports cause them anxiety.
In a long report published by Bloomberg, we are told about how easy it was for teenagers with no coding skills to conduct SIM swap attacks. These attacks allow criminals to transfer a victim's phone number to a SIM card they possess, allowing them to access multi-factor authentication codes, which are required to authenticate log-ins.
Noah was a member of the notorious cybercriminal group Scattered Spider, which attacked and extorted a dozen companies in the US and UK.
Born in 2004, Noah first heard of SIM swapping when he was 15, through people he met while playing Minecraft. He was well-versed in the art of tricking carrier employees to carry out his orders. He worked as a caller for Scattered Spider and was paid $3,000 by a gang leader in his first week by using his conversational skills to deceive victims into revealing personal information.
He was very, very good at tricking employees into swapping victim phone numbers and obtaining personal information on folks so he could commit crime.
–Douglas Olson, Special Agent in Charge
Com members used to approach people they perceived as the "easiest-to-fool" AT&T and T-Mobile call center employees. They also hired kids to steal the iPads of phone store representatives.
Junk learned how to register his personal computer to T-Mobile's network and use remote-access software to access its SIM-activation tool. He would remain logged in for months, only losing access when T-Mobile kicked him out.
Noah was hired by Junk to call store staff and talk them into handing over their login details. He pretended to be an information technology employee on these calls, reading out from a script Junk prepared.
Eventually, Noah started employing his own callers, paying them anywhere between $60 and $1,000 for a successful login, depending on the level of security at the company they were breaking into. Those who convinced employees to install a remote-access tool were paid as much as $4,000.
By 2022, Noah was already a millionaire. The nature of his crimes continued to evolve until one of them finally led to a raid at his house and a year later, his arrest in 2024.
Cops seized nearly "$4 million in cryptocurrency, $100,000 in cash, and $100,000 worth of jewelry" from him. He was under the FBI's radar since 2021, when he was flagged as a "low-level participant in SIM swapping."
Even though he had no technical skills, he was recognized as one of the top swappers by law enforcement agencies. Investigators said he was adept at getting employees to swap phone numbers and obtaining sensitive information.
...but there were Fortune 500 companies like AT&T and T-Mobile who were essentially tricked by a bunch of teenage kids.
–Kathryn Sheldon, Noah's lawyer
It's not known whether Noah and Junk worked alongside the Canadian hacker and his accomplice who swindled T-Mobile customer Joseph "Josh" Jones out of millions of dollars of crypto.
Follow us on Google News
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: