This past week, Red Sky Alliance conducted a webinar detailing the US Secret Service take down of a SIM related espionage campaign during a recent United Nations session in New York City. Well, the use of SIM farms and cards are also occurring in other parts of the World. On 10 October 2025, in Latvia, the arrests of five cyber-criminals of Latvian nationality and the seizure of infrastructure were conducted. The infrastructure was used to enable crimes against thousands of victims across Europe. During the operation codenamed ‘SIMCARTEL’, law enforcement arrested two further suspects, took down five servers and seized 1 200 SIM box devices alongside 40,000 active SIM cards. Investigators from Austria, Estonia and Latvia, together with their colleagues at Europol und Eurojust, were able to attribute to the criminal network more than 1 700 individual cyber fraud cases in Austria and 1 500 in Latvia, with a total loss of several million euros. The financial loss in Austria alone amounts to around EUR 4.5 million, as well as EUR 420 000 in Latvia.[1]
See past report: https://redskyalliance.org/xindustry/the-secret-service-hunt-for-llm-enabled-malware
The criminal network and its infrastructure were technically and highly sophisticated which enabled perpetrators around the world to use this SIM-box service to conduct a wide range of telecommunications-related cybercrimes, as well as other crimes. The online service created by the criminal network offered telephone numbers registered to people from over 80 countries for use in criminal activities. It allowed perpetrators to set up fake accounts for social media and communication platforms, which were subsequently used in cybercrimes while obscuring the perpetrators’ true identity and location.
Results of the law enforcement actions on 10 October:
- 26 searches carried out;
- 5 individuals arrested;
- approximately 1200 SIM-box devices seized which operated 40 000 SIM cards;
- hundreds of thousands of further SIM cards seized;
- 5 servers with infrastructure of the illegal service seized;
- 2 websites (gogetsms.com and apisim.com) offering the illegal service taken over by law enforcement and “splash pages” displayed;
- EUR 431 000 in suspects’ bank accounts frozen;
- USD 333 000 in suspects’ crypto accounts frozen;
- 4 luxury vehicles seized.
The true scale of this network is still being uncovered. Measured by volume, more than 49 million online accounts were created on basis of the illegal service provided by suspects. The damage caused by the renters of the telephone numbers to their victims amounts to several million euros.
Enabling a multitude of serious crimes - The criminal network offering this service enabled its clients to commit a multitude of serious crimes that would not have been possible at all without masking the perpetrators’ identities. ‘Phishing’ and ‘smishing’ are methods applied by criminals to gain access to victims’ e-mail and banking accounts. Phishing is a cybercrime where attackers pose as trusted sources through emails, calls, texts, or websites to steal sensitive data like passwords, bank details or credit card numbers, often leading to identity theft, financial loss or malware infections. Smishing is a subtype of phishing carried out via text messages, typically disguised as urgent notices from legitimate sources to trick victims into clicking malicious links or sharing personal information.
Other offences facilitated by this criminal service include fraud, extortion, migrant smuggling and the distribution of child sexual abuse material. Some examples-by no means an exhaustive list-of the criminal activities enabled by the network’s offerings are:
- Fraud on online second-hand marketplaces
- Some perpetrators specialized in fraud on second-hand marketplaces. They used the SIM card service to create a vast number of fake accounts, which then served as starting points for fraud enabled by phishing and smishing.
- Daughter–son scam - This type of perpetrators contacts victims via WhatsApp, posing as a daughter or son and claiming to have a new phone number. Citing alleged spontaneous accidents or emergencies and evoking panic with the victim, they demand urgent payments usually in the four-figure range.
- Investment fraud - Victims are usually contacted by telephone and encouraged to deposit larger sums and “invest.” The perpetrators often use remote-access software to gain access to the victim’s device.
- Fake shops and fake bank websites - Rented telephone numbers of the perpetrators were also used in the legal notice and alleged responsible-party details of fake shops and in calls connected to fake bank pages.
- Fake police officers - In this further large-scale phenomenon, the perpetrators used the telephone numbers to convince their mostly Russian-speaking victims of their legitimacy. This crime had an additional concerning element, as perpetrators posed as police officers with forged IDs and personally collected funds from the victims.
- Criminal sophistication and technical ingenuity - The now-dismantled criminal network undertook great efforts to provide its criminal clients with the requested service. This included the professional design and appearance of its website, which was taken offline by law enforcement during the action day. There was also the massive organisational effort of multiple accomplices acquiring thousands of SIM cards in almost 80 countries worldwide to be rented to other criminal organizations. As a side note: one of the main suspects behind this now-dismantled criminal structure had already been under investigation in Estonia for arson and extortion.
- Joint investigative effort - To prepare for the action day in Latvia, Eurojust and Europol leveraged their strengths to enhance the international law enforcement effort. They assisted in planning and administering the action day, with support from Joint Investigation Team partners Austria, Estonia and Latvia, as well as Finland. Europol deployed specialists to Riga to aid Latvian authorities, and both agencies provided financial support for technical equipment, travel and translation costs.
During the law enforcement operation, the technical infrastructure of the organized criminal network was dismantled in collaboration between Europol and the Shadowserver Foundation. A splash page was displayed on the landing page of the criminal service, which had been offering crime-as-a-service using foreign phone numbers for smishing and phishing. Europol provided analytical support, OSINT analysis for mapping the online criminal service and organized weekly meetings between law enforcement authorities, prosecutors and Eurojust desks. Europol also offered on-the-spot forensic support to secure digital evidence, took down the digital infrastructure and provided large file exchange services for transmitting data evidence.
Participating countries:
Austria: Federal Criminal Intelligence Service (Bundeskriminalamt), Criminal Investigation Department Salzburg (Landeskriminalamt Salzburg); Vienna Public Prosecutor's Office (Staatsanwaltschaft Wien)
Estonia: Estonian Police (Politsei); Northern District Prosecutor’s Office (Põhja ringkonnaprokuratuur)
Finland: Finnish Police (Poliisi); National Cyber-enabled Crimes Unit (NCCU Finland); National Bureau of Investigation (Keskusrikospoliisi)
Latvia: Latvian State Police (Valsts policija); Rīga Judicial Region Prosecution Office (Rīgas tiesas apgabala prokuratūra); Rīga Northern Prosecution Office (Rīgas Ziemeļu prokuratūra)
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.europol.europa.eu/media-press/newsroom/news/cybercrime-service-takedown-7-arrested
Comments