
SIM-box operation enabling global telecom fraud dismantled

2 unique sources, 2 articles

Summary


European law enforcement dismantled a sophisticated cybercrime-as-a-service (CaaS) platform that operated a SIM farm, enabling over 49 million fake online accounts and facilitating over 3,200 fraud cases resulting in at least 4.5 million euros in losses. The service provided phone numbers for various telecommunication crimes, including phishing, investment fraud, impersonation, extortion, migrant smuggling, and the distribution of child sexual abuse material (CSAM). The operation, codenamed 'SIMCARTEL,' involved multiple countries and seized significant infrastructure and assets. The SIM-box service operated through two websites, gogetsms.com and apisim.com, which have been seized. The service rented out phone numbers registered in over 80 countries, enabling the creation of fraudulent online accounts. The operation resulted in the arrest of seven individuals, including five Latvian nationals, and the seizure of 1,200 SIM-box devices, 40,000 SIM cards, five servers, and luxury vehicles. Financial assets totaling EUR 431,000 and $333,000 in crypto were also frozen.

Timeline

  1. 17.10.2025 20:01 2 articles · 1d ago

    SIM-box operation enabling global telecom fraud dismantled

    The operation involved 26 searches, resulting in the arrest of seven suspects, including five Latvian nationals. The SIM farm network enabled the creation of over 49 million fake online accounts. The service facilitated over 1,700 cyber fraud cases in Austria and 1,500 in Latvia. The service offered telephone numbers registered in over 80 countries for criminal activities, including phishing, smishing, investment fraud, extortion, migrant smuggling, and the distribution of child sexual abuse material (CSAM). The service was marketed as a way to get fast and secure temporary phone numbers for over 160 online services and allowed users to monetize existing SIM cards. The platform was designed for anonymous communication and payments, impacting 3,200 people in various countries.


Similar Happenings

Crypto fraud ring dismantled by European authorities

A joint operation by European law enforcement agencies has dismantled a cryptocurrency investment fraud ring that defrauded over 100 victims of €100 million ($118 million). The operation, coordinated by Eurojust and supported by Europol, involved authorities from Spain, Portugal, Bulgaria, Italy, Lithuania, and Romania. The ring had operated since at least 2018, targeting investors across 23 countries, including France, Germany, Italy, and Spain. The fraudsters used professionally designed online platforms to promise high returns on cryptocurrency investments. Funds were funneled into bank accounts in Lithuania, and victims were charged additional fees to recover their assets. The fraudulent websites eventually went offline, leaving investors with significant losses. Five suspects were arrested, and bank accounts and financial assets were frozen during the operation. The main perpetrator has been accused of large-scale fraud and money laundering.

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected of collaborating with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.

Large-scale Phishing-as-a-Service (PhaaS) operation using expired domains on Google Cloud and Cloudflare

A large-scale phishing-as-a-service (PhaaS) operation has been operating undetected for over three years on Google Cloud and Cloudflare platforms. The campaign involved 48,000 hosts and more than 80 clusters using expired domains to impersonate high-profile brands, including Fortune 500 companies. The operation delivered malware and gambling content, exposing victims to credential theft and data breaches. The phishing sites were discovered to be using cloaking techniques to manipulate search engine rankings and hide illicit content. The operation involved multiple impersonations of major brands and utilized both Google Cloud and Cloudflare infrastructure. The campaign was discovered by Deep Specter Research, who found that the operation had been active since at least 2022, with the core infrastructure continuing to evolve.

VerifTools Fake-ID Marketplace Seized and Relaunched

Authorities in the Netherlands and the United States have seized the VerifTools marketplace, which sold fraudulent identity documents. Two domains and a blog were taken down, and $6.4 million in illicit proceeds were linked to the platform. However, the operators relaunched the service on a new domain. The VerifTools marketplace sold counterfeit driver's licenses, passports, and other identification documents. These documents could be used to bypass identity verification systems and gain unauthorized access to online accounts. The FBI began investigating the service in 2022 after discovering a criminal operation to leverage stolen identities to access cryptocurrency accounts. The seizure involved the confiscation of physical and virtual servers in Amsterdam. The Dutch National Police described VerifTools as one of the largest providers of false identity documents, which could be used for various fraudulent activities, including bank helpdesk fraud and phishing.

Cybercriminals exploit Lovable vibe coding service for malicious websites

Cybercriminals are increasingly abusing the Lovable vibe coding service to create malicious websites for phishing attacks, crypto scams, and other threats. Proofpoint researchers have identified tens of thousands of Lovable URLs involved in malicious activities since February 2025. The service, launched in late 2024, has been used to generate convincing and effective websites in minutes, lowering the barrier of entry into cybercrime. Lovable, based in Stockholm, Sweden, has been targeted by multiple campaigns leveraging its AI-powered platform to distribute MFA phishing kits, malware, and phishing kits targeting credit card and personal information. The company has responded by implementing new security protections, including Security Checker 2.0, an AI-powered platform safety program, and taking down hundreds of malicious domains. Since February, cybersecurity company Proofpoint observed tens of thousands of Lovable URLs that were delivered in email messages and were flagged as threats. Four malicious campaigns have been identified, including a large-scale operation using the phishing-as-a-service platform Tycoon, a payment and data theft campaign impersonating UPS, a cryptocurrency theft campaign impersonating Aave, and a malware delivery campaign distributing the remote access trojan zgRAT. Additionally, DPRK hackers have leveraged ClickFix-style lures to deliver BeaverTail and InvisibleFerret malware, targeting marketing and trader roles in cryptocurrency and retail sector organizations. The campaign uses a fake hiring platform web application created using Vercel to distribute the malware, which is delivered in the form of a compiled binary for Windows, macOS, and Linux systems.