European law enforcement dismantled and seized an expansive cybercrime operation used to facilitate phishing attacks via mobile networks for fraud, including account intrusions, credential and financial data theft, Europol said Friday.

Investigators from Austria, Estonia and Latvia linked the cybercrime networks to more than 3,200 fraud cases, which also involved investment scams and fake emergencies for financial gain. Financial losses amounted to about $5.3 million in Austria and $490,000 in Latvia, authorities said.

The operation dubbed “SIMCARTEL” netted seven arrests and the seizure of 1,200 SIM box devices, which contained 40,000 active SIM cards that were used to conduct various cybercrimes over telecom networks. Officials described the infrastructure as highly sophisticated, adding that the online service it supported provided telephone numbers for criminal activities to people in more than 80 countries.

“It allowed perpetrators to set up fake accounts for social media and communications platforms, which were subsequently used in cybercrimes while obscuring the perpetrators’ true identity and location,” Europol said in a news release.

The law enforcement operation largely occurred Oct. 10 in Latvia, spanning 26 searches that also resulted in the seizure of hundreds of thousands of additional SIM cards, five servers and two websites. Officials also seized four luxury vehicles and froze a combined $833,000 in suspects’ bank and cryptocurrency accounts. 

Europol said the full scale of the cybercrime network is still under investigation, but they’ve already traced the operation to more than 49 million accounts that were created and provided by the suspects. 

The services provided by the cybercriminal organization were also allegedly used to commit extortion, migrant smuggling and various scams involving second-hand marketplaces, fake investments, shops and websites. 

The coordinated takedown underscored the global prevalence of SIM farms, which allow cybercriminals to conduct and sell services for scams and various criminal activities via mobile network infrastructure. The Secret Service last month disrupted a network of electronic devices in the New York City area that included more than 300 servers and 100,000 SIM cards spread across multiple sites in the region. 

Unit 221B on Thursday warned that SIM boxes and SIM farms are growing rapidly, placing any phone user, bank, network carrier or retailer at risk. Ben Coon, Unit 221B’s chief intelligence officer, has identified at least 200 SIM boxes operating across dozens of locations across the United States, the company said on LinkedIn.

Europol published a video of the Latvian police takedown: ​​https://youtu.be/Z-ImysXws-0

The post Europol dismantles cybercrime network linked to $5.8M in financial losses appeared first on CyberScoop.

Vietnamese-speaking hackers are carrying out a “highly evasive, multi-stage operation” to steal information from thousands of victims in more than 62 countries, researchers said in a report published Monday.

The attackers emerged late last year but have evolved with novel techniques this year, with SentinelLABS of SentinelOne and Beazley Security ultimately identifying 4,000 victims, most commonly in South Korea, the United States, the Netherlands, Hungary and Austria.

“The evolving tradecraft in these recent campaigns demonstrates that these adversaries have meticulously refined their deployment chains, making them increasingly more challenging to detect and analyze,” reads the report.

In particular, attacks just last month demonstrated tailored capabilities to bypass antivirus products and mislead security operations center analysts, according to the companies.

The hackers’ motives, apparently, are financial in nature.

“The stolen data includes over 200,000 unique passwords, hundreds of credit card records, and more than 4 million harvested browser cookies, giving actors ample access to victims’ accounts and financial lives,” according to the two companies.

The hackers have been known to make money off the stolen data through “a subscription-based ecosystem that efficiently automates resale and reuse” through the Telegram messaging platform. It’s sold to other cybercriminals who then engage in cryptocurrency theft or purchase access to infiltrate victims, the report states.

The infostealer they use, PaxStealer, first garnered the attention of cybersecurity analysts after Cisco Talos published a report on it last November. Cisco Talos concluded that the hackers were targeting governmental and educational organizations in Europe and Asia.

Both the November report and Monday’s report identified clues in the infostealer’s coding of the hackers’ use of the Vietnamese language. Cisco Talos wasn’t sure in the fall whether the attackers were affiliated with the CoralRaider group that materialized in early 2024, or another Vietnamese-speaking group.

Jim Walter, a senior threat researcher for SentinelOne, told CyberScoop the group was “a long-standing actor” and “appears to be out of Vietnam,” but “beyond that analysis is ongoing and we’ll refrain from further [attribution] comments on the specific actor. It’s the same actor that has been highlighted by Cisco Talos and others as well.”

In the activity highlighted in Monday’s report, Walter said the targeting “seems wide and indiscriminate / opportunistic. Corporate and home users, whole spectrum of ‘user types.’”
Other Vietnamese hackers have been known to target activists inside the country with spyware, lace AI generators with malware or carry out ransomware attacks.

The post ‘Highly evasive’ Vietnamese-speaking hackers stealing data from thousands of victims in 62+ nations appeared first on CyberScoop.