SIM swapper gets 8 years in prison for account hacks, crypto theft

Amir Hossein Golshan, 25, was sentenced to eight years in prison by a Los Angeles District Court and ordered to pay $1.2 million in restitution for crimes involving SIM swapping, merchant fraud, support fraud, account hacking, and cryptocurrency theft.

Golshan pleaded guilty on July 19, 2023, for hijacking the Instagram account of a prominent social media influencer. He also confessed to carrying out a series of schemes from April 2019 to February 2023.

"From at least April 2019 to February 2023, Golshan knowingly executed multiple online schemes to defraud hundreds of victims through various online scams and unauthorized intrusions into victims' digital accounts, including social media account takeovers, Zelle payment fraud, and impersonating Apple support," reads the U.S. Department of Justice announcement.

"In total, Golshan's entire scheme caused approximately $740,000 in losses to hundreds of victims over several years."

Golshan attempted to hide his identity by using VPN (virtual private network) tools and multiple account names. Over time, he reportedly honed his craft to orchestrate increasingly more sophisticated online crimes.

Through social engineering, Golshan convinced carriers, including T-Mobile, to transfer cell phone numbers from legitimate subscribers to his SIM cards. This allowed him to bypass SMS-based two-factor authentication (2FA) and hijack social media accounts.

In one high-profile case from December 2021, he hijacked the Instagram account of a Los Angeles-based model through SIM swapping after contacting her from a hijacked friend's account.

Next, he abused his access to the account by using it to message many of her friends, asking them to send money to Zelle and PayPal accounts he controlled.

Additionally, Golshan extorted the model for $2,000, threatening to delete the social media account he had hijacked.

In other cases, Golshan advertised Instagram verification services, duping victims into sending him payments ranging from $300 to $500 in exchange for a verification badge on their accounts.

Through the above schemes, it is estimated that Golshan made $82,000 from roughly 500 victims.

Later, in August 2022, the prolific scammer posed as Apple Support personnel to gain unauthorized access to Apple iCloud accounts.

He deceived victims into believing he would enhance their account security, tricking them into sharing their six-digit security code, enabling the scammer to bypass existing protections.

By accessing other people's iCloud storage, Golshan was able to steal digital assets, including $319,000 worth of NFTs and $70,000 worth of cryptocurrency. The scammer resold these assets on an NFT marketplace within 24 hours for $130,000.

To defend against SIM swapping attacks, activate number porting security on your carrier, use a physical security key or authenticator app instead of SMS, and limit the sensitive information you share online.

The Federal Communications Commission (FCC) has recently adopted new rules to protect consumers from SIM-swapping attacks, making fraudulent number transfers harder.