Executive Summary
In June 2024, law enforcement agencies from multiple countries executed a coordinated operation that dismantled a large-scale SIM box fraud network. This criminal enterprise facilitated the use of SIM boxes—devices housing dozens or hundreds of SIM cards—to provide fake phone numbers from over 80 countries to criminals. The network enabled anonymous communications for threat actors, facilitating various cybercrimes such as phishing, scams, and the circumvention of telecommunication safeguards. The takedown targeted both the technical infrastructure and the operators, disrupting ongoing fraudulent operations and preventing further abuse.
This operation underscores an increased focus among law enforcement on telecom fraud infrastructure, which has proliferated alongside the rise in organized cybercrime and financial scams leveraging global communications. Recent trends show cybercriminals rapidly adopting new tools like SIM farms for voice spoofing, making such police action both timely and necessary.
Why This Matters Now
SIM box fraud not only enables large-scale financial crimes and social engineering attacks but also undermines trust in digital communications. The rapid evolution of telecom abuse platforms and their links to global fraud rings highlight an urgent need for enhanced detection, policy enforcement, and international collaboration.
Attack Path Analysis
The adversaries established infrastructure to enable SIM box fraud by compromising cloud and telecom resources, likely leveraging exposed or weakly secured services. They escalated privileges to manage large pools of phone numbers and orchestrate multi-country fraud operations. Lateral movement enabled access across multiple cloud workloads and regions supporting global coverage. Command and control was maintained via encrypted management channels and covert traffic. Data and communications were exfiltrated to criminal ecosystems to facilitate ongoing fraud. Ultimately, the impact involved large-scale illicit telephony, fraud enablement, and financial loss across multiple countries.
Kill Chain Progression
Initial Compromise
Description
Attackers gained a foothold in cloud-based telecom or network infrastructure, likely exploiting misconfigurations or exposed management services to deploy SIM box nodes.
Related CVEs
CVE-2025-15099
CVSS 6.9
Improper authentication vulnerability in simstudioai sim up to version 0.5.27 allows remote attackers to bypass authentication via manipulation of the INTERNAL_API_SECRET.
Affected Products:
simstudioai sim – <= 0.5.27
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Acquire Infrastructure: Cellular Networks
Establish Accounts: Social Media Accounts
Compromise Accounts: Phone Numbers
Valid Accounts: Cloud Accounts
SIM Card Swap
Account Manipulation
Active Scanning: Wireless Scanning
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Respond to Suspected Fraud
Control ID: 12.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Cybersecurity Risk Management and Reporting
Control ID: Article 21
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Mitigate Illicit Account Creation and Use
Control ID: Identity Pillar: Prevent Account Abuse
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
SIM box fraud infrastructure directly targets telecom operators, enabling criminals to bypass legitimate routing and exploit encrypted traffic vulnerabilities across international networks.
Banking/Mortgage
Financial institutions face increased fraud risks from fake phone numbers used in identity verification, SMS authentication bypasses, and money laundering operations.
Law Enforcement
International criminal networks using SIM box infrastructure complicate investigations, requiring enhanced threat detection capabilities and cross-border coordination for effective enforcement.
Government Administration
Government agencies must implement stronger egress security and anomaly detection to prevent SIM box exploitation of citizen services and identity verification systems.
Sources
- International Sting Takes Down SIM Box Criminal Network – https://www.darkreading.com/cybersecurity-operations/international-sting-sim-box-criminal-network (Verified)
- Vilnius Criminal Police Operation Strikes SIM Box Network – https://vilnius.policija.lrv.lt/en/news/vilnius-criminal-police-operation-strikes-sim-box-network-VB9 (Verified)
- Large-scale SIM card scam group busted in Latvia – https://eng.lsm.lv/article/society/crime/17.10.2025-large-scale-sim-card-scam-group-busted-in-latvia.a618800/ (Verified)
- Massive International SIM Box Technology Cyber Fraud Busted In Andhra Pradesh – https://www.ndtv.com/andhra-pradesh-news/massive-international-sim-box-technology-cyber-fraud-busted-in-andhra-pradesh-9984336 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF capabilities such as Zero Trust Segmentation, East-West Traffic Security, egress policy enforcement, and threat detection would have limited unauthorized lateral movement, stopped covert command & control, and curtailed exfiltration, making it far more difficult to orchestrate or monetize SIM box fraud at scale.
Control: Zero Trust Segmentation
Mitigation: Unauthorized entry points segmented and blocked, reducing risk of compromise.
Control: Multicloud Visibility & Control
Mitigation: Attempts to escalate privileges detected and alerted on in real time.
Control: East-West Traffic Security
Mitigation: Internal propagation of attacker traffic blocked or alerted.
Control: Cloud Firewall (ACF)
Mitigation: Malicious external communications prevented via URL/FQDN filtering and signature-based inspection.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved data flows to external destinations blocked and audited.
Rapid detection and incident response to anomalous fraud indicators limited operational impact.
Impact at a Glance
Affected Business Functions
- Telecommunications
- Financial Services
- Online Platforms
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive customer data, including personal identification information and financial details, due to fraudulent activities facilitated by the SIM box network.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access to telecom and management resources in cloud environments.
- Enforce East-West Traffic Security and workload-level policy to prevent lateral movement by unauthorized users or applications.
- Deploy egress filtering and DNS/FQDN controls to block malicious outbound traffic and data exfiltration.
- Maintain continuous multicloud visibility and real-time anomaly detection for rapid threat response and compliance.
- Regularly audit and refine cloud firewall and privilege controls to minimize attack surfaces exploited by SIM box fraud networks.