How can individuals protect themselves from SIM-swapping attacks?

Individuals can protect themselves by using authentication methods that do not rely on SMS, such as hardware-based authenticators or app-based authenticators, and by setting up additional security measures with their mobile carriers.

What role did international cooperation play in this case?

International cooperation was crucial, with Polish authorities collaborating with the FBI and Homeland Security Investigations to apprehend the suspects and address the cross-border nature of the cybercrime.

Poland's Crackdown on SIM-Swap Crypto Theft: A 2026 Case Study

In June 2026, a joint operation between Polish authorities and U.S. agencies led to the arrest of four individuals involved in a SIM-swapping scheme that stole and laundered millions in cryptocurrency.

Published: June 26, 2026

Share this on:

Executive Summary

In June 2026, Polish authorities, with support from the FBI and Homeland Security Investigations, arrested four individuals involved in a sophisticated SIM-swapping scheme targeting cryptocurrency exchanges. The perpetrators breached IT systems of entities collaborating with telecom operators, using specialized software and social engineering to access employee email accounts. This enabled them to hijack victims' phone numbers, intercept SMS messages, and gain control over cryptocurrency exchange accounts, resulting in the theft and laundering of digital assets exceeding tens of millions of Polish zloty. (thecoinomist.com)

This incident underscores the escalating threat of SIM-swapping attacks in the cryptocurrency sector, highlighting the need for enhanced security measures beyond SMS-based two-factor authentication. The collaboration between Polish authorities and U.S. agencies reflects the global nature of cybercrime and the importance of international cooperation in combating such threats.

Why This Matters Now

The rise in SIM-swapping attacks targeting cryptocurrency assets emphasizes the urgency for individuals and organizations to adopt more secure authentication methods and for telecom providers to strengthen their security protocols to prevent unauthorized number transfers.

Attack Path Analysis

The attackers initially compromised telecommunications partners and employee email accounts through social engineering and specialized software. They escalated privileges by gaining unauthorized access to internal systems, enabling them to manipulate SIM card assignments. Utilizing this access, they moved laterally within the network to intercept SMS messages and email communications. They established command and control by maintaining persistent access to compromised accounts. The attackers exfiltrated sensitive data, including authentication codes, to gain control over victims' cryptocurrency exchange accounts. Ultimately, they laundered the stolen funds through a distributed financial network, resulting in significant financial losses.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

High

Command & Control

High

Exfiltration

High

Impact

High

Initial Compromise

Description

Attackers used social engineering and specialized software to gain unauthorized access to telecommunications partners and employee email accounts.

Confidence:

High

MITRE ATT&CK® Techniques

Initial Access

T1451

SIM Card Swap

Defense Evasion

T1078

Valid Accounts

Initial Access

T1566

Phishing

Command and Control

T1071

Application Layer Protocol

Discovery

T1083

File and Directory Discovery

Exfiltration

T1041

Exfiltration Over C2 Channel

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Multi-Factor Authentication

Control ID: 8.3.6

The use of SMS-based authentication, susceptible to SIM swapping, violates the requirement for secure multi-factor authentication methods.

NYDFS 23 NYCRR 500 – Multi-Factor Authentication

Control ID: 500.12

Failure to implement robust multi-factor authentication mechanisms exposes systems to unauthorized access through SIM swapping attacks.

DORA – ICT Risk Management Framework

Control ID: Article 6

Inadequate protection against SIM swapping indicates deficiencies in the ICT risk management framework required to ensure operational resilience.

CISA ZTMM 2.0 – Identity and Access Management

Control ID: 3.1

Reliance on vulnerable authentication methods like SMS undermines the principles of zero trust identity and access management.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident highlights a lack of appropriate technical measures to manage cybersecurity risks, as required by the directive.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Telecommunications

Direct infrastructure breach enabling SIM-swapping attacks through compromised telecom partners, requiring enhanced zero trust segmentation and east-west traffic security controls.

Financial Services

Cryptocurrency exchange account takeovers via SIM-swapping resulted in millions stolen, demanding stronger egress security and encrypted traffic protection for digital assets.

Computer/Network Security

Sophisticated social engineering and specialized software attacks highlight need for enhanced threat detection, anomaly response, and multicloud visibility capabilities across security infrastructure.

Banking/Mortgage

Multi-jurisdictional money laundering through distributed financial networks exposes banks to compliance violations, requiring improved transaction monitoring and policy enforcement mechanisms.

Sources

Poland busts SIM-swapping gang tied to millions in crypto thefthttps://www.bleepingcomputer.com/news/security/poland-busts-sim-swapping-gang-tied-to-millions-in-crypto-theft/
Verified

Polish police raid alleged crypto SIM-swap gang with FBI supporthttps://cryptobriefing.com/polish-police-crypto-sim-swap-gang-fbi/

Verified

Four arrested in Poland over crypto SIM-swap attacks; ZachXBT links 'Merry' to casehttps://www.theblock.co/post/406159/four-arrested-poland-sim-swap-attacks-crypto-exchanges-zachxbt-social-engineering-threat-merry

Verified

Frequently Asked Questions

A SIM-swapping attack involves fraudulently transferring a victim's phone number to a SIM card controlled by an attacker, allowing them to intercept calls and messages, including two-factor authentication codes.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit compromised accounts may be constrained, reducing the likelihood of unauthorized access to internal systems.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges may be limited, reducing the risk of unauthorized control over critical systems.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally within the network may be constrained, reducing the risk of unauthorized access to sensitive communications.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to maintain persistent access may be limited, reducing the risk of ongoing unauthorized control over communications.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data may be constrained, reducing the risk of unauthorized data transfer.

Impact (Mitigations)

The attacker's ability to launder stolen funds may be limited, reducing the risk of significant financial losses.

Impact at a Glance

Affected Business Functions

Cryptocurrency Exchange Operations
User Account Management
Financial Transactions Processing

Operational Disruption

Estimated downtime: 7 days

Financial Impact

Estimated loss: $5,000,000

Data Exposure

Unauthorized access to user accounts and potential exposure of personal and financial information.

Recommended Actions

• Implement Zero Trust Segmentation to restrict lateral movement within the network.
• Enforce Multi-Factor Authentication (MFA) for all employee accounts to prevent unauthorized access.
• Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
• Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration.
• Conduct regular security awareness training to educate employees on social engineering tactics and phishing attempts.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Poland's Crackdown on SIM-Swap Crypto Theft: A 2026 Case Study

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

SIM Card Swap

Valid Accounts

Phishing

Application Layer Protocol

File and Directory Discovery

Exfiltration Over C2 Channel

Potential Compliance Exposure

PCI DSS 4.0 – Multi-Factor Authentication

NYDFS 23 NYCRR 500 – Multi-Factor Authentication

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity and Access Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Telecommunications

Financial Services

Computer/Network Security

Banking/Mortgage

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads