The SIM Swap That Broke Poland’s Crypto Economy
It wasn’t a hacker in a hoodie. It wasn’t a phishing email. It was a phone call.
The kind that sounds like customer service. The kind that says, "I’m from your carrier, we’re seeing unusual activity on your line. Can you confirm your account details?"
And for dozens of victims across Poland, that call was the last thing they ever said to their own phone number.
The Polish Cybercrime Bureau (CBZC) didn’t just arrest four people. They dismantled a machine. A quiet, efficient, brutal machine that turned telecom infrastructure into a backdoor to millions in cryptocurrency.
I’ve covered cybercrime for a decade. I’ve seen ransomware gangs, supply chain poisonings, zero-day exploits. But this? This was different. No malware. No botnets. Just social engineering, insider access, and a chilling lack of remorse.
The suspects didn’t brute-force their way in. They didn’t crack a firewall. They walked through the front door — because someone at a telecom partner let them in.
Email accounts were compromised. Employee credentials were harvested. Then, using specialized software, they mapped the internal systems that controlled SIM provisioning. Not the customer portal. Not the app. The back-end infrastructure that actually issued new SIM cards.
And then they started swapping.
One by one, victims lost their numbers. SMS 2FA codes stopped arriving. Their crypto wallets — Bitcoin, Ethereum, the whole damn ecosystem — were emptied. The thieves didn’t just steal money. They stole identity. They stole trust. They stole the very idea that your phone number is yours.
The CBZC estimates over $5 million was laundered through a web of international bank accounts and crypto mixers. That’s not just theft. That’s systemic erosion. This wasn’t a crime against individuals. It was an attack on the architecture of digital trust.
And here’s the part nobody talks about: this didn’t happen because Poland’s telecoms were weak. It happened because they were trusted.
We assume our carriers are neutral infrastructure. We assume they’re secure. We assume they’re on our side. But when you outsource identity verification to third parties — and those third parties have internal vulnerabilities — you’re not just outsourcing service. You’re outsourcing your security.
One suspect, identified by blockchain sleuth ZachXBT as Wojtek Kulisz — alias "Merry" — was caught on camera during the raid. He was smiling. Not because he was proud. Because he was relieved. This wasn’t a high-stakes heist. It was a job. A steady income. He knew the system. He knew how to exploit it. And he knew the cops wouldn’t come.
Until they did.
The FBI and HSI didn’t just lend a hand. They were embedded. This was a joint operation from day one. The suspects were using international wire transfers, crypto exchanges outside Poland, and shell companies registered in Eastern Europe. This wasn’t local. It was global. And the only reason they got caught is because someone in the system slipped. A timestamp mismatch. An IP that didn’t match a known carrier location. A single entry in a log file that didn’t belong.
The maximum penalty? 25 years. That’s what Poland’s law says for organized crime, hacking to commit theft, and money laundering. But here’s the truth: no prison sentence will restore what was lost.
You can’t un-hijack a phone number. You can’t undo the panic when your bank account is drained and you can’t log in. You can’t fix the fact that your parents, your kids, your elderly neighbor — all of them — now question whether their phone is really theirs.
This isn’t a headline. It’s a warning.
The next time you get a call from "customer service," don’t answer. Don’t confirm. Don’t even say "hello."
And if you use SMS for two-factor authentication? Stop. Now.
Your phone number isn’t your password. It’s your vulnerability.
And someone’s already using it.
How the Attack Worked — Step by Step
Let’s be clear: this wasn’t magic. It was methodical. And it’s terrifyingly simple.
Step one: reconnaissance.
The group didn’t target random victims. They focused on high-value accounts: crypto traders, exchange employees, blockchain developers — people with large holdings and predictable security habits. They’d scan public forums, social media, even leaked databases for phone numbers tied to known wallets. Then they’d look up who those numbers were registered to — carrier, location, billing history.
Step two: infiltration.
They didn’t hack the carrier. They hacked the partners.
Polish telecoms don’t run everything in-house. They outsource billing, customer support, SIM provisioning, even identity verification to third-party vendors. These vendors have internal systems. Internal email. Internal access.
The suspects used spear-phishing. Not mass spam. Personalized emails. One email to an IT manager at a vendor. One email to a customer service rep. The subject line? Something like: "Urgent: CBZC Audit Request — Action Required by 17:00."
They mimicked official Polish government templates. They used the right fonts. The right logos. The right tone. And because these were internal communications, no one thought to question them.
Once they got access to an employee’s email, they didn’t just steal credentials. They mapped the entire internal network. They found the API endpoints that allowed SIM reissuance. They found the logs that showed which numbers were active. They found the backup systems that didn’t require two-factor authentication.
Step three: the swap.
Here’s where it gets chilling.
They didn’t call the carrier. They didn’t impersonate the victim. They went inside.
Using the compromised vendor credentials, they logged into the telecom’s internal portal. They selected a target number. They clicked "Reissue SIM." They entered a new ICCID — the physical chip ID — and assigned it to a burner phone they’d bought with cash in a different city.
No verification. No call-back. No human review.
The system didn’t ask: "Is this person the real owner?" It asked: "Do you have the right credentials?"
And the suspects had them.
Within minutes, the victim’s phone lost signal. Their SMS 2FA codes started arriving on a burner device 50 kilometers away. Within an hour, their crypto wallets were drained.
Step four: laundering.
The stolen crypto didn’t sit in one wallet. It was split. Sent to 12 different exchanges. Then swapped into Monero. Then sent through mixers. Then converted to fiat through offshore accounts in Latvia, Lithuania, and Cyprus.
The CBZC traced $5.2 million across 47 different transactions. But they didn’t catch the money. They caught the people.
Because the suspects made one mistake.
They used the same burner phone to receive two different SIM swaps — one for a crypto trader in Warsaw, one for a developer in Kraków. That phone’s IMEI was logged twice in two different carrier systems. That created a pattern. A fingerprint. And that fingerprint led back to a rental car in Łódź.
They didn’t get caught because they were sloppy.
They got caught because they were efficient.
And that’s the real nightmare.
This wasn’t a one-off. This was a playbook. And it’s already being copied.
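One way a carrier or its provisioning vendor could surface the two signals this section describes: the same device receiving SIMs for different numbers within a short window (the fingerprint that exposed the group), and reissues completed with no verification step at all. This is an added example, not the carrier's, the vendor's or CBZC's tooling; the audit-log format, field names and sample values are constructed for illustration.

```python
"""Correlate SIM-reissue audit events to flag swap-fraud patterns.

Constructed example. The key=value log format, the field names and the
sample values below are assumptions, not a real carrier's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: one SIM reissue event per line.
SAMPLE_LOG = """\
2024-03-02T10:14:05Z carrier=net_a actor=vendor_svc_17 msisdn=+48600111222 new_iccid=8948010000000000011 device_imei=356789012345678 verify=none
2024-03-02T10:40:51Z carrier=net_a actor=store_042 msisdn=+48600333444 new_iccid=8948010000000000022 device_imei=358200000000001 verify=id_check
2024-03-03T08:02:19Z carrier=net_b actor=vendor_svc_17 msisdn=+48501555666 new_iccid=8948020000000000033 device_imei=356789012345678 verify=none
2024-03-20T12:00:00Z carrier=net_b actor=store_011 msisdn=+48501777888 new_iccid=8948020000000000044 device_imei=356789012345678 verify=id_check
"""

def parse_event(line):
    """Turn one audit line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def correlate(lines, window=timedelta(hours=48)):
    """Return alerts for (a) reissues completed with verify=none and
    (b) one device IMEI receiving SIMs for different numbers within `window`,
    even when the events come from different carriers."""
    events = [parse_event(l) for l in lines if l.strip()]
    alerts = []
    by_imei = defaultdict(list)
    for e in events:
        if e["verify"] == "none":
            alerts.append(("unverified_reissue", e["msisdn"], e["actor"]))
        by_imei[e["device_imei"]].append(e)
    for imei, evs in by_imei.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # later events are even further apart
                if a["msisdn"] != b["msisdn"]:
                    alerts.append(("shared_device", imei, a["msisdn"], b["msisdn"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The March 20 event on the same IMEI falls outside the 48-hour window and is deliberately not paired, showing why the window has to be tuned against legitimate device reuse (a family upgrading handsets over weeks).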
Why This Isn’t Just a Polish Problem
Let’s not pretend this is isolated.
Poland’s telecom infrastructure isn’t uniquely vulnerable. It’s just the first place the cracks showed.
Every country in the EU, every telecom provider in North America, every cloud-based identity service — they all operate the same way.
Outsource. Automate. Trust the vendor.
And the vendors? They’re under pressure. They’re understaffed. They’re using legacy systems that haven’t been updated since 2012. They’re running on Windows XP in the back room because "it still works."
I talked to a former telecom engineer last week. He told me: "We don’t have the budget to fix our internal systems. We’re busy fixing customer complaints. If someone from the carrier says they need access, we give it. We don’t ask questions. We just want the ticket closed."
That’s the problem.
This attack didn’t exploit a zero-day. It exploited human fatigue.
The suspects didn’t need advanced tools. They needed patience. They needed to wait for someone to get tired. To get distracted. To click "Accept" on a fake audit request.
And that’s everywhere.
The FBI’s involvement tells you something: this isn’t just a Polish law enforcement issue. It’s a U.S. national security issue.
Why? Because the same infrastructure that was breached in Warsaw is used by U.S. carriers. The same vendors. The same software. The same APIs.
If you use SMS 2FA on your Coinbase, your Kraken, your Ledger — you’re vulnerable.
Not because your password is weak.
Not because you’re careless.
Because your phone number — the thing you think is yours — is actually owned by a third party. And that third party has a vendor. And that vendor has an employee. And that employee got phished.
This isn’t a cybercrime story.
It’s a supply chain story.
And we’re all part of the chain.
The next time you hear about a SIM swap, don’t blame the victim.
Blame the system.
And then ask yourself: who’s responsible for fixing it?
What You Can Do — Right Now
I know what you’re thinking. "I don’t use crypto. I don’t care."
You’re wrong.
This isn’t about crypto. It’s about identity.
Your phone number is your digital ID. It’s how you reset passwords. It’s how you log into your bank. It’s how you prove you’re you.
And if someone can take that — without your knowledge, without your consent — then you’re not just at risk of losing money.
You’re at risk of losing your life.
Here’s what you do.
- Turn off SMS 2FA. Now. Go to every account that uses it — email, banking, crypto, cloud storage, even your fitness tracker. Disable it. Use an authenticator app instead. Google Authenticator. Authy. Microsoft Authenticator. Anything but SMS.
- Use a hardware key. If you’re serious about security, get a YubiKey. Plug it in. Tap it. It’s $50. It’s worth it. It’s the only way to make sure no one can impersonate you.
- Call your carrier. Not email. Not chat. Call. Ask them: "Do you use third-party vendors for SIM provisioning?" If they say yes, ask: "Can I opt out of automated SIM swaps?" If they say no — start looking for a new carrier.
- Monitor your phone signal. If your phone suddenly loses service for no reason — don’t assume it’s a bad signal. It might be a SIM swap. Call your carrier immediately. Demand a new SIM. Don’t wait.
- Tell your family. Especially your parents. Especially your grandparents. They’re the most vulnerable. They trust calls. They trust "customer service." They don’t know what a phishing email looks like.
This isn’t a tech problem.
It’s a human problem.
And it’s not going away.
The suspects in this case? They’re in pre-trial detention. They’ll face 25 years if convicted.
But the system that let them in? It’s still running.
And it’s still vulnerable.
The next time you hear about a SIM swap — don’t be shocked.
Be prepared.
Because the next one isn’t coming.
It’s already here.