Poland Arrests Four in SIM-Swap Gang That Stole Millions in Crypto
Polish police and the FBI arrested four people on 25 June after a joint investigation into a SIM-swapping network that drained cryptocurrency exchange accounts by compromising telecom partner systems. Prosecutors put the laundered total at over five million US dollars.
By SecureBusinessHub Editorial, International cybersecurity desk
Polish police arrested four members of a SIM-swapping network on 25 June 2026 after a joint investigation with the FBI and US Homeland Security Investigations. The group used social engineering and purpose-built software to compromise systems at companies with partner access to telecom infrastructure, redirected victims' phone numbers to SIM cards they controlled, intercepted SMS authentication codes, and drained cryptocurrency exchange accounts. Prosecutors put the laundered total at an amount equivalent to over five million US dollars.
How the operation worked
The four did not break into mobile carriers directly. They targeted companies that process number portability requests on carriers' behalf, using a mix of social engineering and specialised software to get inside those partner systems. Once they had redirected a victim's number to a SIM card they controlled, any SMS the victim's bank or crypto exchange sent for authentication went to the gang instead. From there the process was simple: request a password reset, intercept the code, log in, and transfer funds.
Blockchain investigator ZachXBT identified one suspect as Wojtek Kulisz, online handle Merry, based on imagery from police raid footage. All four face charges of participating in organised crime, computer-facilitated theft, and money laundering. The maximum penalty under Polish law is 25 years.
The risk is not limited to crypto accounts
Any account protected only by SMS-based authentication carries the same exposure. That includes business bank accounts, company email administrator accounts, payroll portals, domain registrars, and any service where a password reset code arrives by text message. A business owner with a public LinkedIn profile gives an attacker enough detail to impersonate them convincingly to a telecom partner employee.
Steps to cut your SIM-swap exposure
- Audit every business account that relies on SMS for two-factor authentication or password reset. Prioritise business banking, company email admin, payroll systems, and your domain registrar. Switch each to an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) or, for higher-risk accounts, a hardware security key.
- Call your business mobile provider and ask whether they offer a SIM lock or port freeze that requires a secondary PIN before your number can be ported. Many carriers provide this free of charge.
- If your business uses VoIP numbers to receive authentication codes, stop. VoIP numbers are significantly easier to reroute than physical SIM numbers. Move those accounts to a TOTP authenticator app or a hardware key.
- Ask your business bank whether they can flag your accounts to require in-branch or telephone-verified consent before acting on any instruction to change registered contact details or approve a large transfer.
- Remove phone numbers as account recovery options wherever an authenticator app is available. On Google: myaccount.google.com > Security > 2-Step Verification. On Microsoft 365: the Security info panel under your account settings.
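The audit in the steps above can be run over an exported account inventory. The following is an added example, not part of the original article: the CSV column names, the sample rows, and the mapping of the four prioritised account types to "higher-risk" are assumptions made for illustration.

```python
import csv
import io

# Constructed inventory; column names and rows are assumptions for this example.
SAMPLE_INVENTORY = """service,category,second_factor,recovery_phone,number_type
Business bank,banking,sms,yes,mobile
Mail admin console,email_admin,totp,yes,mobile
Payroll portal,payroll,sms,no,voip
Domain registrar,domain_registrar,hardware_key,no,
Team wiki,other,sms,yes,mobile
Design tool,other,none,no,
"""

# The four account types the article says to prioritise (treated here as higher-risk).
HIGH_RISK = {"banking", "email_admin", "payroll", "domain_registrar"}


def audit(inventory_csv):
    """Return accounts a redirected phone number could take over, worst first."""
    findings = []
    for raw in csv.DictReader(io.StringIO(inventory_csv)):
        row = {k: (v or "").strip().lower() for k, v in raw.items()}
        high = row["category"] in HIGH_RISK
        issues, actions = [], []
        if row["second_factor"] == "sms":
            issues.append("SMS second factor")
            actions.append("switch to " + ("hardware security key" if high
                                           else "authenticator app"))
        if row["recovery_phone"] == "yes":
            issues.append("phone number set as recovery option")
            actions.append("remove phone recovery")
        if issues and row["number_type"] == "voip":
            issues.append("codes delivered to a VoIP number")
        if issues:  # accounts with no phone dependency are out of scope here
            findings.append({"service": raw["service"].strip(), "high_risk": high,
                             "issues": issues, "actions": actions})
    # Prioritised account types first, then accounts with the most issues.
    findings.sort(key=lambda f: (not f["high_risk"], -len(f["issues"])))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        tag = "HIGH" if f["high_risk"] else "low"
        print(f"[{tag}] {f['service']}: {'; '.join(f['issues'])}"
              f" -> {'; '.join(f['actions'])}")
```

An account that already uses an authenticator app still appears in the output if a phone number remains as a recovery option, because a password reset sent by text bypasses the stronger second factor.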
The Polish operation is part of a broader enforcement push. US and European authorities have arrested multiple SIM-swapping groups since 2024, often with losses running into eight figures. The FBI's involvement here reflects how often the victims and the money are American even when the suspects are based elsewhere.