SIM swap, cryptocurrency busts highlight new frontier for Bay Area tech cops
September 10, 2018
Standing near the LAX security check, Santa Clara County Sheriff’s Sgt. Samy Tarazi waited for the suspected bitcoin thief to emerge.
He had been tracking the 20-year-old Boston college student for months and now Tarazi and his team were about to make one of the first arrests of its kind in the country.
When his investigation started, Tarazi knew little of the famed cryptocurrency or notorious SIM swapping tactic that hackers use to take over people’s smartphones — and essentially their digital lives.
He learned on the fly after a Bay Area bitcoin investor reported a theft earlier this year. Now here he was watching Joel Ortiz appear from behind the security line, decked out in Gucci clothing, flashing the lavish lifestyle — including posh mansion rentals — that he reportedly enjoyed thanks to the millions of dollars he is charged with pilfering from more than a dozen victims from the Bay Area to Southern California.
“These are kids with millions in their pockets for five minutes of work,” Tarazi said. “In this case, the suspects weren’t covering their tracks incredibly well.”
Tarazi is a detective for the Santa Clara County-based Regional Enforcement Allied Computer Team — one of a small number of similar task forces in the country. There are only five in California where local law enforcement officers take on sophisticated tech crimes that historically have been the domain of federal agencies like the FBI or U.S. Secret Service.
“Right now when you’re a victim, in most cases when you go to local law enforcement, they’re not going to do much for you,” said Professor Lorrie Faith Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University. “Maybe if there’s a physical store where the SIM swapping is happening, but short of that, they don’t seem to get involved.”
Deputy District Attorney Erin West said the REACT task force is one example of local police and prosecutors trying to turn that tide.
“These crimes can happen to anyone who has a cell phone. It’s invasive,” she said. “REACT is really on the forefront of having investigatory skills and personnel to be able to handle a crime like this, that is so widespread but not prosecuted nearly as much as it should be.”
In SIM swapping, a hacker convinces a mobile phone carrier to transfer access of a targeted person’s phone number from the registered SIM card — the small portable chip that houses identification information connecting an account to the cell network — to another SIM card the hacker provides. In some reported cases, a suspect had inside connections at the carrier and took over a phone that way.
But numerous phone takeovers have occurred when a hacker impersonated the account holder, answering the carrier’s verification questions by combing through a person’s social media and other readily available public information. Phishing emails and chain-style posts on Facebook are common ways to elicit that information from people.
Once an intruder transfers SIM access, the victim’s phone immediately deactivates. Some of the reported victims of Ortiz and his alleged accomplice — 19-year-old Tracy native Xzavyer Narvaez — noticed a lapse in service, but did not report it because they weren’t hacked, at least initially.
Being able to send and receive texts as a person becomes a skeleton key, allowing an impersonator to circumvent digital security barriers to banking, social media and cryptocurrency accounts.
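The takeover path described above can be modelled in a few dozen lines, which makes the defensive point concrete: an account whose password reset or login step-up trusts an SMS code alone is owned by whoever holds the SIM, so the attacker who completed the swap at the store passes the check exactly as the real owner would. The Python below is an added example written for this page, not code from the article, REACT or any carrier. It is a simulation: the `Carrier` object, its `sim_changed_within` lookup and all subscribers, accounts and timestamps are constructed stand-ins (real carriers and some aggregators expose SIM-change signals, but the method name here is hypothetical). It contrasts the SMS-only reset with a hardened one that refuses SMS as the sole factor, requires an authenticator (TOTP) code, and treats a SIM change within a cooldown window as a high-risk signal that holds sensitive actions.

```python
"""SIM-swap account-takeover model: SMS-only recovery beside a hardened flow.
All carriers, subscribers, accounts and times are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac
import secrets
import struct


@dataclass
class Subscriber:
    number: str
    holder: str              # constructed: who physically holds the active SIM
    sim_changed_at: datetime # when the carrier last moved the number to a new SIM


class Carrier:
    """Stand-in for a mobile carrier; `sim_changed_within` is a hypothetical lookup."""

    def __init__(self, subscribers):
        self.subs = {s.number: s for s in subscribers}

    def swap_sim(self, number, new_holder, when):
        # The step the article describes: the number is moved to a SIM the caller provides.
        sub = self.subs[number]
        sub.holder, sub.sim_changed_at = new_holder, when

    def deliver_sms(self, number, text):
        # SMS lands with whoever holds the SIM right now, not with the account owner.
        return self.subs[number].holder, text

    def sim_changed_within(self, number, window, now):
        return now - self.subs[number].sim_changed_at < window


@dataclass
class Account:
    user: str
    phone: str
    totp_secret: Optional[bytes] = None  # None: no non-SMS factor enrolled


def totp(secret: bytes, now_ts: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (standard authenticator-app algorithm)."""
    counter = struct.pack(">Q", int(now_ts) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def reset_password_sms_only(account, carrier, requester, now) -> bool:
    """Vulnerable flow: an SMS one-time code is the only proof of identity."""
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    recipient, _ = carrier.deliver_sms(account.phone, f"Your code is {otp}")
    # The requester can only type the code back if they hold the SIM that received it.
    submitted = otp if recipient == requester else None
    return submitted == otp


SIM_CHANGE_COOLDOWN = timedelta(hours=72)  # policy value, chosen for the example


def reset_password_hardened(account, carrier, submitted_totp, now):
    """Hardened flow: no SMS-only path, and a recent SIM change blocks sensitive actions."""
    if account.totp_secret is None:
        return False, "no non-SMS factor enrolled; route to manual identity verification"
    if carrier.sim_changed_within(account.phone, SIM_CHANGE_COOLDOWN, now):
        return False, "recent SIM change; hold sensitive actions and notify the account owner"
    expected = totp(account.totp_secret, now.timestamp())
    if not hmac.compare_digest(submitted_totp, expected):
        return False, "bad authenticator code"
    return True, "ok"


def run_scenario():
    """Replay the swap: legitimate reset, attacker reset, then both hardened checks."""
    t0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    carrier = Carrier([Subscriber("+14085550100", "victim", t0 - timedelta(days=400))])
    acct = Account("victim", "+14085550100", totp_secret=b"constructed-demo-secret")
    results = {}
    results["victim_sms_before_swap"] = reset_password_sms_only(acct, carrier, "victim", t0)
    # Impersonation at the store: the number now rings on the attacker's SIM.
    carrier.swap_sim(acct.phone, "attacker", t0 + timedelta(hours=1))
    t1 = t0 + timedelta(hours=2)
    results["attacker_sms_after_swap"] = reset_password_sms_only(acct, carrier, "attacker", t1)
    results["attacker_hardened"] = reset_password_hardened(acct, carrier, "000000", t1)
    # Days later, the real owner with a correct authenticator code gets through.
    t2 = t1 + timedelta(days=4)
    good_code = totp(acct.totp_secret, t2.timestamp())
    results["victim_hardened_after_cooldown"] = reset_password_hardened(acct, carrier, good_code, t2)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The two `True` results from the SMS-only flow are the point: the service cannot tell the attacker from the owner, because it never verified anything except possession of the number. The hardened flow fails the attacker before any code is checked, and the cooldown also gives the owner the window the article's victims lacked, since a service-loss report during that window is the earliest visible symptom of the swap.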
A Santa Clara County resident contacted REACT earlier this year and recounted how in February his cell phone carrier, AT&T, told him that someone walked into a store impersonating him and transferred his account to another SIM, and reset some of his email passwords. The resident eventually regained control, but did not observe any noticeable loss.
But the intruder tried again in March, and the resident discovered his email account had been accessed, then noticed his social media and cryptocurrency accounts were compromised.
And about $10,000 worth of bitcoin was gone.
It didn’t end there: Within a few days, the presumed hacker called his wife and sent text messages to his daughter including the message “TELL YOUR DAD TO GIVE US BITCOIN.”
The commandeered accounts also sent messages to the victim’s friends and acquaintances asking for loans of cryptocurrency.
REACT Lt. John Rose handed the case to Tarazi, a San Jose State University criminal-justice grad who before the investigations described himself as a hobbyist at best when it came to computer crimes.
“I learned on the job, whatever we had to learn,” Tarazi said.
Tarazi, Rose said, is being modest. “He is a prodigy. And just a really good cop who knows how to ask the right questions and see clues others don’t see.”
Tarazi and his REACT colleagues obtained search warrants to pinpoint the hacker’s SIM and smartphones used to access the Santa Clara County man’s accounts. For two months, they couldn’t land a suspect.
But an instance of carelessness put investigators onto Ortiz’s trail: his Google email address was used on one of the hacker phones. Things began to unravel from there. Included among the emails was a photo Ortiz purportedly used to verify his identity with one of his digital bank accounts; it showed him clearly holding his Massachusetts ID card.
That led to warrants that uncovered other cryptocurrency accounts linked to Ortiz that revealed at least $1.5 million in activity and large payments including $59,000 toward Airbnb housing rentals.
Once Ortiz became the primary suspect, the investigation went into overdrive and the detectives identified 40 other potential victims whose phone numbers had been accessed by the smartphones linked to Ortiz. They contacted at least 20 people.
Tarazi and the other detectives eventually learned that some of the victims had attended the same May cryptocurrency conference in New York. Some victims noticed that unauthorized text messages were sent from their accounts with no monetary loss. Others reported big losses, including one theft of $1.7 million.
From there it wasn’t too hard for the detectives to spot their targets, whose ostentatious lifestyle, which included mansions in the glitzier parts of Los Angeles, didn’t exactly fly under the radar.
Narvaez reportedly bought high-end sports cars like a McLaren and Audi R8, which fetch prices of between $130,000 and $200,000.
“They were openly talking about it online,” he said. “They were doing what a 20-year-old would do with millions of dollars in Hollywood.”
A telltale Airbnb rental gave investigators an idea of where Ortiz was. On July 10, they presented the latest evidence to West, who wrote the arrest warrants. On July 12, Tarazi and another detective flew to LAX to intercept Ortiz, fearful he might leave the country. The arrest was first reported by Motherboard.
Ortiz has since been charged with 41 criminal counts, many of them repeat charges encompassing grand theft, identity theft and assorted computer crimes linked to 13 known victims, with many more suspected. He is being held in the Elmwood men’s jail in Milpitas on $1 million bail.
His arrest, and the subsequent examination of his phones, turned up another lead: an email address linked to Narvaez. A June traffic citation in Beverly Hills connected Narvaez to the purchase of the high-end sports cars and eventually to cryptocurrency accounts that contained as much as $3 million at bitcoin’s peak valuation. He was arrested Aug. 17 and charged with seven counts of crimes similar to those Ortiz faces, involving reported victims in Santa Clara, Contra Costa and San Diego counties.
The broader hacker network in this case is thought to be far larger. Tarazi and his teammates continue to chase leads across the country, knowing there could be more local ties.
“Silicon Valley residents are being hit,” he said. “They’re attacking our community here.”