Threat Intelligence Tarot
cups · 2
Criminal (English-speaking, Western)
G1060 · ★★★★★
risk 3/5
✦ The Sim Swap ✦
UNC3944
Scattered Spider (overlap) · 0ktapus · Muddled Libra
Targets: Telecom employees · Cryptocurrency holders · IT service desk workers · Enterprise cloud tenants
Active since ~2022 · SIM swapping, Telecom employee social engineering, Crypto theft and extortion
It calls a telecom store employee, invents a story about a lost phone, and has the victim's number moved to a SIM it controls. Then it resets every account that uses that number for SMS codes or recovery. The Sim Swap turns the phone carrier, the thing everyone relies on to recover accounts, into the attack vector.
Tactics & Techniques
Reconnaissance (RCN) · Resource Development (RDV) · Initial Access (INI) · Execution (EXC) · Persistence (PRS) · Privilege Escalation (PRV) · Defense Evasion (EVA) · Credential Access (CRD) · Discovery (DSC) · Lateral Movement (LAT) · Collection (COL) · Command and Control (C2) · Exfiltration (EXF) · Impact (IMP)
Notable Operations
- ◆0ktapus campaign - 130+ orgs via Okta credential phishing (2022)
- ◆Telecom employee SIM swap operations targeting crypto holders
- ◆MGM Resorts and Caesars Entertainment intrusions (2023), attributed to Scattered Spider / UNC3944
- ◆Azure and AWS tenant compromise via phished admin credentials
Defenses
- ▸Remove the phone number as an account recovery method and use authenticator apps instead (NIST SP 800-63B, which restricts SMS/PSTN out-of-band authenticators). App-generated OTP codes can still be phished, as the 0ktapus pages showed, so this closes the SIM-swap route, not the phishing route.
- ▸FIDO2 hardware security keys for high-value accounts (CISA guidance); the origin-bound credential cannot be replayed from a phishing page
- ▸Account port-out PINs and verbal verification at telecom providers (FCC guidance)
- ▸Cloud access monitoring for anomalous login locations and patterns (NIST CSF: DE.AE), in particular a password reset completed with an SMS code, followed by a sign-in from a new location and a newly enrolled MFA factor
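As an added example (not code from the tarot card, from MITRE, or from any identity provider), the monitoring item above made concrete: a Python rule run over constructed sign-in events that flags the sequence the card describes, an SMS-code password reset followed within an hour by a sign-in from a location the user has never used, raised to high severity when a new MFA factor is enrolled in the same window. The event names, field names and the 60-minute window are assumptions; real IdP logs (Okta System Log, Entra sign-in logs) have their own schemas and would need a mapping step first.

```python
"""Added example: not part of the tarot card or of any vendor's product.

Detects the post-SIM-swap account-takeover sequence in identity-provider
sign-in logs: a password reset completed with an SMS code, followed within a
short window by a sign-in from a location the user has never used and (for the
high-severity case) enrollment of a new MFA factor. Field names, event names
and the 60-minute window are assumptions, not a real vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RECOVERY_WINDOW = timedelta(minutes=60)  # assumed tuning value

# Constructed sample events (RFC 5737 documentation addresses). Not real logs.
SAMPLE_EVENTS = [
    # alice: normal sign-in, then SMS reset + new-location sign-in + new factor
    {"ts": "2024-03-04T09:02:11Z", "user": "alice", "event": "login.success",
     "factor": "totp", "src_ip": "203.0.113.10", "geo": "US-CA"},
    {"ts": "2024-03-04T14:20:05Z", "user": "alice", "event": "password.reset",
     "factor": "sms", "src_ip": "198.51.100.7", "geo": "US-NY"},
    {"ts": "2024-03-04T14:23:40Z", "user": "alice", "event": "login.success",
     "factor": "sms", "src_ip": "198.51.100.7", "geo": "US-NY"},
    {"ts": "2024-03-04T14:31:12Z", "user": "alice", "event": "mfa.factor.enroll",
     "factor": "totp", "src_ip": "198.51.100.7", "geo": "US-NY"},
    # bob: SMS reset and sign-in from his usual address; looks like a genuine lost phone
    {"ts": "2024-03-04T08:45:00Z", "user": "bob", "event": "login.success",
     "factor": "totp", "src_ip": "203.0.113.55", "geo": "US-CA"},
    {"ts": "2024-03-04T10:00:00Z", "user": "bob", "event": "password.reset",
     "factor": "sms", "src_ip": "203.0.113.55", "geo": "US-CA"},
    {"ts": "2024-03-04T10:01:00Z", "user": "bob", "event": "login.success",
     "factor": "sms", "src_ip": "203.0.113.55", "geo": "US-CA"},
    # carol: SMS reset + new-location sign-in, but no factor change yet
    {"ts": "2024-03-04T08:00:00Z", "user": "carol", "event": "login.success",
     "factor": "totp", "src_ip": "203.0.113.20", "geo": "US-WA"},
    {"ts": "2024-03-04T16:00:00Z", "user": "carol", "event": "password.reset",
     "factor": "sms", "src_ip": "192.0.2.9", "geo": "GB"},
    {"ts": "2024-03-04T16:05:00Z", "user": "carol", "event": "login.success",
     "factor": "sms", "src_ip": "192.0.2.9", "geo": "GB"},
]

FACTOR_CHANGE_EVENTS = {"mfa.factor.enroll", "mfa.factor.reset"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_sim_swap_takeovers(events, window=RECOVERY_WINDOW):
    """Return one finding per SMS-based password reset that is followed, within
    `window`, by a successful sign-in from an IP or region absent from the
    user's earlier sign-ins. Severity is 'high' if an MFA factor was also
    enrolled or reset in that window, otherwise 'medium'."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(dict(e, ts=parse_ts(e["ts"])))

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, reset in enumerate(evs):
            if reset["event"] != "password.reset" or reset["factor"] != "sms":
                continue
            # Baseline: where this user signed in from before the SMS reset.
            prior_logins = [e for e in evs[:i] if e["event"] == "login.success"]
            known_ips = {e["src_ip"] for e in prior_logins}
            known_geos = {e["geo"] for e in prior_logins}

            deadline = reset["ts"] + window
            follow = [e for e in evs[i + 1:] if e["ts"] <= deadline]
            new_location_login = any(
                e["event"] == "login.success"
                and (e["src_ip"] not in known_ips or e["geo"] not in known_geos)
                for e in follow
            )
            if not new_location_login:
                continue  # reset from a familiar location: not flagged by this rule
            factor_change = any(e["event"] in FACTOR_CHANGE_EVENTS for e in follow)
            findings.append({
                "user": user,
                "reset_at": reset["ts"].isoformat(),
                "src_ip": reset["src_ip"],
                "factor_change": factor_change,
                "severity": "high" if factor_change else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_sim_swap_takeovers(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['user']:6} reset {f['reset_at']} from {f['src_ip']}")
```

On the sample data alice is flagged high and carol medium, while bob's reset from his usual address is not flagged at all. That keeps genuine lost-phone resets out of the queue, but it also means an attacker who signs in through a proxy in the victim's home region slips past the location check, which is why the factor-change signal and the carrier's port-out notification (where the provider offers one) should be correlated rather than relying on location alone.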
Reversed: Their Weakness
SIM swapping's reliance on telecom employee social engineering creates a ceiling on scale - each attack requires a human to be deceived, limiting throughput. When telecoms implemented stronger internal verification procedures, the attack's effectiveness declined significantly.
Data sourced from MITRE ATT&CK. For educational purposes.