Threat Intelligence Tarot
cups · 2
Criminal (English-speaking, Western)
G1060 · ★★★★★
risk 3/5
✦ The Sim Swap ✦
UNC3944
Scattered Spider (overlap) · 0ktapus · Muddled Libra
Targets: Telecom employees · Cryptocurrency holders · IT service desk workers · Enterprise cloud tenants
Active since ~2022 · SIM swapping, Telecom employee social engineering, Crypto theft and extortion
It calls a telecom store employee, invents a story about a lost phone, and has the victim's number ported to a SIM it controls. With the number in hand it receives the victim's SMS one-time codes and password-reset links and takes over every account tied to that number. The Sim Swap turns the phone carrier, the thing everyone uses to recover accounts, into the attack vector.
Tactics & Techniques
RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
Notable Operations
- ◆0ktapus campaign - 130+ orgs via Okta credential phishing (2022)
- ◆Telecom employee SIM swap operations targeting crypto holders
- ◆MGM and Caesars (in coordination with Scattered Spider)
- ◆Azure and AWS tenant compromise via phished admin credentials
Defenses
- ▸Remove phone number as account recovery method; use authenticator apps instead (NIST SP 800-63B treats SMS and voice one-time codes as a restricted authenticator) · NIST SP 800-63B ↗
- ▸FIDO2 hardware security keys for high-value and administrative accounts, since a phishing-resistant factor cannot be intercepted via a ported number · CISA guidance
- ▸Account port-out PINs and verbal verification at telecom providers, so a store or call-center employee cannot move a number on a story alone · FCC guidance
- ▸Cloud access monitoring for anomalous login locations and patterns, especially an SMS factor change followed by a password reset and a login from an unfamiliar location · NIST CSF: DE.AE ↗
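The last defense above is the one a SOC can actually script. The following is an added example (not code from the page, MITRE, or any vendor): it runs two rules over a constructed JSON-lines audit log that imitates a generic identity provider. The field names (`ts`, `user`, `event`, `ip`, `country`), the event names, the sample records, and the per-user country baseline are all assumptions made up for this example. The first rule looks for the post-SIM-swap chain described in the card text: an SMS factor enrolled or reset, then an SMS-delivered password reset, then a successful login from a country the user has never used, all inside one hour. The second is the plainer "login from a new country" rule, which is noisier but catches cases where the factor change happened out of view.

```python
"""Detection sketch: flag the account-takeover sequence that follows a SIM swap.

Constructed example. Log format, field names, event names, sample records
and the country baseline are assumptions, not any real vendor's schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log lines. alice shows the classic post-SIM-swap chain:
# SMS factor enrolled, password reset over SMS, login from a country never
# seen for her, all within minutes. bob has the same events spread over a
# day from his usual country (no alert). carol just logs in from a new country.
SAMPLE_LOG = """\
{"ts": "2024-03-04T02:11:05Z", "user": "alice", "event": "mfa.sms.enroll", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2024-03-04T02:13:40Z", "user": "alice", "event": "password.reset.sms", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2024-03-04T02:15:02Z", "user": "alice", "event": "login.success", "ip": "203.0.113.7", "country": "RO"}
{"ts": "2024-03-04T09:02:11Z", "user": "bob", "event": "login.success", "ip": "198.51.100.4", "country": "US"}
{"ts": "2024-03-04T09:30:00Z", "user": "bob", "event": "mfa.sms.enroll", "ip": "198.51.100.4", "country": "US"}
{"ts": "2024-03-05T09:00:00Z", "user": "bob", "event": "password.reset.sms", "ip": "198.51.100.4", "country": "US"}
{"ts": "2024-03-04T11:45:19Z", "user": "carol", "event": "login.success", "ip": "192.0.2.9", "country": "DE"}
"""

# Constructed baseline: countries each user logged in from over the prior 30 days.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "GB"}}

# Recovery-channel events an attacker holding the victim's number can trigger.
FACTOR_EVENTS = {"mfa.sms.enroll", "mfa.sms.reset"}
RESET_EVENTS = {"password.reset.sms"}


def parse_events(text):
    """Parse JSON-lines audit records into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_sim_swap_chain(events, window=timedelta(hours=1), baseline=BASELINE):
    """Per user, in order and inside `window`: SMS factor change -> SMS password
    reset -> successful login from a country outside the baseline.
    A new factor change restarts the chain. Returns one alert per user."""
    alerts = []
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        factor_t = None   # time of the most recent SMS factor change
        reset_t = None    # time of an SMS password reset that followed it
        for e in evs:
            if e["event"] in FACTOR_EVENTS:
                factor_t, reset_t = e["ts"], None
            elif e["event"] in RESET_EVENTS and factor_t and e["ts"] - factor_t <= window:
                reset_t = e["ts"]
            elif (e["event"] == "login.success" and reset_t
                  and e["ts"] - factor_t <= window
                  and e["country"] not in baseline.get(user, set())):
                alerts.append({"user": user, "start": factor_t,
                               "login_ip": e["ip"], "country": e["country"]})
                break
    return alerts


def detect_new_location(events, baseline=BASELINE):
    """Noisier rule: any successful login from a country outside the user's baseline."""
    return [e for e in events
            if e["event"] == "login.success"
            and e["country"] not in baseline.get(e["user"], set())]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_sim_swap_chain(evs):
        print("SIM-swap chain:", a["user"], "from", a["login_ip"], a["country"], "starting", a["start"])
    for e in detect_new_location(evs):
        print("new location:", e["user"], e["country"], e["ip"])
```

On the sample input the chain rule fires only for alice, while the location rule fires for alice and carol; bob's factor change and reset are a day apart and from his usual country, so neither rule fires. In production the baseline would be computed from the same log rather than hard-coded, and the chain rule's window should be tuned to how quickly the IT service desk completes legitimate re-enrollments.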
Reversed: Their Weakness
SIM swapping's reliance on telecom employee social engineering creates a ceiling on scale - each attack requires a human to be deceived, limiting throughput. When telecoms implemented stronger internal verification procedures, the attack's effectiveness declined significantly.
Data sourced from MITRE ATT&CK. For educational purposes.