Poland SIM Swapping Bust Highlights the Growing Risk of Telecom Account Takeovers

Nora Blake

Jun 26, 2026

7 min read

TL;DR

Polish authorities arrested four individuals accused of carrying out large-scale SIM swapping attacks that allegedly resulted in millions of dollars in cryptocurrency theft. Investigators claim the group abused telecom-related infrastructure and compromised employee email accounts to intercept SMS messages and take over victims’ cryptocurrency accounts. The Poland SIM swapping bust underscores the risks of relying on SMS-based authentication and highlights how attackers can exploit trusted identity processes to gain access to high-value accounts.

Introduction

The Poland SIM swapping bust has exposed how SIM-swapping groups can abuse trusted identity infrastructure to facilitate large-scale financial theft. Publicly reported details focus on unauthorized access to telecom-related infrastructure and compromised employee email accounts, which allegedly enabled the attackers to take control of victims’ phone numbers.

Poland’s Central Bureau for Combating Cybercrime (CBZC) led the operation. The FBI and Homeland Security Investigations (HSI) provided support. Officers arrested four suspects for participating in an organized cybercrime group.

Authorities allege the group used SIM-swapping attacks to intercept SMS messages. They then accessed cryptocurrency exchange accounts and stole millions of dollars.

The investigation centers on cryptocurrency theft, but the techniques have broader implications for enterprises. Many organizations depend on mobile numbers for account recovery, SMS-based multi-factor authentication (MFA), and help desk verification. This case demonstrates a major security risk: compromising upstream identity dependencies creates opportunities for account takeover, even when public reports mention no endpoint exploitation.

What Happened in the Poland SIM Swapping Bust

Polish authorities arrested four individuals accused of participating in an organized cybercrime group that allegedly carried out SIM-swapping attacks resulting in millions of dollars in cryptocurrency theft. Investigators claim the group used social engineering, gained unauthorized access to infrastructure supporting telecommunications operations, and compromised employee email accounts to facilitate phone number takeovers. Authorities also allege that the attackers laundered the stolen funds through bank accounts and digital wallets.

Confirmed Details of the Investigation

Authorities confirmed the arrest of four suspects in Poland following an investigation led by the Central Bureau for Combating Cybercrime (CBZC) with support from the FBI and Homeland Security Investigations (HSI).

Investigators allege the group gained unauthorized access to telecom-related infrastructure and compromised employee email accounts to obtain information needed for SIM-swapping attacks. Authorities report that victims’ phone numbers were taken over, allowing SMS messages and email communications to be intercepted. The investigation also alleges that the attackers used this access to compromise cryptocurrency exchange accounts, with estimated losses reaching millions of U.S. dollars.

What Remains Unclear About the Investigation

Several operational details have not been publicly disclosed. Authorities have not identified the telecommunications partners involved or explained how access to telecom-related infrastructure was obtained. It also remains unclear whether insider involvement played any role, how many victims were affected, whether enterprise organizations were directly targeted, or which cryptocurrency exchanges were impacted.

Until investigators release additional findings, these details remain unknown.

How the SIM Swapping Attack Worked

Based on publicly available information, the attack appears to have unfolded in several stages that enabled the attackers to move from initial access to cryptocurrency account takeover.

1. Social engineering and unauthorized infrastructure access

Investigators allege the group used social engineering and specialized software to gain unauthorized access to infrastructure used by organizations cooperating with telecommunications operators. Public reporting has not disclosed the specific systems or software involved.

2. Employee email compromise

Authorities also allege the attackers compromised employee email accounts to obtain information required for SIM-swapping attacks. The investigation has not confirmed how those email accounts were compromised or whether phishing, credential theft, or another technique was used.

3. SIM swapping

Using the information obtained during the earlier stages, the attackers reportedly transferred victims’ phone numbers to SIM cards under their control. This enabled them to receive SMS messages and other communications intended for the legitimate subscriber.

4. Cryptocurrency account takeover

Control of victims’ phone numbers reportedly allowed the attackers to access cryptocurrency exchange accounts that relied on SMS-based authentication or phone number recovery. Authorities allege the stolen assets were subsequently moved through bank accounts and digital wallets as part of a money-laundering operation. Public reporting has not disclosed the specific laundering techniques or financial infrastructure involved.

Based on publicly reported details, the attack chain appears to have relied on compromising processes that support identity verification rather than on a disclosed software vulnerability. This demonstrates how weaknesses in authentication and account recovery workflows can be exploited to gain access to high-value accounts.

Why the Poland SIM Swapping Bust Matters to Enterprises

Although the reported attacks targeted cryptocurrency accounts, the techniques have implications for organizations across industries. Many enterprises still rely on mobile phone numbers as a trusted identity factor for critical workflows, including:

  • SMS-based multi-factor authentication (MFA)
  • Password and account recovery
  • Help desk identity verification
  • Administrative account changes
  • Banking and payment approvals

A successful SIM-swapping attack can allow threat actors to intercept one-time passcodes, password reset messages, and other authentication communications. Even when primary credentials remain protected, reliance on SMS-based verification can increase the risk of account takeover if a user’s mobile identity is compromised.

The case also highlights an often-overlooked risk: attackers may target trusted service providers or supporting identity infrastructure rather than the enterprise itself. Compromising upstream systems or processes can create indirect paths to high-value accounts without requiring malware deployment or exploitation of enterprise endpoints.

To reduce the risk of identity-based attacks, organizations should:

  • Review where SMS-based authentication is still used and transition to stronger authentication methods where feasible.
  • Strengthen account recovery and identity verification procedures.
  • Monitor high-risk identity events, such as MFA resets and phone number changes.
  • Treat telecommunications providers and other identity dependencies as part of the broader enterprise attack surface.
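The two lists above (where phone numbers are still a trusted factor, and what to monitor) translate directly into detection and policy logic. The following is an added example, not code from the original post or from Hexnode: it reads constructed identity-provider audit events (the field names `ts`, `user`, `event`, `mfa_factor` and `src_ip` and the sample log lines are assumptions for illustration, not any real IdP's schema), flags a phone number change followed within 24 hours by an MFA reset or SMS-based password recovery (the sequence a SIM swap enables), lists users who still authenticate with SMS only, and shows a recovery-policy check that refuses SMS-based recovery while a phone number change is recent.

```python
"""Correlate identity audit events to flag SIM-swap-style takeover patterns.

Added example, not part of the original post or Hexnode's products. The event
schema and the sample log below are constructed for illustration only.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

PHONE_CHANGE = "phone_number_changed"
# Events that, following a phone number change, resemble a mobile-identity takeover.
HIGH_RISK_FOLLOWUPS = {"mfa_reset", "password_reset_via_sms", "recovery_code_viewed"}
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample audit log, one JSON object per line (not real data).
SAMPLE_LOG = """\
{"ts": "2026-06-20T08:02:11Z", "user": "alice", "event": "login_success", "mfa_factor": "sms"}
{"ts": "2026-06-20T09:15:40Z", "user": "alice", "event": "phone_number_changed", "src_ip": "198.51.100.7"}
{"ts": "2026-06-20T09:22:05Z", "user": "alice", "event": "mfa_reset", "mfa_factor": "sms"}
{"ts": "2026-06-20T09:25:30Z", "user": "alice", "event": "password_reset_via_sms", "src_ip": "198.51.100.7"}
{"ts": "2026-06-20T10:00:00Z", "user": "bob", "event": "login_success", "mfa_factor": "fido2"}
{"ts": "2026-06-20T11:00:00Z", "user": "carol", "event": "phone_number_changed", "src_ip": "203.0.113.9"}
{"ts": "2026-06-23T11:30:00Z", "user": "carol", "event": "mfa_reset", "mfa_factor": "totp"}
{"ts": "2026-06-20T12:00:00Z", "user": "dave", "event": "login_success", "mfa_factor": "sms"}
"""


def _parse_ts(value: str) -> datetime:
    # Accept the trailing "Z" form used in the sample log on any Python 3 version.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(log_text: str) -> list[dict]:
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = _parse_ts(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_takeover_sequences(events: list[dict], window: timedelta = CORRELATION_WINDOW) -> list[dict]:
    """Flag users whose phone number change is followed within `window` by
    an MFA reset or SMS-based recovery event."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for event in events:  # events are already time-ordered
        by_user[event["user"]].append(event)
    alerts = []
    for user, user_events in by_user.items():
        for i, event in enumerate(user_events):
            if event["event"] != PHONE_CHANGE:
                continue
            deadline = event["ts"] + window
            followups = [e["event"] for e in user_events[i + 1:]
                         if e["event"] in HIGH_RISK_FOLLOWUPS and e["ts"] <= deadline]
            if followups:
                alerts.append({"user": user,
                               "phone_changed_at": event["ts"].isoformat(),
                               "followups": followups})
    return alerts


def sms_only_users(events: list[dict]) -> set[str]:
    """Users whose every observed login used SMS as the MFA factor: the
    population still exposed to SIM swapping and first in line for migration."""
    factors: dict[str, set] = defaultdict(set)
    for e in events:
        if e["event"] == "login_success":
            factors[e["user"]].add(e.get("mfa_factor"))
    return {user for user, used in factors.items() if used == {"sms"}}


def should_step_up_recovery(events: list[dict], user: str, now_iso: str,
                            window: timedelta = CORRELATION_WINDOW) -> bool:
    """Recovery-policy check: if the user's phone number changed within `window`
    before `now_iso`, SMS-based recovery should be refused and a non-SMS factor
    or help desk verification required instead."""
    now = _parse_ts(now_iso)
    return any(e["user"] == user and e["event"] == PHONE_CHANGE
               and now - window <= e["ts"] <= now
               for e in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in find_takeover_sequences(evs):
        print("ALERT possible SIM-swap takeover:", alert)
    print("SMS-only MFA users:", sorted(sms_only_users(evs)))
    print("Step-up recovery for alice now?", should_step_up_recovery(evs, "alice", "2026-06-20T09:30:00Z"))
```

Run as written, the script alerts on `alice` (phone change followed by `mfa_reset` and `password_reset_via_sms` within ten minutes) but not on `carol`, whose MFA reset came three days after the change and used a non-SMS factor; the window length and follow-up event set are the two knobs to tune against your own identity provider's event names.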

How Hexnode Helps Reduce Identity Takeover Risk

While organizations cannot prevent SIM swapping performed through a telecommunications provider, they can strengthen the controls surrounding enterprise devices, authentication, and access to corporate resources. A layered approach helps reduce the likelihood that compromised mobile identities lead to broader enterprise account compromise.

Enforce Device Trust with Hexnode UEM

Hexnode UEM can help organizations enforce device compliance policies for access decisions when integrated with Conditional Access workflows such as those in Microsoft Entra ID. By using device compliance as a signal in those workflows, organizations can help restrict access to supported corporate resources from devices that do not meet policy requirements. Centralized policy enforcement also helps maintain consistent security standards across managed devices.

Strengthen Authentication with Hexnode IdP

Hexnode IdP enables organizations to strengthen authentication through multi-factor authentication (MFA), role-based access control (RBAC), and conditional access policies based on device compliance. These capabilities help enforce access rules based on user identity, device compliance, and security context, supporting more resilient identity and access management practices.

Investigate Endpoint Activity with Hexnode XDR

If an endpoint is suspected of being involved in malicious activity, Hexnode XDR can support investigations through endpoint-focused detection, endpoint visibility, and query-driven threat hunting. Security teams can review endpoint activity, investigate threats using those hunting queries, and respond by isolating affected devices, terminating malicious processes, or quarantining malicious files when appropriate.

Together, these capabilities help organizations strengthen identity security, improve endpoint visibility, and reduce the operational impact of identity-focused attacks, even when the initial compromise occurs outside the enterprise environment.

Key Takeaways from the Poland SIM Swapping Bust

The Poland SIM swapping bust demonstrates how attackers can exploit trusted identity processes rather than technical vulnerabilities alone. By allegedly abusing telecom-related infrastructure and compromising employee email accounts, the suspects turned legitimate authentication and account recovery mechanisms into pathways for cryptocurrency account takeover.

Although the reported attacks centered on cryptocurrency theft, the lessons apply across industries. Organizations should evaluate where mobile phone numbers remain a trusted factor for authentication and account recovery, strengthen identity verification procedures, and reduce reliance on SMS-based authentication wherever stronger alternatives are available.

As identity attacks continue to evolve, protecting enterprise devices is only part of the equation. Securing the identity workflows, recovery processes, and trust mechanisms that support user authentication is equally important for reducing the risk of account takeover.

Nora Blake

I write at the intersection of technology, process, and people, focusing on explaining complex products with clarity. I break down tools, systems, and workflows without any noise, jargon, or the hype.