Hackers began stealing mobile phone numbers of Russian users to access online banking transactions. The breach centers on the eSIM, a digital SIM that replaces the traditional physical card in many modern smartphones. Fraudulent activity has been reported to socialbites.ca by the press service of FAC.CT, a company focused on developing technologies to detect and disrupt cybercrime in real time.
Since late 2023, FACCT’s Fraud Protection analysts have documented more than a hundred attempts at a single financial institution to compromise customer accounts in online services. The attackers leverage the eSIM replacement or restoration process to hijack a victim’s mobile number, transferring the number from the original SIM to a fraudulent device via eSIM. To do this, the perpetrators obtain an eSIM profile and use a compatible smartphone to signal the telecom operator to reassign the line, thereby tying the victim’s number to the attacker’s device. The attackers also attempt to access the victim’s account through government and operator portals that supply the required eSIM activation credentials. The necessary prerequisite is an active eSIM profile alongside a device capable of operating within the telecom operator’s system or widely used government services on the victim’s phone.
“Cybercriminals abroad have relied on a similar hijacking approach for at least a year. In the past, fraudsters tried to re-issue the SIM card without the subscriber’s knowledge with insider help from some operator staff, but operators and banks have since tightened controls to counter this form of fraud,” FAC.CT notes. The shift now is toward more autonomous methods that do not require direct operator collaboration, increasing the range of possible targets and complicating detection efforts for traditional security teams.
In the newer hijacking method, attackers seek to obtain a QR code or activation code for the SM-DP+ address, which manages eSIM profiles. They submit a request on an operator’s website or app to transfer a number from a physical SIM to an eSIM. Once the process is completed, the original SIM becomes inactive for the user, and access to the number is severed. This disruption often leaves consumers without control over essential services tied to their mobile identity, including authentication channels and service alerts.
“By taking hold of the victim’s phone number, cybercriminals can intercept access codes and two-factor authentication for a range of services, including banks and instant messaging platforms. That foothold opens many doors for attackers to execute fraudulent plans, from high-value financial theft to data exfiltration,” explains Dmitry Dudkov, an Anti-Fraud specialist at FACCT. His comments reflect the evolving risk landscape where mobile identity becomes a critical vector for digital crime.
To mitigate this threat, security experts advise users to adopt strong, unique passwords for mobile operator apps, enable two-factor authentication across services, and maintain vigilant monitoring of SMS communications from mobile providers. They also emphasize the importance of regular reviews of device and SIM settings, prompt reporting of any unexpected SMS messages, and staying informed about updates from telecom operators and banks regarding SIM swap fraud prevention.
In related activity, scammers have launched mass attacks targeting vendors in various marketplaces, underscoring the broader risk landscape and the need for layered security controls across sectors.