SIM Card Cloning Scam Targeting Russian Bank VIP Clients Busted

Fraudsters Arrested for Stealing Money from VIP Bank Clients Using SIM Card Clones

The Russian Ministry of Internal Affairs (MVD) and cybersecurity firm Group-IB have arrested the organizers of a criminal group specializing in SIM card reissuance and theft of funds from clients of Russian banks. The group operated for several years, causing losses estimated in the tens of millions of rubles. Even individuals serving prison sentences became victims of these fraudsters.

How the SIM Card Cloning Scam Worked

Group-IB researchers note that the peak of SIM card reissuance scams occurred in 2017-2018. During this period, criminals hacked Instagram accounts, messengers, and email inboxes of well-known bloggers, entrepreneurs, celebrities, and athletes, then demanded ransom to restore access. These attacks were also frequently used to steal large sums in cryptocurrency and from victims’ bank accounts, as intercepting two-factor authentication (2FA) codes became much easier.

One criminal group focused specifically on VIP clients of Russian banks. To gather information about their targets, the scammers used special “lookup” services available on Telegram channels or underground hacker forums. Typically, the owners of these services had contacts with insiders at banks who had high-level access, allowing them to obtain not only personal data but also real-time information about the victim’s bank account balance.

SIM Card Reissuance and Theft

Next, the fraudsters used the services of a female employee of an underground SIM card recovery service, a popular offering on the dark web. Using a forged power of attorney (templates cost about 1,500 rubles on forums, with fake stamps or color-printed forms), she reissued SIM cards at mobile phone stores in Moscow and the surrounding region. As identification, she used fake driver’s licenses.

Immediately after activating the cloned SIM card, the victim’s mobile service would stop working. At that moment, the new SIM card holder would send requests to the bank for one-time codes to access mobile internet banking. In some cases, the accomplice didn’t even bother sending the SIM card itself—she simply relayed the received codes by phone. The stolen money (typically 50,000–100,000 rubles per incident) was transferred from the victim’s account to third-party accounts and then laundered through a chain of transactions in other cities, such as Samara.

Targeting Incarcerated Victims

While in 2017-2018 criminals could withdraw large sums almost instantly, since 2019, after banks strengthened anti-fraud measures, the process began to take longer. For example, scammers could only make transactions a day after the SIM card was reissued. As a result, they started targeting wealthy individuals who were serving prison sentences. The main requirement was that the victim had money in their account and mobile banking enabled. Experts note that while inmates are officially prohibited from using mobile phones, there have been cases of smartphones being smuggled into prisons and even entire prison call centers operating, prompting joint efforts by the MVD, FSB, and Federal Penitentiary Service to block mobile communications in correctional facilities.

Investigation and Arrests

Numerous cases of theft from Russian bank clients led to a criminal investigation. During the investigation, Moscow police identified the organizers of the criminal group and involved Group-IB experts. Two organizers were arrested in Solntsevo and Kommunarka, their accomplice from the SIM card recovery service was detained in the Moscow region, and another member involved in cashing out the stolen funds was caught in Samara. Notably, one of the group members had previously been convicted for similar SIM card fraud in 2014-2015, but after being released, returned to his old ways.

During searches, law enforcement and Group-IB specialists found numerous SIM cards, laptops, smartphones, basic “feature phones,” fake documents (passports and driver’s licenses), as well as bank cards and linked SIM cards used to receive stolen funds. The fraudsters stored confidential information on encrypted USB drives. The suspects have already confessed and have been charged under Article 159, Part 4 of the Russian Criminal Code (Fraud). The case includes several incidents, with the number of victims growing and total damages already estimated at several tens of millions of rubles.

Expert Commentary and Bank Countermeasures

“Unlike the well-known vishing schemes, where criminals try to obtain a victim’s CVV or SMS code, the SIM card reissuance scam is less widespread and primarily targets wealthy, high-profile clients. More and more banks are partnering with mobile operators to share data and combat fraud: if a SIM card is reissued, mobile banking is temporarily blocked and requires separate online banking activation. However, this rule is not yet universal,” commented Sergey Lupanin, Head of Investigations at Group-IB.
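The bank-side countermeasure described above can be sketched as a gate in front of SMS one-time codes. This is an added example, not code from Group-IB or any bank: the operator feed (SimStatus), the one-day hold and the decision names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: a one-day hold, matching the delay the article mentions.
SIM_CHANGE_HOLD = timedelta(days=1)

@dataclass
class SimStatus:
    """Hypothetical record from a mobile operator's data-sharing feed."""
    msisdn: str
    last_sim_change: Optional[datetime]  # None = no reissue on record

@dataclass
class Customer:
    msisdn: str
    # Set when the customer re-activates mobile banking via online banking.
    reactivated_at: Optional[datetime] = None

def sms_otp_decision(customer: Customer, sim: Optional[SimStatus],
                     now: datetime) -> str:
    """Decide whether an SMS one-time code may be used for this customer.

    Returns 'allow', 'hold', 'reactivate' or 'deny'.
    """
    # Fail closed: without operator data a recent reissue cannot be ruled out.
    if sim is None or sim.msisdn != customer.msisdn:
        return "deny"
    changed = sim.last_sim_change
    if changed is None:
        return "allow"
    # Inside the hold window nothing unlocks SMS codes, so a reissued SIM
    # cannot be used immediately to reach the account.
    if now - changed < SIM_CHANGE_HOLD:
        return "hold"
    # After the hold, only a re-activation performed after the SIM change
    # counts; an older one says nothing about who holds the new SIM.
    if customer.reactivated_at and customer.reactivated_at >= changed:
        return "allow"
    return "reactivate"

if __name__ == "__main__":
    # Constructed sample data.
    now = datetime(2020, 1, 10, 12, 0, tzinfo=timezone.utc)
    victim = Customer(msisdn="+70000000000")
    swapped = SimStatus("+70000000000", now - timedelta(hours=3))
    print(sms_otp_decision(victim, swapped, now))  # hold
```

Denying when the operator lookup fails is the deliberate choice here: an unavailable feed is exactly the condition under which a reissued SIM would otherwise go unnoticed.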
