Roaming Exploit Lets Hackers Breach Phones of 20 Crypto Company Leaders

Roaming Exploit Used to Hack Phones of 20 Israeli Crypto Executives

About twenty executives from Israeli cryptocurrency exchanges have fallen victim to cybercriminals. Early last month, hackers broke into their phones, stole all their personal data, and began sending messages to their contacts asking for money transfers. According to Haaretz, the cyberattack—which did not result in any stolen funds—may have been carried out by hackers working for a government.

The investigation into the cyberattack involved a major telecommunications company, the cybersecurity firm Pandora Security, and even Israel’s Shin Bet security service. The National Cyber Directorate and Mossad were also brought in to help investigate the incident.

How the Attack Unfolded

The story began on September 7 of this year, when Tsahi Ganot, co-founder of Pandora Security (a company specializing in protecting top corporate executives), reported that they had a “new client.” The client was the deputy CFO of a company who complained that his mobile phone had been hacked overnight, and that his Telegram and other accounts might have been compromised.

At that point, the attackers had already sent messages from the victim’s Telegram account to his contacts, asking them to transfer cryptocurrency. Ganot provided the “client” with a price list for their services, but also began to consider how the phone had been hacked—whether through a fake SIM card or malware. While crypto-related hacks are common, a Telegram account breach is less typical.

The next morning, Ganot was flooded with similar complaints. According to him, hackers had compromised the phones of about twenty Israelis who were presidents or vice presidents of cryptocurrency companies. In addition to their involvement in crypto, the victims had something else in common—they were all customers of the same telecom provider, the Israeli company Partner.

How Did the Hackers Pull It Off?

Many services, including Telegram, use verification codes sent via SMS to identify users. Typically, attackers “clone” (duplicate) the victim’s SIM card to intercept these messages. However, this time, it appears the hackers managed to intercept SMS messages sent by the telecom operator itself.

The investigation revealed that the hackers used a technique called SMSC spoofing, which abuses the roaming system. They gained access to a foreign mobile network that exchanges signalling traffic directly with Israeli networks and sent a message from that foreign network to the Israeli one, which updated the subscriber’s registered location.

The message might have read something like: “The subscriber has just landed in Tbilisi and registered on our network. Please forward all his messages through this network.” As Ganot explained, the attackers’ plan worked because such a location update is a “necessary procedure for people entering a foreign country whose phones are in roaming mode.”
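A home operator can catch this pattern on its own side: a subscriber whose phone was just active on the home network cannot plausibly register abroad minutes later, and twenty customers of one operator appearing on the same foreign network overnight is a cluster, not travel. The check below is an added example written for this article, not code from Pandora Security or Partner; the record layout and the network names are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of location-update records (field names and values are
# assumptions for this example, not a real operator log format).
EVENTS = [
    {"sub": "SUB-001", "ts": "2023-09-06T23:40:00", "net": "HOME", "kind": "activity"},
    {"sub": "SUB-001", "ts": "2023-09-07T01:10:00", "net": "VISITED-X", "kind": "location_update"},
    {"sub": "SUB-002", "ts": "2023-09-06T23:55:00", "net": "HOME", "kind": "activity"},
    {"sub": "SUB-002", "ts": "2023-09-07T01:12:00", "net": "VISITED-X", "kind": "location_update"},
    {"sub": "SUB-003", "ts": "2023-09-06T22:00:00", "net": "HOME", "kind": "activity"},
    {"sub": "SUB-003", "ts": "2023-09-07T01:15:00", "net": "VISITED-X", "kind": "location_update"},
    # A legitimate traveller: last seen at home many hours before roaming abroad.
    {"sub": "SUB-004", "ts": "2023-09-06T09:00:00", "net": "HOME", "kind": "activity"},
    {"sub": "SUB-004", "ts": "2023-09-06T21:30:00", "net": "VISITED-Y", "kind": "location_update"},
]

def _parse(ts):
    return datetime.fromisoformat(ts)

def impossible_roaming(events, min_travel=timedelta(hours=3)):
    """Subscribers registered on a foreign network too soon after home-network activity."""
    last_home = {}
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["net"] == "HOME":
            last_home[e["sub"]] = _parse(e["ts"])
        elif e["kind"] == "location_update" and e["sub"] in last_home:
            if _parse(e["ts"]) - last_home[e["sub"]] < min_travel:
                hits.append((e["sub"], e["net"]))
    return hits

def mass_roaming(events, window=timedelta(hours=1), threshold=3):
    """Foreign networks that registered many distinct subscribers inside one time window."""
    by_net = defaultdict(list)
    for e in events:
        if e["kind"] == "location_update" and e["net"] != "HOME":
            by_net[e["net"]].append((_parse(e["ts"]), e["sub"]))
    flagged = {}
    for net, regs in by_net.items():
        regs.sort()
        for i, (t0, _) in enumerate(regs):
            subs = {s for t, s in regs[i:] if t - t0 <= window}
            if len(subs) >= threshold:
                flagged[net] = len(subs)
                break
    return flagged
```

SUB-003 passes the travel check alone (over three hours since home activity) but is caught by the cluster check, which is why both are needed.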
