"SIMCARTEL" CaaS Network Busted in Major European Takedown

Europol and Partners Dismantle "SIMCARTEL" Cybercrime-as-a-Service Platform in Latvia

HIGH
October 19, 2025
Cyberattack, Threat Actor, Policy and Compliance

Related Entities

Threat Actors

SIMCARTEL

Other

gogetsms[.]com, apisim[.]com

Executive Summary

On October 10, 2025, an international law enforcement operation codenamed "SIMCARTEL" dismantled a major Cybercrime-as-a-Service (CaaS) network based in Latvia. The operation, a collaboration between Austria, Estonia, and Finland, supported by Europol and Eurojust, led to seven arrests and the seizure of critical infrastructure. The network provided anonymization services to criminals worldwide by renting out phone numbers from over 80 countries, enabling an estimated 49 million fake online accounts and facilitating financial losses exceeding €4.9 million in Austria and Latvia alone. The takedown marks a significant disruption to the cybercrime ecosystem that relies on such services for fraudulent activities.


Threat Overview

The "SIMCARTEL" platform operated a sophisticated CaaS model, providing criminals with the tools to bypass identity verification on online platforms. The core of their operation was a massive farm of approximately 1,200 SIM box devices holding 40,000 active SIM cards, with hundreds of thousands more seized. Customers could rent these phone numbers through the websites gogetsms[.]com and apisim[.]com to receive verification codes, allowing them to create anonymous accounts on social media, messaging apps, and other online services.

This anonymity was then leveraged to commit a wide range of serious crimes, including:

  • Large-scale phishing and smishing campaigns
  • Investment fraud
  • Fake "daughter-son" scams on platforms like WhatsApp
  • Extortion
  • Distribution of child sexual abuse material

The operation is directly linked to over 3,200 individual cyber fraud cases, with estimated financial damages of €4.5 million in Austria and €420,000 in Latvia. The seizure of servers, websites, and financial assets (over €431,000 and $333,000 in crypto) has effectively crippled the group's ability to operate.


Technical Analysis

The threat actors utilized a large-scale infrastructure built around SIM box devices. A SIM box is a piece of hardware that contains multiple SIM cards, which are connected to a cellular network and the internet. It allows for the automated sending and receiving of SMS messages, making it ideal for bulk account verification. The criminals behind "SIMCARTEL" offered this capability as a service, accessible via an API through their websites.

MITRE ATT&CK Techniques:

  • T1583.006 - Web Services: The criminals acquired and set up web services (gogetsms[.]com, apisim[.]com) to market and sell their fraudulent services.
  • T1583.004 - Digital Certificates: The websites likely used SSL/TLS certificates to appear legitimate to their criminal clientele.
  • T1566 - Phishing: The infrastructure directly enabled phishing and other social engineering attacks by providing anonymous communication channels.
  • T1071.001 - Web Protocols: The CaaS platform was accessed via standard web protocols (HTTP/HTTPS) through their websites and APIs.

Impact Assessment

The dismantling of "SIMCARTEL" delivers a significant blow to the cybercrime underground. The primary impact is the disruption of a key enabler for fraud, making it more difficult and costly for criminals to obtain anonymous accounts for malicious activities. For businesses, particularly social media and communication platforms, this reduces the influx of fraudulent accounts used for spam, scams, and abuse. The financial impact is substantial, with millions in direct losses prevented and the seizure of criminal assets. The public splash pages now displayed on the seized domains serve as a strong deterrent to other cybercriminals.


IOCs

Type   | Value          | Description
domain | gogetsms[.]com | Seized website promoting illegal CaaS services.
domain | apisim[.]com   | Seized website promoting illegal CaaS services.

Detection & Response

Detecting the abuse of such services requires a multi-layered approach.

For Online Platforms:

  1. Phone Number Reputation: Analyze the velocity and diversity of accounts being registered with a single phone number or a block of numbers from the same provider. Numbers used for hundreds of verifications in a short period are highly suspicious.
  2. IP and Geolocation Analysis: Correlate the IP address making the registration request with the geolocation of the phone number's country code. Mismatches can be an indicator of fraud.
  3. Behavioral Analysis: Monitor new accounts for immediate engagement in spamming or fraudulent activity. Accounts created via SIM farms often exhibit automated, non-human behavior.
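
The first two checks above, sketched as an added example (not code from the article or from any platform it names). It flags registrations by per-number velocity, by the number of distinct numbers drawn from one prefix block, and by a mismatch between IP country and phone country code; the thresholds, the dial-code table, the event tuple layout and the sample registrations are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # all thresholds here are assumed; tune to your baseline
MAX_ACCOUNTS_PER_NUMBER = 3   # accounts verified by one number per window
MAX_NUMBERS_PER_BLOCK = 5     # distinct numbers from one prefix per window
BLOCK_PREFIX_LEN = 8          # leading E.164 characters treated as one block
DIAL_TO_COUNTRY = {"+371": "LV", "+43": "AT", "+372": "EE", "+358": "FI"}

def phone_country(number):
    """Longest-prefix match of an E.164 number against the dial-code table."""
    for n in (4, 3, 2):
        if number[:n] in DIAL_TO_COUNTRY:
            return DIAL_TO_COUNTRY[number[:n]]
    return None

def score_registrations(events):
    """events: time-ordered (timestamp, account_id, phone, ip_country) tuples.
    Returns [(account_id, [reasons])] for registrations worth reviewing."""
    per_number, per_block = defaultdict(deque), defaultdict(deque)
    flagged = []
    for ts, account, phone, ip_country in events:
        num_q, blk_q = per_number[phone], per_block[phone[:BLOCK_PREFIX_LEN]]
        num_q.append((ts, account))
        blk_q.append((ts, phone))
        for q in (num_q, blk_q):      # expire entries outside the sliding window
            while ts - q[0][0] > WINDOW:
                q.popleft()
        reasons = []
        if len({a for _, a in num_q}) > MAX_ACCOUNTS_PER_NUMBER:
            reasons.append("number_velocity")
        if len({p for _, p in blk_q}) > MAX_NUMBERS_PER_BLOCK:
            reasons.append("block_diversity")
        country = phone_country(phone)
        if country and ip_country != country:
            reasons.append("geo_mismatch")
        if reasons:
            flagged.append((account, reasons))
    return flagged

def sample_events():
    """Constructed registrations, not real data."""
    t0 = datetime(2025, 1, 1, 12, 0)
    m = lambda i: t0 + timedelta(minutes=i)
    ev = [(t0, "a0", "+4366012345", "AT")]                                  # ordinary signup
    ev += [(m(1 + i), f"b{i}", "+37120000001", "LV") for i in range(5)]     # one number, 5 accounts
    ev.append((m(10), "c0", "+358401234567", "DE"))                         # country mismatch
    ev += [(m(20 + i), f"d{i}", f"+372500001{i}", "EE") for i in range(7)]  # sequential block
    return ev
```

A geo mismatch alone also fires for roaming or travelling users, so treat it as a signal to combine with the velocity reasons rather than a verdict.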

Mitigation

Mitigating the threat of CaaS platforms like "SIMCARTEL" involves both technical controls and user awareness.

Strategic Mitigations:

  • Enhanced Account Verification: Move beyond simple SMS verification. Implement multi-factor authentication (MFA) using authenticator apps or hardware tokens, which are harder to automate at scale.
  • Rate Limiting: Aggressively rate-limit registration and verification attempts from suspicious IP ranges or against phone numbers showing high usage.
  • Collaboration: Technology companies should continue to collaborate with law enforcement to identify and report fraudulent infrastructure.

Tactical Mitigations for Users:

  • Be Skeptical of Unsolicited Messages: Be wary of urgent requests for money or personal information, even if they appear to come from a known contact (e.g., the "daughter-son" scam).
  • Verify Requests Through Another Channel: If you receive a suspicious message, contact the person through a different, known-good communication method (e.g., call them on their known phone number) to verify the request.

Timeline of Events

  1. October 10, 2025: Coordinated law enforcement raids take place in Latvia, leading to arrests and infrastructure seizure.
  2. October 19, 2025: This article was published.

MITRE ATT&CK Mitigations

Training users to recognize and report phishing and other social engineering scams is crucial to defending against the fraud enabled by services like SIMCARTEL.

Implementing stronger forms of MFA (e.g., authenticator apps) for account registration and login makes it much harder for criminals to abuse automated SMS verification services.

Online platforms can analyze user behavior during registration and login to detect anomalies indicative of fraudulent activity, such as high-velocity registration attempts.

D3FEND Defensive Countermeasures

Online service providers should implement robust Network Traffic Analysis to detect patterns associated with CaaS platforms. This involves monitoring for high volumes of registration or SMS verification requests originating from a concentrated set of IP addresses, data centers, or known malicious hosting providers. By establishing a baseline of normal registration traffic, security teams can create alerts for significant deviations that suggest automated bot activity. Correlating this traffic with other indicators, such as the ASN of the source IP and the time of day, can further enhance detection accuracy. This technique is essential for identifying and blocking the source of fraudulent account creation before it can be used for malicious purposes.
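
The baseline-and-deviation idea in the paragraph above, as an added example that is not from the article: registration counts are baselined per source ASN and hour of day, and today's traffic is flagged when it departs from that baseline. The z-score threshold, the minimum bucket size, the cap for sources with no history and the sample counts are assumptions constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

Z_THRESHOLD = 3.0      # assumed alerting threshold
MIN_EVENTS = 20        # ignore tiny buckets so one extra signup cannot alert
NEW_SOURCE_LIMIT = 50  # assumed cap for (ASN, hour) buckets with no history

def build_baseline(history):
    """history: list of (day, asn, hour, registrations).
    Returns {(asn, hour): (mean, stddev)} over the observed days."""
    buckets = {}
    for _day, asn, hour, count in history:
        buckets.setdefault((asn, hour), []).append(count)
    return {k: (mean(v), pstdev(v)) for k, v in buckets.items()}

def find_deviations(baseline, requests):
    """requests: list of (asn, hour) tuples, one per registration request today.
    Returns sorted alerts as (asn, hour, count, reason)."""
    alerts = []
    for (asn, hour), count in Counter(requests).items():
        if count < MIN_EVENTS:
            continue
        if (asn, hour) not in baseline:
            # No history for this source: fall back to an absolute cap.
            if count > NEW_SOURCE_LIMIT:
                alerts.append((asn, hour, count, "no_baseline"))
            continue
        mu, sigma = baseline[(asn, hour)]
        # Floor sigma so a perfectly flat history does not divide by zero.
        z = (count - mu) / max(sigma, 1.0)
        if z >= Z_THRESHOLD:
            alerts.append((asn, hour, count, f"z={z:.1f}"))
    return sorted(alerts)

def sample_alerts():
    # Constructed data; AS64500-AS64502 are documentation ASNs.
    isp = [100, 110, 90, 105, 95, 100, 100]
    history = [(d, "AS64500", 14, c) for d, c in enumerate(isp)]
    history += [(d, "AS64501", 3, 5) for d in range(7)]
    today = [("AS64500", 14)] * 112 + [("AS64501", 3)] * 400 + [("AS64502", 3)] * 60
    return find_deviations(build_baseline(history), today)
```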

To counter the abuse of SMS-based verification, platforms should strongly encourage or mandate the use of more secure MFA methods. This includes Time-based One-Time Passwords (TOTP) via authenticator apps (e.g., Google Authenticator, Microsoft Authenticator) or hardware-based tokens (e.g., YubiKey). These methods are not susceptible to SIM swapping or abuse by SIM farms, as the second factor is tied to a physical or software device under the user's control. While SMS MFA is better than no MFA, promoting the adoption of app-based MFA as the default during user enrollment can significantly raise the bar for attackers attempting bulk account creation.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

CaaS, SIM box, fraud, Europol, law enforcement, phishing, smishing
