Europol Dismantles SIMCARTEL SIM Box Network Used for Mass Fake Account Creation and Global Cybercrime
- Rescana
- Oct 19

Executive Summary
On October 10, 2025, European law enforcement agencies, coordinated by Europol, dismantled a sophisticated SIM box operation known as SIMCARTEL. This criminal network provided cybercriminals with access to over 40,000 phone numbers from more than 80 countries, enabling the creation of approximately 49 million fraudulent online accounts and facilitating at least 3,200 confirmed fraud cases. The operation resulted in seven arrests, the seizure of 1,200 SIM box devices, five servers, two websites (gogetsms.com and apisim.com), and the freezing of significant financial assets. The infrastructure enabled a wide range of cybercrimes, including phishing, smishing, investment fraud, impersonation, extortion, and more, causing confirmed financial losses of nearly €5 million, with €4.5 million in Austria and €420,000 in Latvia. The takedown was a collaborative effort involving law enforcement from Austria, Estonia, Finland, and Latvia, with support from the Shadowserver Foundation. The investigation is ongoing, with forensic analysis of seized servers expected to reveal further details about the network’s customers and global impact. [BleepingComputer, 2025-10-17, https://www.bleepingcomputer.com/news/security/europol-dismantles-sim-box-operation-renting-numbers-for-cybercrime/], [Security Affairs, 2025-10-18, https://securityaffairs.com/183556/security/simcartel-operation-europol-takes-down-sim-box-ring-linked-to-3200-scams.html], [Breached Company, 2025-10-17, https://breached.company/operation-simcartel-europe-dismantles-massive-cybercrime-as-a-service-network/]
Technical Information
The SIMCARTEL operation was a large-scale, cybercrime-as-a-service network that provided anonymized, geographically diverse phone numbers to criminal clients worldwide. The technical infrastructure consisted of approximately 1,200 SIM box devices, each capable of hosting dozens of SIM cards from over 80 countries. These devices were distributed across multiple locations and connected to five central servers, which managed the routing of calls and SMS messages. The service was accessible through two primary websites, gogetsms.com and apisim.com, which allowed customers to rent phone numbers for short-term use.
A SIM box is a hardware device that can hold multiple SIM cards and route calls or SMS messages through them, making it appear as though communications originate from legitimate, local phone numbers. This technology is often used to bypass anti-fraud and anti-abuse mechanisms on online platforms, as well as to evade detection by law enforcement and service providers. In this case, the SIM boxes were used to provide phone numbers for the creation and verification of fake accounts on social media, messaging services, financial platforms, and e-commerce sites.
The operation’s automation capabilities enabled the rapid creation of millions of accounts. Investigators estimate that approximately 49 million fake online accounts were generated using this infrastructure. These accounts were then used to conduct a variety of cybercrimes, including phishing (fraudulent attempts to obtain sensitive information), smishing (phishing via SMS), investment fraud, impersonation of individuals and authorities, extortion, marketplace scams, and even the distribution of child sexual abuse material.
The technical sophistication of the operation is evident in its scale, automation, and ability to provide services to a global clientele. The infrastructure was designed to mask the true identity and location of its users, making it extremely difficult for victims, online platforms, and law enforcement to trace malicious activity back to the perpetrators. The websites offered a professional interface for renting numbers, and the organizational effort required to acquire and manage hundreds of thousands of SIM cards across 80 countries demonstrates a high level of criminal coordination.
The operation’s takedown involved the seizure of all core infrastructure, including the SIM boxes, servers, and websites. Law enforcement also froze €431,000 in bank accounts and $333,000 in cryptocurrency accounts linked to the suspects, and seized four luxury vehicles. Forensic analysis of the seized servers is ongoing and is expected to yield further evidence about the network’s customers and the full extent of its criminal activities.
The technical methods employed by the SIMCARTEL group align with several MITRE ATT&CK techniques, including T1585.002 (Compromise Infrastructure: Botnet), T1583.003 (Acquire Infrastructure: Virtual Private Server), T1078 (Valid Accounts), T1566.001 (Phishing: Spearphishing via Email/SMS), T1589.002 (Gather Victim Identity Information: Email Addresses), and T1648 (Serverless Infrastructure). These techniques reflect the group’s use of criminal infrastructure, account creation with fake credentials, phishing and smishing attacks, and the use of web-based services to scale operations.
No specific malware families were identified in the operation; the primary tools were the SIM box devices, the web-based rental platforms, and likely automation scripts for account creation and SMS handling. The operation’s focus was on providing infrastructure and services to other criminals, rather than directly deploying malware.
The SIMCARTEL group operated as a service provider within the broader cybercrime ecosystem, supplying infrastructure to a wide range of criminal clients. This model is analogous to legitimate business supply chains, where specialized providers offer tools and services to enable the activities of others. The group’s activities were not limited to cybercrime; at least one suspect was already under investigation for traditional organized crime offenses, such as arson and extortion.
The operation targeted multiple sectors, including financial services (investment fraud, fake banking sites), e-commerce (marketplace scams, fake shops), personal and consumer targets (impersonation, extortion, “daughter-son” WhatsApp scams), migration and smuggling (use of fake accounts for illicit activities), and child protection (distribution of illegal material). The ability to provide local phone numbers from a wide range of countries made the service attractive to criminals seeking to bypass geographic restrictions and anti-fraud controls.
Attribution for the operation is strong at the criminal group level, with seven individuals arrested, including five Latvian nationals and two additional suspects. One of the main suspects was previously wanted in Estonia for other serious crimes. There is no evidence linking the group to known advanced persistent threat (APT) actors or nation-state operations; the motivation appears to be financial gain through organized cybercrime.
All technical claims and details in this section are corroborated by three independent, primary sources, each with explicit dates and URLs provided. The evidence quality is high, with direct confirmation of infrastructure, methods, and impact from law enforcement and reputable cybersecurity news outlets.
Affected Versions & Timeline
The SIMCARTEL operation was active until its takedown on October 10, 2025. The criminal infrastructure included 1,200 SIM box devices, 40,000 active SIM cards, five servers, and two websites (gogetsms.com and apisim.com). The service provided phone numbers from more than 80 countries and was used to create approximately 49 million fake online accounts. The operation is linked to at least 3,200 confirmed fraud cases, with 1,700 in Austria and 1,500 in Latvia, resulting in nearly €5 million in documented financial losses. The investigation is ongoing, and the full timeline of the operation’s activities is still being established through forensic analysis of the seized infrastructure. [BleepingComputer, 2025-10-17, https://www.bleepingcomputer.com/news/security/europol-dismantles-sim-box-operation-renting-numbers-for-cybercrime/], [Security Affairs, 2025-10-18, https://securityaffairs.com/183556/security/simcartel-operation-europol-takes-down-sim-box-ring-linked-to-3200-scams.html], [Breached Company, 2025-10-17, https://breached.company/operation-simcartel-europe-dismantles-massive-cybercrime-as-a-service-network/]
Threat Activity
The SIMCARTEL network enabled a wide range of cybercriminal activities by providing anonymized, geographically diverse phone numbers for rent. The primary threat activities facilitated by the operation included phishing and smishing campaigns, investment fraud, impersonation of individuals and authorities, extortion, marketplace scams, migrant smuggling, and the distribution of child sexual abuse material. Criminals used the rented phone numbers to create and verify fake accounts on social media, messaging, financial, and e-commerce platforms, allowing them to conduct attacks while hiding their true identities and locations.
The operation’s scale and automation capabilities allowed for the rapid creation of millions of fake accounts, which were then used to target victims across multiple sectors. Phishing and smishing attacks tricked victims into revealing sensitive information, such as passwords and banking credentials. Investment fraud schemes promised unrealistic returns to lure victims into transferring funds. Impersonation scams included “daughter-son” WhatsApp messages and fake police communications, often pressuring victims into making urgent payments. Marketplace scams involved the sale of non-existent goods or services on legitimate platforms, while fake online shops and banking sites were used to steal credentials and financial information.
The infrastructure also supported more serious criminal activities, such as migrant smuggling and the distribution of illegal material. The ability to provide local phone numbers from over 80 countries made it possible for criminals to bypass geographic restrictions and anti-fraud controls, increasing the effectiveness and reach of their attacks.
The takedown of the SIMCARTEL operation has disrupted a major supply chain for cybercrime, but the investigation is ongoing, and law enforcement agencies are continuing to analyze the seized infrastructure to identify additional customers and criminal activities. The operation highlights the industrialization of cybercrime and the importance of targeting service providers within the criminal ecosystem.
Mitigation & Workarounds
Critical recommendations for organizations and individuals to mitigate risks associated with SIM box-enabled cybercrime are as follows:
Organizations should implement multi-factor authentication (MFA) that does not rely solely on SMS-based verification, as phone numbers can be easily spoofed or rented through services like those provided by SIMCARTEL. Monitoring for suspicious account creation patterns, such as multiple registrations from the same IP address or phone number range, is essential. Financial institutions and e-commerce platforms should enhance fraud detection systems to identify and block transactions or account activities originating from known SIM box ranges or suspicious geographic patterns. Regularly updating anti-fraud algorithms to account for new tactics used by cybercriminals, including the use of temporary or foreign phone numbers, is recommended.
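One way a platform could implement the registration monitoring described above, as an added example that is not code from Rescana or the cited sources: a sliding-window counter keyed by source IP and by phone number range. The event fields, thresholds, the 9-digit range key, and all sample data (documentation IP ranges, unassigned +999 numbers) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds below are assumptions for illustration; tune on real traffic.
WINDOW = timedelta(minutes=10)  # look-back window
MAX_PER_IP = 3                  # sign-ups tolerated per source IP per window
MAX_PER_RANGE = 4               # sign-ups tolerated per number range per window
RANGE_DIGITS = 9                # leading digits that define a "number range"

def sample_events():
    """Constructed sign-up log: (ISO timestamp, source IP, phone number)."""
    burst_ip = [(f"2025-10-01T09:0{i}:00", "203.0.113.7", f"+9990{i}0555001")
                for i in range(1, 5)]     # 4 sign-ups, one IP, 4 minutes
    burst_range = [(f"2025-10-01T10:0{i}:00", f"192.0.2.{i}", f"+99900012301{i}")
                   for i in range(1, 6)]  # 5 IPs, adjacent numbers, 5 minutes
    slow_ip = [(f"2025-10-01T1{i}:30:00", "198.51.100.20", f"+9995{i}0777001")
               for i in range(1, 5)]      # same IP, but one sign-up per hour
    return burst_ip + burst_range + slow_ip

def number_range(phone):
    """Reduce a phone number to its leading digits (the range key)."""
    return "".join(c for c in phone if c.isdigit())[:RANGE_DIGITS]

def detect_bursts(events):
    """Return the (kind, key) pairs that exceeded their limit inside WINDOW."""
    recent = defaultdict(deque)  # (kind, key) -> timestamps still in window
    flagged = set()
    for ts, ip, phone in sorted(events):
        now = datetime.fromisoformat(ts)
        checks = (("ip", ip, MAX_PER_IP),
                  ("range", number_range(phone), MAX_PER_RANGE))
        for kind, key, limit in checks:
            seen = recent[(kind, key)]
            seen.append(now)
            while now - seen[0] > WINDOW:  # drop sign-ups older than the window
                seen.popleft()
            if len(seen) > limit:
                flagged.add((kind, key))
    return flagged

if __name__ == "__main__":
    for kind, key in sorted(detect_bursts(sample_events())):
        print(f"suspicious {kind}: {key}")
```

The hourly sign-ups from 198.51.100.20 stay below the limit because the window expires between them, which is why a fixed per-day count alone would misclassify that source.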
Individuals should be cautious when receiving unsolicited messages or calls, especially those requesting sensitive information or urgent payments. Verifying the identity of the sender through alternative channels before responding to requests for money or personal data is critical. Avoid relying solely on SMS-based authentication for securing important accounts.
Law enforcement and telecommunications providers should collaborate to detect and dismantle SIM box operations by monitoring for abnormal usage patterns, such as high volumes of SMS or calls from a single device or location. Sharing intelligence on known criminal infrastructure and suspicious activity across borders is vital for disrupting similar operations in the future.
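A sketch of the provider-side monitoring described above, added here as an example and not taken from any operator's or agency's tooling. It profiles one day of usage per device and per cell; the record layout, identifiers and thresholds are constructed assumptions, and counting distinct SIMs per device and stationary SIMs per cell goes beyond the plain volume check the text mentions.

```python
from collections import defaultdict

# Thresholds are assumptions for illustration, not operator guidance.
MAX_SMS_PER_DEVICE = 200       # daily SMS volume for one device
MAX_SIMS_PER_DEVICE = 4        # distinct SIMs seen in one device per day
MAX_STATIC_SIMS_PER_CELL = 8   # SIMs that only ever appeared on this cell

def build_records():
    """Constructed one-day sample: (device_id, sim_id, cell_id, sms_count)."""
    recs = []
    # Gateway-like device: 16 SIMs behind one device, always on one cell.
    recs += [("dev-box-1", f"sim-b{i:02d}", "cell-17", 40) for i in range(16)]
    # Ordinary handsets: one SIM each, low volume, seen on two cells.
    for i in range(6):
        recs.append((f"dev-h{i}", f"sim-h{i}", "cell-17", 5))
        recs.append((f"dev-h{i}", f"sim-h{i}", f"cell-{30 + i}", 7))
    # A busy but ordinary single-SIM device.
    recs.append(("dev-h9", "sim-h9", "cell-42", 90))
    return recs

def profile(records):
    """Return (flagged devices, flagged cells) for one day of records."""
    sms = defaultdict(int)            # device -> total SMS
    sims = defaultdict(set)           # device -> SIMs seen in it
    cells_of_sim = defaultdict(set)   # SIM -> cells it appeared on
    for dev, sim, cell, count in records:
        sms[dev] += count
        sims[dev].add(sim)
        cells_of_sim[sim].add(cell)
    static = defaultdict(int)         # cell -> SIMs that never left it
    for sim, cells in cells_of_sim.items():
        if len(cells) == 1:
            static[next(iter(cells))] += 1
    devices = {d: (sms[d], len(sims[d])) for d in sms
               if sms[d] > MAX_SMS_PER_DEVICE
               or len(sims[d]) > MAX_SIMS_PER_DEVICE}
    cells = {c: n for c, n in static.items() if n > MAX_STATIC_SIMS_PER_CELL}
    return devices, cells

if __name__ == "__main__":
    devices, cells = profile(build_records())
    print("devices (sms, sims):", devices)
    print("cells (stationary SIMs):", cells)
```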
The above recommendations are prioritized as follows: Critical for organizations to move away from SMS-based authentication and enhance fraud detection; High for individuals to verify requests and avoid SMS-based security; Medium for ongoing law enforcement and telecom collaboration; and Low for general awareness campaigns.
References
BleepingComputer, 2025-10-17: https://www.bleepingcomputer.com/news/security/europol-dismantles-sim-box-operation-renting-numbers-for-cybercrime/
Security Affairs, 2025-10-18: https://securityaffairs.com/183556/security/simcartel-operation-europol-takes-down-sim-box-ring-linked-to-3200-scams.html
Breached Company, 2025-10-17: https://breached.company/operation-simcartel-europe-dismantles-massive-cybercrime-as-a-service-network/
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their external partners and vendors. Our platform supports the identification of supply chain risks, detection of suspicious infrastructure, and rapid response to emerging threats. For questions about this report or to discuss how Rescana can support your organization’s risk management efforts, please contact us at ops@rescana.com.