European law enforcement has dismantled a large-scale SIM-farm ecosystem in an operation codenamed SIMCARTEL, disrupting a global pipeline for phishing, investment fraud, extortion, marketplace scams, and mass creation of fake accounts. According to Europol, the criminal infrastructure comprised roughly 1,200 SIM-boxes and 40,000 SIM cards, enabling industrialized telecom abuse across multiple regions.
Scale of the SIMCARTEL takedown and telecom infrastructure
The investigation—coordinated by Europol with support from the Shadowserver Foundation and authorities in Austria, Estonia, Finland, and Latvia—led to the shutdown of the number-rental services gogetsms[.]com and apisim[.]com. These platforms offered phone numbers registered to individuals in 80+ countries, allowing customers to mask identity and location, bypass platform controls, and automate account verification at scale.
Law enforcement links the network to more than 49 million fraudulent accounts created using rented numbers. Authorities report at least 1,700 cases in Austria and 1,500 in Latvia, with over 3,200 recorded incidents and minimum losses exceeding €4.5 million. Five Latvian nationals were arrested and two additional suspects identified; procedural seizures were also executed. Europol described the infrastructure as “technically sophisticated” and enabling a broad spectrum of telecom-enabled cybercrime.
SIM farms and SIM-boxes explained
SIM farms are clusters of SIM-boxes—GSM gateways loaded with dozens or hundreds of SIM cards from mobile operators. These devices programmatically send and receive calls and SMS, rotating SIMs to avoid carrier controls. The primary goal is to evade operator restrictions and anonymize traffic, which facilitates bulk phishing campaigns, one-time account registrations with “clean” numbers, and obfuscation of communication origins.
How criminals weaponize SIM farms: phishing, fake shops, and police impersonation
Investigators observed SIMCARTEL’s infrastructure being used for telecommunications-enabled cybercrime, including phishing, extortion, investment fraud, marketplace scams, WhatsApp payment requests, fake e-commerce and banking sites, and impersonation of police officers. Attackers localize caller IDs and SMS routes, making messages appear to originate from trusted, in-country numbers—significantly increasing victim response rates.
Why SMS OTP and phone-based KYC are fragile
The mass rental of phone numbers undermines traditional KYC and SMS-based one-time passwords (OTP). Disposable and virtual numbers become expendable assets for creating synthetic profiles, evading platform limits, and scaling social engineering. The outcome: waves of fake accounts, bonus abuse, money muling, and broader data compromise. While SMS OTP remains better than no second factor, it is neither phishing-resistant nor resilient against number rental, SIM farms, or OTP relaying.
Recommended controls for organizations
- Adopt phishing-resistant MFA: prioritize FIDO2 passkeys and hardware security keys; support TOTP authenticators and push approvals with number matching; reserve or phase out SMS OTP, especially for high-risk flows.
- Session risk scoring: combine device fingerprinting, behavioral analytics, IP/ASN and phone reputation, emulator/automation detection, velocity limits on sign-ups and OTP requests, and step-up authentication when risk rises.
- Phone-number intelligence and policy: use datasets that flag high-risk ranges and line types; block disposable/virtual numbers; cap verification attempts per number; where lawful, use carrier lookups (line type, SIM tenure, porting status) to validate ownership risk.
- Traffic trust and A2P monitoring: track OTP delivery anomalies by route/operator, detect spikes in failures, and collaborate with MNOs to identify SIM-box patterns such as rapid IMSI/IMEI churn and implausible geographic movement.
- Cross-sector collaboration: share indicators with carriers, fraud-intelligence providers, and industry ISACs; integrate takedown intelligence into registration and messaging controls.
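
An added example, not from Europol or the original article, showing how the velocity limits, per-number verification caps, and disposable/virtual number blocking described above can be combined into one sliding-window gate for OTP requests. The class name, thresholds, line-type labels, and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# All thresholds and labels below are assumed values; tune them on real traffic.
WINDOW_S = 600                                   # sliding window, seconds
MAX_OTP_PER_NUMBER = 3                           # OTP requests per number per window
MAX_NUMBERS_PER_DEVICE = 2                       # distinct numbers per device per window
BLOCKED_LINE_TYPES = {"virtual", "disposable"}   # labels from a hypothetical number-intelligence feed


class OtpVelocityGate:
    """Decide allow / step_up / block for each OTP request."""

    def __init__(self):
        self.by_number = defaultdict(deque)   # phone -> request timestamps
        self.by_device = defaultdict(deque)   # device -> (timestamp, phone)

    def decide(self, ts, phone, device, line_type):
        if line_type in BLOCKED_LINE_TYPES:
            return "block"
        nq, dq = self.by_number[phone], self.by_device[device]
        # Drop observations that have aged out of the window.
        while nq and ts - nq[0] >= WINDOW_S:
            nq.popleft()
        while dq and ts - dq[0][0] >= WINDOW_S:
            dq.popleft()
        # Rejected requests still count, so retries cannot reset the cap.
        nq.append(ts)
        dq.append((ts, phone))
        if len(nq) > MAX_OTP_PER_NUMBER:
            return "block"
        # One device cycling through many numbers resembles rented-number sign-ups.
        if len({p for _, p in dq}) > MAX_NUMBERS_PER_DEVICE:
            return "step_up"
        return "allow"


# Constructed sample events: (timestamp, phone, device fingerprint, line type).
EVENTS = [
    (0, "+10000000001", "dev-A", "mobile"),
    (30, "+10000000002", "dev-A", "mobile"),
    (60, "+10000000003", "dev-A", "mobile"),    # third number on dev-A
    (90, "+10000000004", "dev-B", "virtual"),   # blocked line type
    (100, "+10000000005", "dev-C", "mobile"),
    (110, "+10000000005", "dev-C", "mobile"),
    (120, "+10000000005", "dev-C", "mobile"),
    (130, "+10000000005", "dev-C", "mobile"),   # fourth OTP in the window
    (800, "+10000000005", "dev-C", "mobile"),   # earlier requests have expired
]


def run(events):
    gate = OtpVelocityGate()
    return [gate.decide(*e) for e in events]
```

In production the per-number and per-device state would live in a shared store with expiry rather than in process memory.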
Practical safety tips for consumers
- Be skeptical of calls and texts—even from “local” numbers. Independently verify requests via official channels.
- Check domains carefully; avoid shortened or lookalike links; access banking apps only through official app stores.
- Never share SMS codes or MFA prompts. Treat unsolicited payment or investment messages as high risk.
- Report suspected scams to your bank, platform, and national cybercrime hotline.
The SIMCARTEL takedown disrupts a major enabler of telecom fraud and OTP abuse, raising the cost of at-scale social engineering. Sustained progress, however, depends on coordinated action by law enforcement, mobile operators, and online platforms. Organizations should accelerate migration away from SMS as a primary factor, deploy risk-based verification, and continuously refresh anti-fraud models. These steps materially reduce account takeovers, synthetic sign-ups, and direct financial losses fueled by SIM-farm infrastructure.