Bitcoin Bandit Sentenced to a Decade Behind Bars in Nation’s First SIM-Swap Conviction

When Mitch Liu’s cellphone suddenly stopped working on a Monday in mid-February last year, the CEO of Cupertino-based streaming platform SLIVER.tv knew to act fast.

The 48-year-old Los Altos resident called AT&T, which informed him that someone claiming his identity and armed with his Social Security number walked into one of the mobile provider’s stores to request a new SIM card. By texting from the stolen phone number, the SIM thief reset the password to one of Liu’s secondary Gmail accounts before AT&T regained control.

Five weeks went by before the next hack. At 11:55am on March 19, 2018, Liu got a text from AT&T notifying him of another password change—this time to his primary emails, which held a fount of personal and financial information. Using Google’s two-factor authenticator, the hacker began resetting passwords to Liu’s cryptocurrency exchanges. Some $10,000 went missing.

A day later, Liu’s wife got a call from her husband’s number. Liu answered to hear a voice at the other end of the line that sounded deep and robotic—clearly disguised.

Liu hung up.

The caller persisted, sending texts to Liu’s daughter. “TELL YOUR DAD TO GIVE US BITCOIN,” one read. Police say the hacker also slid into Liu’s social media accounts. Posing as Liu, the identity thief began hitting up contacts about borrowing cryptocurrency. REACT—short for the Regional Enforcement Allied Computer Team—responded by hacking the hacker.

Using call details obtained from AT&T by a search warrant, they mapped out the suspect’s whereabouts, which centered around Boston. Records further revealed that the Samsung device to which the hacker switched Liu’s number was associated with an email for Joel Ortiz, a then-18-year-old high school valedictorian who still lived with his mom about a mile-and-a-half from Harvard University.

Turned out, Liu was merely a test run.

REACT detectives discovered that Ortiz stole more than $7.5 million from upward of 40 victims—two of whom reside in Silicon Valley. The young man—who spent his ill-gotten gains lavishly on $100,000 nights at Los Angeles clubs, Airbnb mansion rentals, private helicopter rides to music festivals and designer luggage and clothing—agreed to pay restitution and pleaded no contest on Jan. 24 to 10 felony counts of theft. On Friday, Santa Clara County Judge Edward Lee sentenced him to a decade in prison.

The case, first reported by the Mercury News, proved remarkable—and not just for the youth of the perpetrator and the flamboyantly reckless way he frittered away his loot and bragged about it online. It was a first in more ways than one.

For REACT—a small unit of local officers managed by the Santa Clara County District Attorney’s Office and one of just five such task forces in California—it was the first investigation of its kind. Officers pursuing Ortiz say they knew next to nothing about illegal SIM-swaps when they launched the probe, which turned into the kind of interstate operation typically handled by federal agencies.

By the time officers caught up with Ortiz at LAX last summer, it became the first arrest of its kind—not just for REACT, but nationally. And when Ortiz copped to the crimes earlier this year, he became one of the first in the country to be convicted of pilfering digital money through cellphone hacking.

Ultimately, Ortiz’s irresistible urge to gloat about his heists led to his capture—and a few critical missteps led the REACT unit to other suspects.

Xzayver Narvaez, a 19-year-old from Tracy, was arrested in mid-August last year after police noticed that a cellphone used by Ortiz for SIM-swapping had been used to log into a Google account identified as [email protected]. Narvaez, who allegedly spent the proceeds of his crypto-heists on high-end sports cars, is now on supervised release at his Central Valley home and due in court May 2 for a preliminary hearing.

On Sept. 24, REACT arrested Kansas City native Joseph Harris on suspicion of pillaging $14 million in cryptocurrency tokens from San Jose-based Crowd Machine CEO Craig Sproule. A few months later, detectives busted Fresno’s Kalvin Ung for allegedly stealing $500,000 in cryptocurrency from a dozen victims. New York City’s Nicholas Truglia was subsequently arrested for numerous alleged SIM swap-related thefts throughout the US, including one that took $1 million from a Cupertino dad’s college fund for his daughters.

Deputy DA Erin West said the accused SIM-swappers have almost nothing to show for their alleged crimes. Police seized $400,000 from Ortiz, but say the rest of those millions were either spent or hidden.

“These are not Robin Hoods,” West said in a news release announcing the sentencing this week. “These are crooks who use a computer instead of a gun. They are not just stealing some ethereal, experimental currency. They are stealing college funds, home mortgages, people’s financial lives.”

All three men are held at the Elmwood Correctional Facility in Milpitas.

Cybersecurity expert Brian Krebs, a former Washington Post reporter who runs the site KrebsOnSecurity.com, told San Jose Inside that the only way for consumers to protect themselves from heists like the one pulled by Ortiz and his ilk is to disconnect their cellphones from anything they care about online. That’s because PINs and security questions can be bypassed if somebody pays off a mobile phone company clerk to override those safeguards.

“So many places online require you to provide a phone number when you set up an account, which means that if somebody gets control of your phone number, they can then reset the password for a ridiculous number of accounts,” he said. “And all these mobile companies say they can put passcodes and PINs in place, but none of that matters if there’s a crooked employee.”

Krebs advises people to use a Google Voice number for account sign-ups instead.

“Mere mortals cannot get Google on the phone, so, in a weird way, that’s a benefit,” he said. “There’s no employee there to bribe.”

Jennifer Wadsworth is the news editor for San Jose Inside and Metro Silicon Valley. Email tips to [email protected]. Follow her on Twitter at @jennwadsworth.

5 Comments

  1. So sorry for those families. I just hope the DA office will investigate public official corruption, particularly the Santa Clara Family Court. This legal entity also takes savings, mortgages, college funds, and people’s financial lives from majority middle class families. They do this by making cases long, giving custody to parents with sexual deviations and other concerning problems, creating family discord so parents fight longer, and so on. Families pay on average $350 per hour to an average family law attorney. They not only take people’s financial lives but also their mental and physical health. SANTA CLARA COUNTY DA Office is much worse than these criminals. RECALL DA JEFF ROSEN!

  2. > By the time officers caught up with Ortiz at LAX last summer, it became the first arrest of its kind—not just for REACT, but nationally.

    Oh WOW!

    Looks like actual real journalism.

    Good work, Jennifer.

    The definition of “news” is: stuff that people didn’t know. Almost no one knows who these hackers are or if they’re ever caught.

    The good news is: finally some real consequences for the dark underworld of cyber criminals.

    The bad news is: it really, really shows how far behind the crooks the law enforcers are.

  3. > That’s because PINs and security questions can be bypassed if somebody pays off a mobile phone company clerk to override those safeguards.

    . . . . “And all these mobile companies say they can put passcodes and PINs in place, but none of that matters if there’s a crooked employee.”

    CROOKED EMPLOYEES ? ! ! ! !

    YOU MEAN THERE ARE CROOKED EMPLOYEES ? AND, THEY CAN STEAL THINGS ? ! ! !

    You don’t suppose that “crooked employees” of — oh, say — the POST OFFICE could fiddle with ballots cast in a VOTE BY MAIL election?

    The “crooked employee” actually wouldn’t have to do very much, just look the other way while someone scans ballot envelopes in the postal truck with an “intelligent scanner” and vaporizes those ballots suspected of being cast for candidates less noble than the candidates of the party preferred by Mr. Google or Mr. Facebook.

    Let’s all pretend that, even though Russians can manipulate U.S. elections, NOBODY could do anything bad to a CALIFORNIA election. They couldn’t. They wouldn’t DARE.

  4. REACT should be highly praised and economically rewarded for their outstanding accomplishments!

    The aforementioned “Crypto-currency” thieves should be turned “electronically loose” upon foreign governments who routinely cause computer technology associated thefts. Just think what North Korea, China, and Russia would do if these youngsters ripped-off what crypto-cash they have stashed away for a rainy day. Jailing these guys is a waste of talent. Put them to work devising safeguards for computer based thefts of all kinds.

    Is Crypto-currency tracked for taxation purposes or is it part of the black-market of ill gotten gains? How does a person rack up $14 million or $7.5 million of this currency without being detected by someone?

    David S. Wall
