
Introduction: a cross-border takedown of a SIM-box CaaS platform
European law enforcement has disrupted a cybercrime-as-a-service (CaaS) operation that rented out phone numbers from a vast SIM-box infrastructure to help criminals register and run tens of millions of fake online accounts. The coordinated action, Operation SIMCARTEL, included 26 searches, seven arrests, seizure of 1,200 SIM boxes with 40,000 active SIMs, five servers, and the takeover of the gogetsms[.]com and apisim[.]com domains. Authorities from Austria, Estonia, Finland, and Latvia led the effort with Europol and Eurojust support. The main enforcement actions occurred on October 10, 2025, with public disclosures on October 17–19, 2025.
In brief
- Scale: Infrastructure enabled ~49–50 million online accounts using phone numbers from 80+ countries.
- Victims & losses (to date): ~1,700 fraud cases in Austria (~€4.5M) and ~1,500 in Latvia (~€420k).
- Arrests & seizures: 7 suspects detained; 1,200 SIM boxes, 40,000 active SIMs, hundreds of thousands of spare SIMs; 5 servers; 4 luxury vehicles; €431k in bank funds and €266k in crypto frozen.
- Use cases for criminals: phishing/smishing, fake-broker investment scams, marketplace scams, WhatsApp “daughter/son” impostor fraud, extortion, migrant smuggling, and distribution of CSAM.
Background & context: what is a SIM farm and why it’s dangerous
SIM farms (or SIM-box operations) aggregate thousands of SIM cards in rack-mounted gateways to terminate calls/SMS at scale and, increasingly, to rent disposable phone numbers that bypass phone-based verification on major platforms. This undermines platform integrity, fuels automated fraud, and erodes the reliability of SMS-based 2FA when threat actors can rotate numbers cheaply. Operation SIMCARTEL fits a broader pattern of law-enforcement moves against telecom-enabled fraud infrastructure in recent years, but stands out for its account-creation scale and CaaS commercialization.
Technical analysis: how the SIM-box platform worked
Provisioning & inventory. According to official releases and reporting, the service operated 1,200 SIM-box devices with 40,000 active SIMs, plus a large reserve of additional SIM cards. Numbers were registered to individuals from 80+ countries and programmatically rotated across 5 seized servers to deliver SMS/voice verification on demand.
Service delivery. Through gogetsms[.]com and apisim[.]com, customers could rent numbers to register new accounts and receive OTPs at scale; archived marketing snapshots touted “temporary numbers” and coverage for 160+ online services. The operators also monetized user-supplied SIMs—turning third-party cards into passive-income “assets” via the farm’s software.
Abuse workflows. With verified accounts in bulk, actors ran phishing/smishing trees, fake-broker funnels, marketplace scams, and impersonation plays (e.g., the WhatsApp “new number, urgent transfer” narrative), while hiding their identities and locations behind churned numbers.
Attribution & forensics. Seizure of servers and domain control should yield customer logs, API keys, payment trails, and SMS routing metadata, aiding follow-on investigations and potential victim notification. Officials signaled ongoing work to quantify total impact beyond Austria and Latvia.
Practical consequences & risk exposure
- Platform integrity: When one service enables tens of millions of “verified” sockpuppets, trust signals (phone-verified badges, velocity checks) degrade, amplifying spam/fraud and content manipulation.
- Account security: SMS OTP becomes less effective as a unique-user check if threat actors can bulk-rent numbers or SIM-jack abandoned ones.
- Financial fraud: Concrete losses already exceed €4.9M across Austria and Latvia, with more expected as cases are correlated.
- Telecom abuse: Large-scale SMS termination can distort carrier analytics and complicate A2P (application-to-person) filtering and fraud detection.
Operational recommendations: what defenders should do next
For enterprises & platforms
- De-emphasize SMS-only verification. Implement MFA with FIDO2/WebAuthn and device-bound passkeys; treat phone-verified status as low-confidence.
- Phone-reputation intelligence. Score registrations/logins using number risk signals (e.g., carrier type, virtual/SIM-box heuristics, number age, velocity across tenants).
- Graph & velocity guards. Rate-limit OTP requests; detect clustered registrations linked by number blocks, ASN, device fingerprints, or referral telemetry.
- Behavioral & content moderation. Continuously re-verify high-risk accounts; weight non-SMS signals (hardware attestation, payment reputation, social graph).
- KYC/AML controls (for fintech/crypto). Monitor for phone churn patterns in onboarding; require document + liveness for risky flows.
- Telecom cooperation. Share indicators (domains, IMSI/MSISDN patterns, OTP destination ranges) with carriers and threat intel ISACs post-takedown.
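A minimal sketch of the "graph & velocity guards" item above, as an added example that is not taken from the cited sources or from any platform's code: it groups sign-ups by number block, ASN and device fingerprint and flags any key that links too many distinct accounts inside a sliding window. The event field names, thresholds and sample data (reserved +999 numbers, documentation ASNs) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 3600     # sliding window in seconds (assumed value)
THRESHOLD = 5       # distinct accounts per key per window before flagging (assumed)
BLOCK_DIGITS = 4    # trailing digits dropped to form a "number block" (assumed)

def link_keys(ev):
    """Keys that can tie otherwise unrelated sign-ups together."""
    digits = "".join(c for c in ev["msisdn"] if c.isdigit())
    return [("block", digits[:-BLOCK_DIGITS]),
            ("asn", ev["asn"]),
            ("device", ev["device_fp"])]

def find_clusters(events, window=WINDOW_S, threshold=THRESHOLD):
    """Return {(kind, value): sorted account ids} for every link key that saw
    at least `threshold` distinct accounts inside one sliding window."""
    recent = defaultdict(deque)     # key -> deque of (timestamp, account)
    flagged = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for key in link_keys(ev):
            q = recent[key]
            q.append((ev["ts"], ev["account"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()         # drop sign-ups that fell out of the window
            accounts = {a for _, a in q}
            if len(accounts) >= threshold:
                flagged[key] |= accounts
    return {k: sorted(v) for k, v in flagged.items()}

def sample_events():
    """Constructed data: six sign-ups from one number block within ten minutes,
    each from a different ASN and device, plus two unrelated sign-ups."""
    farm = [{"ts": 1000 + 100 * i, "account": f"farm{i}",
             "msisdn": f"+9990001200{i:02d}", "asn": 64500 + i,
             "device_fp": f"dev-{i}"} for i in range(6)]
    other = [{"ts": 1200, "account": "alice", "msisdn": "+999555010001",
              "asn": 64510, "device_fp": "dev-a"},
             {"ts": 9000, "account": "bob", "msisdn": "+999777010001",
              "asn": 64511, "device_fp": "dev-b"}]
    return farm + other

if __name__ == "__main__":
    for key, accounts in find_clusters(sample_events()).items():
        print(key, accounts)
```

In the sample, rotating ASN and device per sign-up evades the per-ASN and per-device keys, but the shared number block still links the accounts, which is why the guard tracks several link keys at once.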
For telecoms & CPaaS
- Tighten SIM lifecycle validation; detect SIM-box signatures (unusual call/SMS profiles, permanent attachment to GSM gateways).
- Expand A2P anti-abuse with anomaly detection on OTP traffic and origin-destination entropy.
- Collaborate with law enforcement for real-time sinkholing of farmed ranges when legally feasible.
For end users
- Prefer app-based or hardware-key MFA where possible; be wary of urgent money requests from “new numbers”; verify out-of-band.
How SIMCARTEL differs from classic SIM-swapping rings
- Goal: SIMCARTEL industrialized account creation & anonymity; SIM-swappers typically aim to take over a specific victim’s number to intercept OTPs and reset accounts.
- Scale: Millions of accounts vs. targeted hijacks.
- Infrastructure: API-driven rental of phone numbers and OTP receipt vs. fraudulent SIM re-provisioning at carriers. Law enforcement has tackled both models before, but SIMCARTEL’s CaaS platform shows the maturing supply chain behind fraud at scale.
Summary: key takeaways
- A multi-country team took down a SIM-farm CaaS that fueled ~49–50 million fake accounts, with 7 arrests and substantial seizures on October 10, 2025.
- Early confirmed losses approach €5M across Austria and Latvia, and additional victims are likely as forensic analysis proceeds.
- SMS-based verification is increasingly insufficient as a trust anchor; organizations should re-weight identity proofing toward stronger, device-bound methods and behavior-based controls.
Sources / bibliography
- Europol press release, “Cybercrime-as-a-service takedown: 7 arrested”, Oct 17, 2025. (CyberScoop)
- Latvian State Police (Valsts policija), “In an international operation ‘SIMcartel’…”, Oct 17, 2025. (vp.gov.lv)
- BleepingComputer, “Europol dismantles SIM box operation renting numbers for cybercrime”, Oct 17, 2025. (BleepingComputer)
- CyberScoop, “Europol dismantles cybercrime network linked to $5.8M in financial losses”, Oct 17, 2025. (CyberScoop)
- The Hacker News, “Europol Dismantles SIM Farm Network Powering 49 Million Fake Accounts Worldwide”, Oct 19, 2025. (The Hacker News)

