Polish authorities have arrested four individuals linked to an organized criminal group that executed SIM swap attacks to drain cryptocurrency exchange accounts, laundering proceeds estimated to exceed tens of millions of Polish zlotys. The operation, coordinated by Poland’s Central Bureau for Combating Cybercrime (CBZC), involved agents from the U.S. Federal Bureau of Investigation (FBI) and Homeland Security Investigations (HSI), underscoring the cross-border nature of crypto-related cybercrime.
According to the CBZC, the suspects breached the IT infrastructure of companies cooperating with telecommunications providers. Using specialized software and social engineering techniques, they accessed employee email accounts, enabling them to hijack or clone victims’ phone numbers. Once they controlled the numbers, the attackers bypassed SMS-based two-factor authentication (2FA) to take over exchange accounts and steal digital assets.
The stolen funds were laundered through a distributed network of personal bank accounts in Poland and abroad, international payment platforms, and multi-currency digital wallets, making tracing difficult. Formal charges include participation in an organized criminal group, theft by hacking, and money laundering, with penalties of up to 25 years in prison. Authorities have not disclosed the identities of the accused or the affected exchanges, citing the ongoing international investigation.
Independent onchain researcher ZachXBT alleged that one detainee may be Wojtek Kulisz, a Polish social engineering threat actor known online as “Merry.” He noted that designer clothing and jewelry visible in official arrest footage appeared to match items Kulisz had displayed on Instagram. The claim remains unconfirmed by officials, but it highlights the growing role of blockchain investigators in linking online personas to criminal activity.
The case reinforces a critical security risk: reliance on phone numbers for authentication can expose crypto accounts to takeover, even when passwords are strong. For exchanges, the arrests add pressure to move away from SMS-based 2FA and implement stronger account recovery controls, withdrawal delays, and behavioral monitoring. For users, the incident serves as a reminder to use hardware security keys, authenticator apps, and withdrawal allowlists, and to avoid keeping large balances on exchanges.
