The Secret SIMs Used By Criminals to Spoof Any Number
Criminals use so-called Russian, encrypted, or white SIMs to change their phone number, add voice manipulation to their calls, and try to stay ahead of law enforcement.
The unsolicited call came from France. Or at least that’s what my phone said. When I picked up, a man asked if I worked with the National Crime Agency, the UK’s version of the FBI. When I explained, no, as a journalist I don’t give information to the police, he said why he had contacted me.
“There are these special SIM cards out there,” he said, referring to the small piece of hardware that slips inside a cell phone. “I’m actually ringing from one now,” he added, before later explaining he runs an underground site that sells these cards.
This SIM card, the caller said, allowed him to spoof any phone number he wanted. Want to look like you’re calling from a bank in order to scam a target? Easy. Want to change it to a random series of digits so that the recipient’s phone won’t record your real number? That just takes a few seconds to set up, according to tutorials of how to use the cards available online.
Russian SIMs. Encrypted SIMs. White SIMs. These cards go by different names in the criminal underground, and vary widely in quality and features. But all are generally designed to give the user some sort of security or privacy benefit, even if what that particular SIM does is more theatre than substance. Beyond spoofing phone numbers, some SIMs let a caller manipulate their voice in real-time, adding a baritone or shrill cloak to their phone calls that is often unintentionally funny. Other cards have the more worthwhile benefit of being worldwide, unlimited data SIMs that criminals source anonymously from suppliers without having to give up identifying information and by paying in Bitcoin.
The SIM cards themselves aren’t inherently illegal, but criminals certainly make up a noticeable chunk of the companies’ customer bases. The NCA told Motherboard it has seized so-called Russian SIMs from suspects during investigations. The existence of this bustling industry highlights how crime figures continue to try and leverage different technologies, and comes as government agencies successfully crack down on other parts of criminal technical infrastructure.
“They are the most popular SIMs in crime,” a source close to the criminal world told Motherboard, referring to the anonymously sourced data SIMs. Motherboard granted multiple sources in this story anonymity to protect them from retaliation or to speak more candidly about industry practices.
Criminals often make use of so-called encrypted phones, customized devices that in some cases have the microphone, GPS, and camera functionality removed. Some of these companies also offer Russian or encrypted SIM cards, letting customers buy not just a handset, but the data and roaming capability they would need to actually use the phone quickly, as well as some extra features from the SIM if they like. Companies or individuals don’t always sell both the phone and the SIM, but the industries do overlap.
To test the process of obtaining such a SIM, Motherboard purchased a so-called white SIM, known for not having any branding or labelling, through a source close to the criminal world. After sending the supplier around $100 in Bitcoin, a package arrived the next day.
A list of countries where this particular SIM worked, shared with Motherboard, included Colombia, the UK, Morocco, Mexico, the UAE, and the U.S.
After receiving the SIM card and putting it into an unlocked phone, a user has to change the Access Point Name or “APN” on the device. An APN is a collection of settings a phone uses to set up a connection between the carrier’s cell network and the wider internet. Essentially, entering this tells a user’s phone that they want to connect to a particular phone network, one that it may not ordinarily recognize.
In one video uploaded to YouTube in April, a SIM vendor demonstrated how to spoof phone numbers with their product. The vendor typed a series of digits on their phone, followed by an asterisk, then the number they wanted to mimic, and then the hash symbol. After a pause, a second phone displayed an incoming call from the spoofed number.
In another video, a second vendor, this time wearing what appears to be black rubber gloves, demonstrated how to do the same with their own SIM.
“Contacting Server,” the message on a Nokia handset read. Moments later, they received a call from 07777 777777; an obviously spoofed number.
A SCREENSHOT FROM A YOUTUBE VIDEO DEMONSTRATING NUMBER SPOOFING ON A SO-CALLED RUSSIAN SIM. IMAGE: SCREENSHOT.
“Scammers use [it] to call people so it shows [a] bank number or eBay,” one alleged vendor, who went by the handle Captain on the messaging app Telegram, told Motherboard. “They get sold worldwide. Spain. Morocco. Europe shit loads,” they added.
“You can actually pick any number that you want,” the person who said they phoned me from one of the SIMs said. “I could change it every call and keep running from a different number every time,” they added, making blocking a caller difficult.
Though some of these SIMs are sold clandestinely, through messaging apps and via people in-the-know, public facing companies also sell these cards.
“After the call has ended, your interlocutor is left with the randomly generated number in his/her call log,” the website for Secure SIMs, one company selling the cards, reads. And some sellers advertise their SIM cards on more clearly crime-focused marketplaces. The underground site Motherboard accessed sold so-called “fullz,” which are pieces of credit card data, as well as access to hacked PayPal and bank accounts alongside SIM cards.
Other videos online show similar SIM cards and their voice changing feature. In one, a seller briefly shows some of the options available, such as “Man,” “Woman,” “Child,” and “Cartoon.”
Karsten Nohl, a security researcher from SRLabs focused on telecommunications security, told Motherboard in an email that operators of the SIM cards likely run their own Mobile Virtual Network Operator (MVNO), which is essentially a telecom company piggybacking off of the infrastructure of a more established network. Many MVNOs exist, including Google’s Fi, which runs on top of T-Mobile’s infrastructure.
In order to obtain SIMs and data to sell, smaller companies can go to different carriers around the world and buy the data in bulk, according to a source who currently works in the secure communications industry.
“Then you start selling these SIM cards as pooled data,” the source said. To enter relationships with telcos in the United States or Canada, companies will likely need to create an MVNO, but may not need to in some other countries, the source said.
Dominic Gingras, CEO and founder of privacy-focused phone company Secure Group, told Motherboard in a phone call this may not be necessary, and said some companies could sign a deal with providers and gain access to APIs that would allow the number changing because they can be used for legitimate purposes.
Captain said the SIMs work by first connecting to a private server, which then makes the call itself on the user’s behalf. They said the server is run by a Russian company—hence the street term Russian SIMs, as many users appear to think their calls are being routed through the country—but did not provide any evidence to corroborate the actual location of the server. At least some of the numbers associated with similar SIM cards come from Estonia, the source who currently works in the secure phone industry said. The person who owned the underground website selling SIM cards said the calls are instead going through “poor countries” where people can cheaply buy access to the phone network.