Image: Cathryn Virginia

The Secret SIMs Used By Criminals to Spoof Any Number

Criminals use so-called Russian, encrypted, or white SIMs to change their phone number, add voice manipulation to their calls, and try to stay ahead of law enforcement.
August 12, 2020, 1:00pm

The unsolicited call came from France. Or at least that's what my phone said. When I picked up, a man asked if I worked with the National Crime Agency, the UK's version of the FBI. When I explained, no, as a journalist I don't give information to the police, he said why he had contacted me.

"There are these special SIM cards out there," he said, referring to the small piece of hardware that slips inside a cell phone. "I'm actually ringing from one now," he added, before later explaining he runs an underground site that sells these cards.

This SIM card, the caller said, allowed him to spoof any phone number he wanted. Want to look like you're calling from a bank in order to scam a target? Easy. Want to change it to a random series of digits so that the recipient's phone won't record your real number? That just takes a few seconds to set up, according to tutorials available online on how to use the cards.

Do you sell encrypted phones or Russian SIMs? Do you use them? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Russian SIMs. Encrypted SIMs. White SIMs. These cards go by different names in the criminal underground, and vary widely in quality and features. But all are generally designed to give the user some sort of security or privacy benefit, even if what that particular SIM does is more theatre than substance. Beyond spoofing phone numbers, some SIMs let a caller manipulate their voice in real-time, adding a baritone or shrill cloak to their phone calls that is often unintentionally funny. Other cards have the more worthwhile benefit of being worldwide, unlimited data SIMs that criminals source anonymously from suppliers without having to give up identifying information and by paying in Bitcoin.

The SIM cards themselves aren't inherently illegal, but criminals certainly make up a noticeable chunk of the companies' customer bases. The NCA told Motherboard it has seized so-called Russian SIMs from suspects during investigations. The existence of this bustling industry highlights how crime figures continue to try and leverage different technologies, and comes as government agencies successfully crack down on other parts of criminal technical infrastructure.

"They are the most popular SIMs in crime," a source close to the criminal world told Motherboard, referring to the anonymously sourced data SIMs. Motherboard granted multiple sources in this story anonymity to protect them from retaliation or to speak more candidly about industry practices.


Criminals often make use of so-called encrypted phones, customized devices that in some cases have the microphone, GPS, and camera functionality removed. Some of these companies also offer Russian or encrypted SIM cards, letting customers buy not just a handset, but the data and roaming capability they would need to actually use the phone quickly, as well as some extra features from the SIM if they like. Companies or individuals don't always sell both the phone and the SIM, but the industries do overlap.

To test the process of obtaining such a SIM, Motherboard purchased a so-called white SIM, known for not having any branding or labelling, through a source close to the criminal world. After sending the supplier around $100 in Bitcoin, a package arrived the next day.

A list of countries where this particular SIM worked, shared with Motherboard, included Colombia, the UK, Morocco, Mexico, the UAE, and the U.S.

After receiving the SIM card and putting it into an unlocked phone, a user has to change the Access Point Name or "APN" on the device. An APN is a collection of settings a phone uses to set up a connection between the carrier's cell network and the wider internet. Essentially, entering this tells a user's phone that they want to connect to a particular phone network, one that it may not ordinarily recognize.

In one video uploaded to YouTube in April, a SIM vendor demonstrated how to spoof phone numbers with their product. The vendor typed a series of digits on their phone, followed by an asterisk, and then the number they wanted to mimic and then the hash symbol. After a pause, a second phone displayed an incoming call from the spoofed number.

In another video, a second vendor, this time wearing what appears to be black rubber gloves, demonstrated how to do the same with their own SIM.

"Contacting Server," the message on a Nokia handset read. Moments later, they received a call from 07777 777777, an obviously spoofed number.

A screenshot from a YouTube video demonstrating number spoofing on a so-called Russian SIM. Image: Screenshot.

"Scammers use [it] to call people so it shows [a] bank number or eBay," one alleged vendor, who went by the handle Captain on the messaging app Telegram, told Motherboard. "They get sold worldwide. Spain. Morocco. Europe shit loads," they added.

"You can actually pick any number that you want," the person who said they phoned me from one of the SIMs said. "I could change it every call and keep running from a different number every time," they added, making blocking a caller difficult.

Though some of these SIMs are sold clandestinely, through messaging apps and via people in-the-know, public facing companies also sell these cards.

"After the call has ended, your interlocutor is left with the randomly generated number in his/her call log," the website for Secure SIMs, one company selling the cards, reads. And some sellers advertise their SIM cards on more clearly crime-focused marketplaces. The underground site Motherboard accessed sold so-called "fullz," which are pieces of credit card data, as well as access to hacked PayPal and bank accounts alongside SIM cards.

Other videos online show similar SIM cards and their voice changing feature. In one, a seller briefly shows some of the options available, such as "Man," "Woman," "Child," and "Cartoon."

Karsten Nohl, a security researcher from SRLabs focused on telecommunications security, told Motherboard in an email that operators of the SIM cards likely run their own Mobile Virtual Network Operator (MVNO), which is essentially a telecom company piggy backing off of the infrastructure of a more established network. Many MVNOs exist, including Google's Fi, which runs on top of T-Mobile's infrastructure.

In order to obtain SIMs and data to sell, smaller companies can go to different carriers around the world and buy the data in bulk, according to a source who currently works in the secure communications industry.

A screenshot from the website of Secure SIMs, one company in this space. Image: Secure SIMs.

"Then you start selling these SIM cards as pooled data," the source said. To enter relationships with telcos in the United States or Canada, companies will likely need to create an MVNO, but may not need to in some other countries, the source said.

Dominic Gingras, CEO and founder of privacy-focused phone company Secure Group, told Motherboard in a phone call this may not be necessary, and said some companies could sign a deal with providers and gain access to APIs that would allow the number changing because they can be used for legitimate purposes.

Captain said the SIMs work by first connecting to a private server, which then makes the call itself on the user's behalf. They said the server is run by a Russian company—hence the street term Russian SIMs, as many users appear to think their calls are being routed through the country—but did not provide any evidence to corroborate the actual location of the server. At least some of the numbers associated with similar SIM cards come from Estonia, the source who currently works in the secure phone industry said. The person who owned the underground website selling SIM cards said the calls are instead going through "poor countries" where people can cheaply buy access to the phone network.

"People just have been drawn to the name Russian SIM," they said.

As part of an investigation into Encrochat, an encrypted phone network heavily used by organized crime, Motherboard obtained documents which contain evidence presented against Mark, an alleged drug dealer. For legal reasons, Motherboard is referring to Mark using a pseudonym. Those documents explicitly link so-called Russian SIMs to people allegedly trafficking heroin and other narcotics.

In one message, Mark told an associate "to ring his Russian number," the document reads. In another he asked someone to "ring him on the 'Russian'," prosecutors write. "My Russian Is Dead," Mark wrote to an associate.

Many of the companies or individuals selling these cards don't ask for any identifying information from a user apart from a shipping address to send the card to. This may be useful to criminals if they want to use a phone without necessarily giving their real name or address to a telecommunications company.

A screenshot of an underground website selling SIM cards. Image: Motherboard.

"It is important to mention that unlike regular GSM providers we don't sign any contracts or ask for personal data. This way we ensure that none of our clients' personal information will be passed to third parties. All of our SIM cards are pre-paid which means that we receive mobile data in advance to ensure maximum safety for our clients," the website for one company called VIP Line reads.

Craig Buchan, the director of Omerta, a company that sells similar SIMs as well as handsets and marketed its products to former customers of Encrochat, told Motherboard in an email that "one key feature is obviously we do not keep records of our SIMs usage." (Buchan said the company stopped allowing the spoofing of certain number prefixes in case they were being used in cases of fraud.)

Some of the companies make extraordinary, and largely unsubstantiated claims, though. These include being "bulletproof," or being able to thwart all surveillance from IMSI-catchers, devices used by law enforcement that pose as cell phone towers and trick nearby devices to connect to them in order to track their physical location.

"SECURE SIMS. UNDETECTABLE, EVEN BY THE POLICE. COMPLETE ANONYMITY," the website adds.

"I feel like they are preying on the uneducated," one source who runs an encrypted phone company told Motherboard. "SIMs have unique identifiers when they connect to a roaming partner like O2 [a British telecom] for example."

"You can't just tell a device not to connect to a strong tower. That's what the device is designed to do. Find a strong signal. Latch on and use mobile data," the source added.

Gingras, the CEO of Secure Group, said the number changing and voice changing SIMs "are a novelty thing." They can give you another layer of privacy, perhaps by spoofing a number so you don't get called back, "but I don't think it's that serious."

"They may be a bit overextending their marketing, claiming that it protects you against your government's scrutiny," he added. "I don't think it's really that useful to protect you against a really upset government."

Even if someone obtained a SIM card anonymously, they are still using a SIM card and by extension a phone network. The source who currently works in the phone industry said "you can't be invisible."

Nohl, the security researcher, told Motherboard, "A data-only SIM (that uses IMS for voice/text) prevents IMSI catchers from intercepting voice calls and text. So do all 4G and 3G networks that use encryption, which IMSI catchers cannot break open, and many 2G networks that upgraded to A5/3 encryption." He added, "In all these scenarios, the IMSI catcher can still catch IMSIs, though, mainly for tracking purposes."

Putting some of those more bold claims aside, some of these SIMs are still popular in the underground.

"Serious and organised criminals attempt to evade law enforcement, through both mainstream secure messaging apps and encrypted communication platforms specifically designed for criminal use," Matt Horne, Deputy Director of Investigations from the NCA, told Motherboard in an emailed statement.

"However, through the takedown of Encrochat and our work on Operation Venetic, we’ve shown that their methods and tools are not beyond our reach. By working closely with international and UK policing partners, we’re continuing to make technological advances and targeting those operating at the highest level of criminality," he added.

"They are the crime SIMs," the source close to the criminal world said.
