Seven suspects are now in custody after a cross-border crackdown dismantled a cybercrime service that powered more than 3,000 online scams across Europe, authorities said. Investigators seized servers, domains, and cryptocurrency wallets worth tens of thousands of euros, cutting off infrastructure that enabled fraud on a massive scale.
The operation codenamed “SIMCARTEL”, conducted by authorities from Austria, Estonia, and Latvia, uncovered a criminal network that provided essential technical infrastructure enabling cybercriminals to conduct large-scale fraud operations. The operation’s scale demonstrates the industrial nature of modern cybercrime, where specialized service providers supply the technical capabilities that lower-level criminals lack.
Five suspects of Latvian nationality were arrested during coordinated raids in Latvia, with two additional suspects apprehended as the investigation expanded. Law enforcement seized infrastructure that had been instrumental in enabling crimes across multiple European nations, representing a significant disruption to the cybercrime ecosystem.
The Cybercriminal Infrastructure
The seized 1,200 SIM box devices and 40,000 active SIM cards formed the backbone of the operation’s capability to facilitate fraud at scale. SIM boxes are specialized devices that allow criminals to route calls and messages through multiple phone numbers simultaneously, disguising their true locations and identities. This technology enables various fraud schemes including bank fraud, authentication bypass, and social engineering attacks that rely on appearing to call from legitimate phone numbers.
“Their online service provided telephone numbers from over 80 countries for criminal activities,” Eurojust said. “The entire infrastructure allowed fraudsters to set up fake accounts on social media and other communication platforms to perpetrate the scams. They set up close to 50 million fake accounts for this purpose.”
Quantifying the Impact
Investigators successfully attributed more than 1,700 individual cyber fraud cases in Austria and 1,500 cases in Latvia to this criminal network, illustrating the extensive reach of the operation. The financial impact has been devastating, with victims losing several million euros across affected countries.
In Austria alone, financial losses attributed to the network amount to approximately €4.5 million. Latvia documented additional losses of €420,000, though investigators believe the true financial impact extends significantly beyond these confirmed figures as investigations continue across multiple jurisdictions.
The attribution of specific fraud cases to this network required extensive forensic analysis and international cooperation. Each fraud case represents not just financial loss but also the compromise of personal information, erosion of trust in digital communications, and psychological harm to victims who fell prey to sophisticated social engineering schemes enabled by the network’s infrastructure.
The CaaS Business Model
This operation exemplifies the cybercrime-as-a-service business model that has transformed the threat landscape. Rather than conducting fraud directly, the arrested suspects allegedly provided essential infrastructure that enabled other criminals to conduct operations. This specialization and division of labor mirrors legitimate business structures, creating efficiency and scale that individual criminals could never achieve.
SIM box infrastructure solves a critical problem for cybercriminals: how to conduct fraud operations that require appearing to call or message from legitimate local phone numbers. Banking fraud schemes often require criminals to bypass two-factor authentication by intercepting SMS messages or calling victims while spoofing bank phone numbers. Romance scams and investment fraud require sustained communication from phone numbers that appear geographically proximate to victims. SIM boxes enable all these capabilities at scale.
The CaaS model also provides criminal entrepreneurs with steady revenue streams. Rather than the unpredictable income from conducting fraud directly, infrastructure providers charge subscription fees or per-use charges to their criminal clients. This creates more stable and predictable criminal enterprises that can invest in improving their technical capabilities and evading law enforcement detection.
This takedown follows similar high-profile operations against platforms like Genesis Market, which sold stolen credentials, and LabHost, a hosting service for criminal websites. Europol stressed that focusing on the backbone of cybercrime rather than only individual actors provides a more sustainable impact.
Also read: Operation Cookie Monster: FBI Seizes Cybercrime Marketplace Genesis Market
Officials cautioned that while arrests and seizures disrupt operations, cybercriminals continuously seek new infrastructure. They encouraged private sector partners to report suspicious activity and strengthen monitoring to prevent similar services from resurfacing.
