A Clarkston, Michigan man was sentenced today to 42 months in federal prison for his role in a series of “SIM swapping” schemes that allowed him and his confederates to take control of online accounts, which resulted in the theft of cryptocurrency, causing more than $28,000 in losses.
Anthony Joseph Carlson, 25, also conducted a separate “phishing” scheme to hijack valuable Instagram accounts, which he was able to monetize. And he defrauded other victims by selling stolen Instagram accounts, causing additional losses of over $93,000.
Carlson was sentenced by United States District Judge Percy Anderson, who scheduled a hearing for January 18, 2023, to determine the amount of restitution that the defendant will be ordered to pay to approximately 10 individuals and companies.
Carlson pleaded guilty on August 22 to four felony offenses – two counts of conspiracy to commit wire fraud and two counts of unauthorized access to a protected computer to obtain information.
Judge Anderson today emphasized the seriousness of the cybercrimes by saying, “It’s the same as if the defendant was actually robbing the victims,” later adding, “You don’t get a break because you used a computer.”
SIM swapping is fraud in which cell phone service providers are tricked into reassigning a victim’s cell phone number to a new cell phone controlled by a fraudster, without the victim’s knowledge or authorization. The new cell phone device has a new Subscriber Identification Module (SIM), thus, SIM swapping. After hijacking a victim’s phone service, a SIM swapper is able to receive communications intended for the victim, including password reset codes for a victim’s online accounts. Carlson worked with others in SIM swapping schemes to reset victim account passwords, take over victims’ online accounts and steal cryptocurrency.
Carlson participated in two separate conspiracies to use SIM swapping to gain unauthorized access to the email, financial and social media accounts of the victims to steal cryptocurrency. One scheme that did not result in any actual losses involved the takeover of a Coinbase account in order to steal $10,000 in cryptocurrency, and a second involved the takeover of a Facebook account that allowed Carlson and a co-conspirator to obtain cryptocurrency from two friends of the person whose account had been compromised.
As a result of a separate phishing scheme – in which Carlson sent emails purporting to be from a legitimate source to induce victims to reveal information, including personal identifying information and passwords – he was able to gain control of valuable Instagram accounts with large numbers of followers. Carlson told the victims who owned the Instagram accounts that he wanted to purchase advertising on their accounts, but he needed to first determine how valuable their accounts were for marketing purposes. Carlson convinced the victims to download his purported analytics software, which had a spoofed website name almost identical to a commonly used Instagram analytics software, and they were tricked into providing their Instagram usernames and passwords, which Carlson used to take over their Instagram accounts to monetize for his personal gain.
Carlson also obtained stolen Instagram accounts from others and then re-sold them to other victims for thousands of dollars. In another scheme, Carlson collected money for advertising on Instagram accounts he did not actually control.
The Federal Bureau of Investigation conducted the investigation in this matter. Assistant United States Attorney Lisa E. Feldman of the Cyber and Intellectual Property Crimes Section prosecuted this case.
Submitted by Thom Mrozek, Director of Media Relations U.S. Attorney’s Office