Cybercrime
,
Fraud Management & Cybercrime
Operation SIMCARTEL: Cops Seize 1,200 SIM-Box Devices Operating 40,000 SIM Cards
Mathew J. Schwartz (euroinfosec) •
October 20, 2025
Alleged criminal infrastructure seized during the action day of Operation SIMCARTEL. (Image: Europol)
Police in Europe said they disrupted a SIM farm provider in Latvia that supplied millions of mobile telephone numbers used by fraudsters to perpetrate cybercrime scams.
See Also: Why Cyberattackers Love ‘Living Off the Land’
The operation, codenamed Simcartel, featured police in Austria, Estonia, Finland and Latvia probing and arresting seven suspects who allegedly counted criminal customers across 80 different countries. Police said they disrupted websites that facilitated access to the service, which advertised foreign telephone numbers that customers used in a number of phishing attacks, as well as for SMS phishing, aka smishing.
The service “allowed perpetrators to set up fake accounts for social media and communication platforms, which were subsequently used in cybercrimes while obscuring the perpetrators’ true identity and location,” said Europol, the EU’s law enforcement intelligence agency, which helped coordinate the operation with Eurojust.
Five of the Simcartel arrests took place in Latvia on Oct. 10, including the suspected ringleader and three male and female technical staff, reported Latvia’s public news service.
A video posted by Latvian authorities shows members of the state police counterterrorism unit, Omega, raiding the service’s apparent technical hub, first smashing open frosted glass office doors and deploying flashbang grenades, before storming the facility with weapons drawn.
Police said a fifth person arrested in Latvia was “one of the main suspects behind this now-dismantled criminal structure,” and also has an open arrest warrant in Estonia for arson and extortion.
Police said they’ve identified at least 1,500 online fraud victims in Latvia, 1,700 in Austria and more in Estonia. Victim losses amount to at least $5.2 million. Each country’s probe remains ongoing.
As part of an “action day” targeting the service provider, police in Austria, Estonia and Latvia searched 26 properties, seized approximately 1,200 SIM-box devices used to operate 40,000 SIM cards. They confiscated cryptocurrency worth $835,000, four luxury vehicles, five servers and two domains that advertised and gave customers access to the service: gogetsms.com and apisim.com.
Latvian police seized suspected narcotics and a large quantity of what appeared to be stolen car parts from one of the suspects.
Europol said the Shadowserver Foundation, a non-profit organization devoted to making the internet safer, assisted with the technical takedown of the criminal infrastructure.
Bulk Access to SIM Cards
Investigators are still unraveling the full scale of the service and all the different ways criminals employed it. Customers used the operation’s SIM cards to create at least 49 million different online accounts for illicit purposes.
Sellers of illicit SIM-box services – aka SIM-farm providers – enable their customers to easily gain bulk access SIM cards at a low cost. Such services regularly are used to perpetrate mass campaigns involving scam texts, scam calls and posting misleading, fake or phishing messages to social networks. The services enable customers to disguise the SIM card’s real phone number or location.
Authorities said phishing and smishing attacks launched by users of the Latvian service were frequently designed to steal passwords, bank details or payment card details from victims. In other cases, the phone numbers were used to perpetrate a type of scam in which criminals pose as a police officer. Mostly targeting Russian speakers, “perpetrators posed as police officers with forged IDs and personally collected funds from the victims,” Europol said.
Other specific types of crime police have tied to this SIM-farm service provider included:
Marketplace fraud: Fake accounts on such services serve as launch points for phishing and smishing;
Daughter-son scams: Messages typically sent on WhatsApp purport to share a child’s new phone number, before “citing alleged spontaneous accidents or emergencies and evoking panic with the victim, they demand urgent payments usually in the four-figure range,” Europol said;
Investment fraud: Attacks seek to trick a victim into sending them large sums of money as well as installing remote-control software on their system;
Fake entities: Attackers use the rented numbers to make fake or spoofed online banks and storefronts look legitimate.
Defined: SIM Farm
Some SIM gateways are legitimate, although always at a much smaller scale than what was seen in the recent arrests, experts say. Legitimate use cases include providing continuity of connectivity in areas with poor reception, or for temporary office facilities.
In a 2023 consultation into SIM fraud, the British government suggested that the domestic definition of a SIM farm – referring to illicit use – might be any device that could handle more than four SIM cards at a time, or one for each of the country’s mobile operators.
“We have very limited evidence that there are any legitimate use cases for devices that allow the use of more than four SIM cards, and for all such cases alternative options exist,” it said.
Espionage applications also exist for SIM farms, as the U.S. Secret Service said when it recently dismantled a network of 300 SIM servers with 100,000 SIM cards, mostly located within 35 miles of a United Nations General Assembly meeting (see: Secret Service Dismantles NY Telecom Threat Amid UN Meeting).