Image Credit: Shutterstock
Key Takeaways
- Polish police and U.S. federal agencies arrested four suspects accused of SIM-swap attacks targeting crypto exchange users
- The group allegedly hijacked phone numbers via telecom company breaches to intercept SMS codes and drain accounts
- Blockchain investigator ZachXBT linked one detainee to known threat actor “Merry,” though Polish authorities have not confirmed the identity
Poland’s Central Bureau for Combating Cybercrime arrested four people on June 25 in a joint operation with the FBI and U.S. Homeland Security Investigations, accusing them of running SIM-swap attacks against cryptocurrency exchange users and laundering tens of millions of Polish zlotys in stolen digital assets. All four were placed in pre-trial detention at the request of prosecutors. The Kraków Regional Prosecutor’s Office is supervising the case.
How the Group Allegedly Operated
The suspects did not target cryptocurrency platforms directly. According to the CBZC, they first broke into the IT systems of companies that work with telecommunications operators, using specialized software and social engineering to compromise employee email accounts and gain access to internal infrastructure.
From there, investigators say the group cloned and hijacked victims’ phone numbers through SIM-swap attacks. With control of a victim’s number, the suspects intercepted SMS authentication codes and account recovery messages. That access let them take over cryptocurrency exchange accounts and transfer out digital assets without authorization.
Stolen funds were then moved through a distributed laundering network. The CBZC said the operation used personal bank accounts in Poland and abroad, international payment platforms, and multi-currency digital wallets. Investigators estimate the total value of laundered funds exceeds tens of millions of Polish zlotys.
ZachXBT Links One Suspect to Known Threat Actor
The arrests attracted wider attention after blockchain investigator ZachXBT alleged on his Telegram channel that one of those detained is Wojtek Kulisz, a Polish social engineering threat actor known online as “Merry.”
ZachXBT said designer clothing and jewelry visible in the CBZC’s official raid footage appeared to match items Kulisz had publicly displayed on his Instagram account.
Polish authorities have not confirmed or denied the claim. The CBZC cited the ongoing international nature of the investigation as the reason for withholding the suspects’ identities. The names of targeted exchanges and details about compromised accounts are also being withheld.
Charges Carry a Maximum Sentence of 25 Years
All four suspects face three charges: participation in an organized criminal group, theft through unauthorized access to computer systems, and money laundering. The maximum sentence across those charges is 25 years in prison.
A Polish court approved pre-trial detention for all four at the prosecution’s request. Prosecutors characterized the alleged scheme as a deliberate, ongoing criminal enterprise rather than isolated incidents.
FBI and Homeland Security Investigations agents participated directly in the operation alongside Polish officers. Authorities have not specified the nature of the U.S. agencies’ role or confirmed what U.S. connections were identified in the investigation.
Investigation Extends Beyond Poland’s Borders
The CBZC said the investigation is active and extends beyond Poland’s borders. Officials declined to release information about the number of victims, the value of assets seized during the raids, or which cryptocurrency platforms were targeted.
