Polish authorities have arrested four members of an organized cybercrime group accused of hijacking phone numbers and cryptocurrency exchange accounts in a coordinated SIM-swapping operation that laundered what investigators estimate to be more than $5 million.
The operation was conducted by the Polish Cybercrime Bureau, known by its Polish acronym CBZC, with support from the FBI and Homeland Security Investigations in the United States.
According to investigators, the suspects used specialized software and social engineering to gain unauthorized access to the infrastructure of companies that partner with telecommunications operators, as well as to employee email accounts. The data obtained through those intrusions was then used to execute SIM-swap attacks — a method that involves illegally cloning and taking over victims' phone numbers to intercept SMS messages and email communications.
With control of those communications, the group was able to compromise accounts at cryptocurrency exchanges, seize the funds held there, and move the proceeds through what CBZC described as "a distributed financial network."
"Using specialized software and social engineering, the perpetrators gained unauthorized access to the infrastructure of entities cooperating with telecommunications operators and employee email accounts," CBZC said in an announcement. "The data obtained in this way enabled so-called SIM swap attacks, which involve the illegal cloning and takeover of victims' phone numbers."
CBZC noted that the suspects treated these activities as "a regular source of income," routing stolen funds through multiple bank accounts across several countries as well as digital wallets. The bureau estimated that the total value of laundered funds "exceeds several tens of millions of Polish złoty," which translates to at least $5 million at current exchange rates.
All four individuals have been placed in pre-trial detention. They face charges of participation in an organized criminal group, hacking into IT systems to commit theft, and money laundering — offenses that carry a maximum penalty of 25 years in prison under Polish law.
CBZC did not publicly name any of the four suspects. However, blockchain crime investigator ZachXBT identified one of the arrested individuals as Wojtek Kulisz, known online as "Merry," based on images released by authorities from the police raid.
SIM-swapping attacks have become an increasingly common vector for cryptocurrency theft, exploiting the widespread use of SMS-based two-factor authentication. By deceiving a telecom or infiltrating its systems so that a target's phone number is redirected to a device they control, attackers can bypass authentication barriers that would otherwise protect exchange accounts and digital wallets.
The cross-border nature of the investigation — drawing in U.S. federal agencies alongside Polish law enforcement — underscores the degree to which such operations depend on international cooperation to dismantle networks that route stolen assets across multiple jurisdictions. With charges now filed and the suspects held pending trial, the case will test how aggressively Polish courts pursue maximum penalties in organized cybercrime prosecutions.