On June 25, the Polish Central Cybercrime Bureau (CBZC), with support from FBI and Homeland Security Investigations (HSI) agents, arrested four individuals suspected of stealing funds from cryptocurrency exchange accounts via SIM swapping attacks and laundering the proceeds. All four have been placed in pretrial detention. Blockchain investigator ZachXBT linked one of the suspects to social engineer Wojtek Kulisz.
How SIM Swapping Attacks Work: Full Process of IT Intrusion, Social Engineering, and Phone Number Hijacking
(Source: Polish Central Cybercrime Bureau YouTube)
According to the CBZC, the attackers' modus operandi was as follows:
- First, infiltrating the IT systems of companies partnering with telecom operators;
- Using social engineering techniques and specialized software to breach employees' email accounts;
- Leveraging the obtained access to clone and hijack victims' phone numbers, carrying out SIM swapping attacks (enabling criminals to receive all calls and texts, including one-time security codes);
- Hijacking cryptocurrency exchange accounts via SMS and email channels, systematically draining funds;
- Then laundering the proceeds through personal bank accounts within and outside Poland, international payment platforms, and digital wallets in various currencies.
ZachXBT Links Suspect to Wojtek Kulisz
Blockchain investigator ZachXBT reported that one of the suspects can be connected to Wojtek Kulisz (online alias "Merry," a social engineer). ZachXBT's cross-referencing method: comparing designer clothing and jewelry displayed on Kulisz's public Instagram account "wojtekk" with items pictured by Polish authorities at the seizure site. Polish authorities themselves did not release the suspects' names or photos.
Charges Faced by the Four and Concurrent Global Enforcement Actions
All four suspects face the following charges: participation in an organized criminal group; theft via illegal access to computer systems; money laundering. Each charge carries a maximum sentence of 25 years in prison, and all have been placed in pretrial detention.
Concurrent global enforcement actions: In March 2026, the FBI and Thai police froze approximately $580 million in cryptocurrency linked to Southeast Asian fraud rings; in late May 2026, the FBI's "Operation Poweroff" seized over $8 billion in assets, including more than 127,000 Bitcoin tied to a transcontinental fraud network.
Frequently Asked Questions
How do SIM swapping attacks bypass two-factor authentication (2FA) on crypto exchanges?
According to reports, SIM swapping attacks work by inducing or deceiving telecom companies into transferring the victim's phone number to a SIM card controlled by the criminals. Once attackers control the phone number, they can receive all SMS messages sent to that number, including one-time security codes delivered via SMS. Even if the victim has 2FA protection, if the verification method is SMS text, it can similarly be bypassed.
How did ZachXBT link the suspect's identity to Kulisz without official disclosure?
According to reports, ZachXBT used open-source intelligence (OSINT) methods: comparing designer clothing and jewelry displayed on Kulisz's public Instagram account "wojtekk" with photos of items taken by Polish authorities at the seizure site. This method of cross-referencing publicly available social media imagery is a common identity-linking technique used by blockchain investigators.
What is the legal basis for this Poland-FBI operation?
According to reports, the operation was led by Poland's CBZC with support from the FBI and HSI, constituting an international law enforcement collaboration. The four arrestees face charges including participation in an organized criminal group, theft via illegal access to computer systems, and money laundering, all under Polish law, with a maximum sentence of 25 years.
