What Did Polish Authorities Uncover?
Polish authorities arrested four members of an organized criminal group accused of carrying out SIM swap attacks on cryptocurrency exchanges, stealing digital assets, and laundering the proceeds through financial accounts and digital wallets.
The operation was supported by agents from the U.S. FBI and Homeland Security Investigations, reflecting the cross-border nature of the case and the growing law enforcement focus on cyber groups targeting crypto platforms.
According to Poland’s Central Bureau for Combating Cybercrime, known by its Polish acronym CBZC, members of the group breached the IT infrastructure of entities that cooperate with telecommunications operators. Investigators said the suspects used specialized software and social engineering techniques to access employee email accounts.
That access allegedly enabled SIM swap attacks, a method in which criminals hijack or clone a victim’s phone number to intercept account authentication messages. Once phone numbers were compromised, the group allegedly used them to take control of user accounts on cryptocurrency exchanges and drain digital assets.
Why Are SIM Swap Attacks A Serious Crypto Risk?
SIM swap attacks remain one of the most damaging account-takeover methods in crypto because they target the link between telecom identity and exchange security. Even when users protect accounts with passwords, phone-based authentication can become a weak point if attackers gain control of the number tied to the account.
For exchanges, the case shows how risk can originate outside the trading platform itself. The alleged breach involved entities cooperating with telecommunications operators, not necessarily the crypto exchanges directly. That makes the security perimeter wider and harder to manage.
The method is also difficult to contain once attackers gain access. A compromised phone number can be used to reset passwords, bypass certain forms of two-factor authentication, access email accounts, and move assets quickly before victims or platforms detect the intrusion.
Polish investigators said the stolen funds were laundered through a distributed financial network spanning personal bank accounts in Poland and abroad, international payment platforms, and multi-currency digital wallets. The total value of funds laundered is estimated to exceed tens of millions of Polish zlotys.
Investor Takeaway
The case highlights a recurring weakness in crypto custody and exchange security: account protection can fail when telecom infrastructure is compromised. For investors, phone-based authentication remains a major risk point, especially when large balances are held on exchange accounts.
Who Are The Suspects?
All four suspects were remanded into pre-trial detention at the request of the prosecutor’s office. They face charges including participation in an organized criminal group, theft by hacking, and money laundering. The charges carry penalties of up to 25 years in prison, according to court documents.
Polish authorities have not confirmed the identities of the detained suspects, citing the ongoing international nature of the investigation. They also said detailed information on the targets of the attacks and secured accounts will not be disclosed at this stage.
Onchain investigator ZachXBT separately alleged that one of the detained individuals may be Wojtek Kulisz, a Polish social engineering threat actor known online as “Merry.” ZachXBT said designer clothing and jewelry visible in official raid footage appeared to match items Kulisz had publicly displayed on Instagram.
The allegation has not been confirmed by Polish authorities. Still, it has drawn additional attention to the case, because independent blockchain investigators increasingly play a role in identifying suspects, tracing stolen funds, and connecting online identities to alleged crypto theft activity before formal law enforcement disclosures.
What Does This Mean For Exchanges And Users?
The arrests point to a broader enforcement shift around crypto-related cybercrime. Law enforcement agencies are not only targeting blockchain wallets or exchange accounts after thefts occur. They are also pursuing the telecom, email, and social engineering layers that enable attackers to take control of accounts in the first place.
For exchanges, the case increases pressure to reduce reliance on SMS-based authentication and strengthen account recovery controls. Platforms handling high-value accounts may face higher expectations around withdrawal delays, device checks, behavioral monitoring, and risk scoring when account credentials or phone numbers change.
For users, the case reinforces the need to avoid SMS as the main security layer for exchange accounts. Hardware security keys, authenticator apps, withdrawal allowlists, and keeping larger balances away from exchange wallets can reduce exposure to SIM swap attacks.
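As an added illustration (not code from any exchange or from the investigation), the sketch below shows how the controls named in the two paragraphs above (withdrawal delays, device checks, allowlists, and risk scoring after a phone number or credential change) can be combined into a single withdrawal gate. All weights, thresholds, field names, and the sample scenario are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# All thresholds and weights are illustrative assumptions, not values from the article.
COOLDOWN = timedelta(hours=48)      # window after a sensitive account change
HOLD_AT, STEP_UP_AT = 60, 20        # score cut-offs
LARGE_USD = 10_000

@dataclass
class Account:
    known_devices: set
    withdrawal_allowlist: set
    phone_changed_at: Optional[datetime] = None
    password_reset_at: Optional[datetime] = None
    reset_channel: Optional[str] = None   # "sms", "email" or "security_key"

@dataclass
class Withdrawal:
    at: datetime
    amount_usd: float
    address: str
    device_id: str

def _recent(ts, now):
    return ts is not None and timedelta(0) <= now - ts <= COOLDOWN

def assess(acct, w):
    """Return (action, score, reasons) for one withdrawal request."""
    reset_recent = _recent(acct.password_reset_at, w.at)
    checks = [
        (40, "phone_changed_recently", _recent(acct.phone_changed_at, w.at)),
        (20, "password_reset_recently", reset_recent),
        (20, "reset_via_sms", reset_recent and acct.reset_channel == "sms"),
        (20, "unrecognised_device", w.device_id not in acct.known_devices),
        (20, "address_not_allowlisted", w.address not in acct.withdrawal_allowlist),
        (10, "large_amount", w.amount_usd >= LARGE_USD),
    ]
    score = sum(pts for pts, _, hit in checks if hit)
    reasons = [name for _, name, hit in checks if hit]
    if score >= HOLD_AT:
        action = "hold_for_review"      # delay the withdrawal, notify out of band
    elif score >= STEP_UP_AT:
        action = "step_up_non_sms"      # require a security key or authenticator code
    else:
        action = "allow"
    return action, score, reasons

# Constructed scenario: number changed, password reset by SMS, then a fast withdrawal.
T0 = datetime(2025, 1, 1, 12, 0)
def sample_takeover():
    acct = Account({"laptop-1"}, {"addr-cold-wallet"}, phone_changed_at=T0,
                   password_reset_at=T0 + timedelta(minutes=10), reset_channel="sms")
    return assess(acct, Withdrawal(T0 + timedelta(minutes=30), 25_000, "addr-new", "phone-9"))
```

The step-up branch deliberately excludes SMS, since a code sent to the phone number is the factor an attacker controls after a SIM swap.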
The Polish case also shows how crypto theft investigations are becoming more international. Stolen assets may move through exchanges, payment platforms, wallets, and bank accounts across jurisdictions. That makes cooperation between domestic cybercrime units and U.S. agencies more important as attackers move funds through both traditional and digital financial channels.
The investigation remains ongoing, and authorities have not disclosed the full list of victims or secured accounts. But the case makes clear that SIM swap attacks are still a live threat to crypto users, exchanges, and digital asset infrastructure, even as law enforcement becomes more aggressive in tracing and disrupting the groups behind them.
