‘SIM Farms’ Are a Spam Plague. A Giant One in New York Threatened US Infrastructure, Feds Say


The recent discovery of a sprawling SIM farm operation in the New York City area has revealed how these facilities, typically used by cybercriminals to flood phones with spam calls and texts, have grown large enough that the US government is warning it could have been used not just for crime, but for large-scale disruption of critical infrastructure.

On Tuesday morning, the US Secret Service revealed that it had found a collection of facilities across the “New York tristate area” holding more than 100,000 SIM cards housed in “SIM servers,” devices that allow them to be managed and operated simultaneously. Due to the sheer scale of the infrastructure of this single SIM farm—and the fact that it reportedly came onto the Secret Service’s radar after it was exploited in “swatting” attacks that targeted US members of Congress around Christmas of 2023—the agency has warned that the operation, which has been at least partially dismantled, posed a serious threat of a disruptive attack on cellular service.

Given the number of SIM cards all under the control of a single operation, it could have “disabled cell phone towers and essentially shut down the cell phone network in New York City,” according to Matt McCool, the special agent in charge of the Secret Service New York field office.

“This network could be used to overwhelm cell towers,” according to a law enforcement source familiar with the Secret Service’s investigation, who asked not to be named due to the sensitivity of the ongoing investigation. “To give you an idea of capacity for disruption, this network could be used to send approximately 30 million text messages per minute, meaning it could anonymously text the entire United States in around 12 minutes.”

The source tells WIRED that the Secret Service has confirmed that the SIM farm was used by organized crime, nation-state threat actors, and other individuals known to law enforcement.

Photos of “SIM blocks” discovered by Secret Service agents. These devices can connect around a hundred SIM cards simultaneously.

Courtesy of The U.S. Secret Service

The Secret Service’s Advanced Threat Interdiction Unit seized the equipment found in the SIM farm sites, which the agency described as all being within 35 miles of midtown Manhattan. The Secret Service says its investigation is ongoing as it combs through the calling and texting records of the massive collection of SIMs. No arrests have been made, according to the law enforcement source. In its announcement of the bust, the Secret Service noted that it acted now to head off any potential use of the SIM operation to target the United Nations General Assembly in Manhattan this week—though it didn’t offer any evidence to suggest that was the operation’s intent.

“Given the timing, location and potential for significant disruption to New York telecommunications posed by these devices, the agency moved quickly to disrupt this network,” reads a statement from the agency.

Despite speculation in some reporting about the SIM farm operation that suggests it was created by a foreign state such as Russia or China and used for espionage, it’s far more likely that the operation’s central focus was scams and other profit-motivated forms of cybercrime, says Ben Coon, who leads intelligence at the cybersecurity firm Unit 221b and has carried out multiple investigations into SIM farms. “The disruption of cell services is possible, flooding the network to the degree that it couldn’t take any more traffic,” Coon says. “My gut is telling me there was some type of fraud involved here.”

In this case, according to a CNN report on the Secret Service’s investigation, the agency got onto the trail of the New York area SIM farm after it was used in a pair of swatting incidents around Christmas Day in 2023 that targeted congresswoman Marjorie Taylor Greene and US senator Rick Scott. Those incidents appear to have been tied to a pair of Romanian men, Thomasz Szabo and Nemanja Radovanovic, who were working with the American serial swatter Alan Filion, also known as Torswats.

Though all three men have since been convicted on swatting-related charges, the Secret Service’s McCool noted in his statement that the agency’s investigation followed “telecommunications-related imminent threats directed towards senior US government officials this spring.”

MobileX SIM card packages discovered by the US Secret Service.

Courtesy of The U.S. Secret Service

The phenomenon of SIM farms, even at the scale found in this instance around New York, is far from new. Cybercriminals have long used the massive collections of centrally operated SIM cards for everything from spam to swatting to fake account creation and fraudulent engagement with social media or advertising campaigns. The SIM cards are typically housed in so-called SIM boxes that can control more than a hundred cards at a time, which are in turn connected to servers that can then control thousands of SIMs each.

SIM farms allow “bulk messaging at a speed and volume that would be impossible for an individual user,” one telecoms industry source, who asked not to be named due to the sensitivity of the Secret Service’s investigation, told WIRED. “The technology behind these farms makes them highly flexible—SIMs can be rotated to bypass detection systems, traffic can be geographically masked, and accounts can be made to look like they’re coming from genuine users.”

The telecom industry source adds that the images of SIM servers and boxes published by the Secret Service indicate a “really organized” criminal operation may have been behind the setup. “This means that there is great intelligence and significant resources behind it,” the person added.

The SIM farm found by the Secret Service, Unit 221b’s Coon says, isn’t the biggest operation he’s learned of in the US. But it’s the most concentrated in such a small single geographic area. SIM boxes, he notes, are illegal in the US, and the hundreds of them found in the Secret Service’s investigation must have been smuggled into the US. In one case he was involved in, Coon says, the boxes were imported from China, disguised as audio amplifiers.

The “clean, tidy racks” of equipment in a well-lit room show that the operation may be well-organized and professional, says Cathal Mc Daid, VP of technology at telecommunication and cybersecurity firm Enea. Photos released by the Secret Service show multiple racks of telecom equipment neatly set up, with individual pieces of tech numbered and labeled, plus cables on the floor being covered and protected with tape. Each SIM box, Mc Daid says, appears to include around 256 ports and associated modems. “This looks more professional than many of the SIM farms you see,” says Mc Daid.

Mc Daid notes, however, that he’s tracked similar operations discovered in Ukraine—some of which have been as large or even larger than the one revealed on Tuesday by the Secret Service. Over the course of the last few years, law enforcement officials in Ukraine have discovered tens of thousands of SIM cards being used in SIM farms allegedly set up by Russian actors. In one case in 2023, around 150,000 SIM cards were reportedly found. These SIM farms have been used to operate fake social media profiles that can spread disinformation and propaganda.

Additional equipment found in the New York–area SIM farm sites.

Courtesy of The U.S. Secret Service

In one photo released by the Secret Service, packaging from hundreds of SIM cards belonging to telecom service MobileX is visible. “We are aware of recent reports that MobileX SIM cards, along with those of other providers, were recovered during a federal investigation,” Peter Adderton, the CEO and founder of MobileX, says in a statement. “Our platform is designed to be easy to use and cost-effective, qualities that unfortunately can also attract occasional bad actors.” Adderton adds that MobileX is prepared to work with law enforcement and has systems in place to shut down suspicious activity.

Since SIM farms are typically used for indiscriminate fraud rather than swatting or other more disruptive threats, the unusual use of this particular SIM farm to swat US officials was likely the source of its downfall, notes Allison Nixon, the chief research officer for Unit 221b. “Swatters are also fraudsters, so they know how to use criminal proxy services. The owners of criminal proxy infrastructure make significant investments predicated on the idea that arrest rates for cybercrime are low,” Nixon says. “But they fail to anticipate the fact that cybercrime, allowed to fester, always leads to terrorism. So the first time the feds see this, the operation is already massive.”
