The first time Mark Donnelly noticed anything wrong was when his mobile phone suddenly lost service.
It came out of the blue, there was no explanation.
Where he'd normally see signal bars on his iPhone 12 Pro, there was just "SOS" displayed – the indicator an iPhone shows when it has no carrier service and can only make emergency calls.
Mysteriously, his connection to Optus was gone.
The Sydney nurse didn't know it but while he'd been busy working a morning shift at Westmead Hospital, in Sydney's west, helping sick patients, he'd become the victim of a devastating SIM swap, also known as simjacking or a SIM hijack.
Using stolen personal details and nothing more than Optus' online messaging service, a hacker had been allowed to activate an eSIM on a device they controlled, without any face-to-face identity check in an Optus store, which moved Mr Donnelly's phone number onto the hacker's handset.
Once the hacker had his phone number, they took control of all his bank accounts, raised the spend limit of a ZipPay account, attempted to do the same on his AfterPay account, and gained access to all his immigration documentation, including his UK passport.
Armed with such prized identification, the hacker even tried - and failed - to set up a new bank account in Mr Donnelly's name.
A week after the attack, after long discussions with his banks, Mr Donnelly, 46, has managed to recover most of his lost $35,000.
ANZ returned $26,000 and ING another $4000. The remainder is still under investigation by Bendigo Bank.
Optus has so far offered him $80 compensation for the December 6 hack. Mr Donnelly has contacted the Telecommunications Industry Ombudsman (TIO) and has questions about whether Optus' verification protocol was followed correctly.
Optus has been contacted by nine.com.au.
"I'm devastated," Mr Donnelly, 46, said.
He described the experience of trying to untangle the mess with Optus and their fraud team as "absolutely hellish".
"They told me they would call me back in 24 to 48 hours and they would discuss it, but there was nothing," he said, recounting the timeline of the hack to 9news.com.au.
It was ultimately left up to Mr Donnelly to go into an Optus store in Sydney's west to try and work out what had happened.
On what turned out to be only the first of several visits, when Mr Donnelly complained about the loss of service an Optus staff member offered to replace the SIM.
That idea immediately reconnected Mr Donnelly's phone back to the network.
But crucially, Mr Donnelly claimed, the employee never checked why his iPhone had lost service.
Had that simple check been carried out by Optus, Mr Donnelly believes, it may have revealed that a hacker had activated an eSIM for his number on another device.
Instead, Mr Donnelly left the store believing his old SIM must have been faulty.
Meanwhile, the hacker also noticed something was up, as they had suddenly lost control of Mr Donnelly's phone.
Later that night, the hacker went back to work.
In Optus chat logs obtained by Mr Donnelly and sighted by 9news.com.au, the hacker can be seen for a second time messaging an Optus agent and demanding the eSIM be activated.
Once again the hacker passed the security check - probably using identifying details stolen from Mr Donnelly (such information is widely traded on the dark web) - and an eSIM was approved, with activation scheduled for several hours later.
9news.com.au understands that Optus' online service typically requires customers to provide their name, date of birth and mobile number to verify their identity. Transactions deemed higher risk, such as the issuing of eSIMs, are understood to require further authentication through knowledge-based questions.
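The weakness in that process is that every factor it relies on is something the customer knows, and all of it can be bought from a breach dump. The following is an added example, not Optus' system or code: a toy model of a self-service eSIM activation check, with the knowledge-only policy beside a hardened one that requires a factor the attacker does not hold (a code sent to the current SIM, or an in-store ID check), delays knowledge-only requests instead of approving them, and lets a bank refuse SMS codes in the window right after a swap. The field names, the 48-hour window and the sample customer are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Added example: a toy model of a telco's self-service SIM/eSIM activation check.
# The field names, the 48-hour window and the sample data are assumptions made
# for illustration; they are not Optus' real system or numbers.

COOLING_OFF = timedelta(hours=48)


@dataclass
class Account:
    msisdn: str
    name: str
    dob: str
    last_sim_change: Optional[datetime] = None   # set when a swap takes effect


@dataclass
class SwapRequest:
    msisdn: str
    name: str
    dob: str
    kba_answers_correct: bool      # knowledge-based questions: buyable from a breach dump
    otp_from_current_sim: bool     # code sent to the SIM that is about to be replaced
    in_store_id_checked: bool      # photo ID seen face-to-face


def identity_fields_match(acct: Account, req: SwapRequest) -> bool:
    return (req.msisdn, req.name, req.dob) == (acct.msisdn, acct.name, acct.dob)


def weak_policy(acct: Account, req: SwapRequest) -> str:
    """Everything checked here is 'something you know', so an attacker holding
    leaked personal details passes without anything the victim has."""
    if not identity_fields_match(acct, req):
        return "deny"
    return "approve" if req.kba_answers_correct else "deny"


def hardened_policy(acct: Account, req: SwapRequest) -> str:
    """Moving a number is treated as a high-risk change: it needs a factor the
    attacker does not hold (the current SIM, or a face-to-face ID check).
    Knowledge-only requests are not refused outright but delayed, so the old
    SIM keeps working while the customer is warned and can cancel."""
    if not identity_fields_match(acct, req):
        return "deny"
    if req.otp_from_current_sim or req.in_store_id_checked:
        return "approve"
    if req.kba_answers_correct:
        return "delay"      # queue for COOLING_OFF, notify the current SIM, then apply
    return "deny"


def apply_swap(acct: Account, when: datetime) -> None:
    acct.last_sim_change = when


def bank_trusts_sms_otp(acct: Account, now: datetime) -> bool:
    """A bank that can ask the telco when the SIM last changed should not rely
    on SMS codes in the window right after a swap."""
    if acct.last_sim_change is None:
        return True
    return now - acct.last_sim_change >= COOLING_OFF


def run_scenario() -> dict:
    """Replay the shape of the attack: the attacker knows the victim's details
    (constructed sample data) but does not hold the victim's phone."""
    t0 = datetime(2021, 12, 6, 9, 0)
    victim = Account(msisdn="0400000000", name="A. Customer", dob="1975-01-01")
    attacker = SwapRequest(msisdn="0400000000", name="A. Customer", dob="1975-01-01",
                           kba_answers_correct=True,      # bought or phished
                           otp_from_current_sim=False,    # phone is in the victim's pocket
                           in_store_id_checked=False)

    weak = weak_policy(victim, attacker)
    hardened = hardened_policy(victim, attacker)

    # Under the weak policy the swap goes through, and a bank that still
    # accepts SMS codes has handed the attacker its second factor.
    if weak == "approve":
        apply_swap(victim, t0)
    return {
        "weak": weak,
        "hardened": hardened,
        "bank_trusts_otp_right_after_swap": bank_trusts_sms_otp(victim, t0 + timedelta(hours=1)),
        "bank_trusts_otp_after_window": bank_trusts_sms_otp(victim, t0 + timedelta(hours=49)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Run as a script, it shows the same request approved by the weak policy and merely queued by the hardened one; the bank-side check is the piece that would have limited the damage even after the telco failed, since it turns a fresh SIM change into a reason to fall back to a stronger channel.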
By mid-morning, on December 8, Mr Donnelly again lost his Optus service, with the SOS message mysteriously reappearing on his iPhone screen.
He returned to the Optus store, he said, but this time an employee told him the SIM would not be replaced.
Mr Donnelly said the employee told him his iPhone was broken, and that it needed to be repaired by Apple.
Confused, he left the store and went home.
Soon after Mr Donnelly got a Facebook call on his laptop from his frantic partner.
The hacker hadn't wasted any time with this second opportunity. Various bank accounts had been stripped of cash, the funds swiftly transferred to CoinJar, a crypto exchange.
Mr Donnelly tried in vain to contact CoinJar, but the company's website displayed no phone number which could have helped intercept the malicious activity.
Mr Donnelly fears for what might happen in the coming weeks and months.
The hacker gained access to Mr Donnelly's ImmiAccount, the Department of Home Affairs portal that held all manner of his identifying documentation, the kind of material that often ends up sold on the dark net.
"I've completely lost my identity," he said.
"Mark Donnelly is ruined."
A source from cybersecurity support service IDCARE told 9news.com.au that sim swapping is now a major issue for telcos.
Hackers had turned their focus to simjacking after a long-favoured and lucrative technique known as "porting" was shut down following a spike in attacks and more stringent security protocols and measures being applied by telcos, the source said.
Porting also allows hackers to take control of someone's phone.
The TIO received over 500 complaints from consumers in the last financial year who said they had fallen victim to telco-related fraud.
In a report investigating how fraud and simjackings are executed which was released last month, the TIO blamed "weak security processes" at telcos as one of the key factors which help fraudsters gain access to accounts.
Australians lose millions of dollars from fraud each year, often facilitated through mobile phone scams and hacks.
AdaptiveMobile Security has uncovered a new and previously undetected vulnerability, Simjacker, exploited by a surveillance company for espionage operations.
The Simjacker vulnerability is currently being actively exploited by a specific private company that works with governments to monitor individuals. Simjacker and its associated exploits are a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks.
The main Simjacker attack involves sending a mobile phone an SMS carrying spyware-like instructions, which the SIM card inside the phone then executes to 'take over' the handset, retrieve sensitive information and perform commands on the attacker's behalf.
The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users.
During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated.
The Simjacker attack can, and has been extended further to perform additional types of attacks.
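What makes the attack silent is the envelope rather than the payload: an SMS whose protocol identifier is 0x7F ("(U)SIM Data download") with a class-2 data coding scheme is handed by the handset straight to the SIM's toolkit and never shown to the user. The following is an added example, not AdaptiveMobile's code or product: a minimal parser for the fixed header of a GSM SMS-DELIVER TPDU (3GPP TS 23.040) that identifies that combination, plus the filter an operator-side SMS firewall would apply, dropping such messages unless they originate from the operator's own over-the-air platform. The allow-list, phone numbers and payload bytes are constructed for the example; no real S@T command packet is reproduced.

```python
# Added example: parse the fixed part of a GSM SMS-DELIVER TPDU (3GPP TS 23.040)
# and flag the envelope that reaches the SIM's toolkit instead of the user: TP-PID
# 0x7F ("(U)SIM Data download") with a class-2 TP-DCS. An operator-side SMS
# firewall can drop such messages unless they come from the operator's own OTA
# platform. The allow-list, phone numbers and payload bytes below are constructed
# for the example; no real S@T command packet is reproduced.

SIM_DATA_DOWNLOAD_PID = 0x7F
OTA_PLATFORM_NUMBERS = {"+61400000001"}   # constructed allow-list of the operator's OTA senders


def dcs_class(dcs: int):
    """Message class (0-3) encoded in TP-DCS, or None if the DCS carries no class."""
    group = dcs >> 4
    if group <= 0x3:                      # general data coding: bit 4 says class bits are valid
        return dcs & 0x03 if dcs & 0x10 else None
    if group == 0xF:                      # data coding/message class group: bits 1-0 are the class
        return dcs & 0x03
    return None


def decode_bcd_number(raw: bytes, ndigits: int) -> str:
    """Reversed-nibble BCD digits as used in TP-OA; 0xF pads an odd-length number."""
    digits = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib != 0x0F:
                digits.append(str(nib))
    return "".join(digits[:ndigits])


def encode_bcd_number(digits: str) -> bytes:
    if len(digits) % 2:
        digits += "F"
    return bytes((int(digits[i + 1], 16) << 4) | int(digits[i], 16)
                 for i in range(0, len(digits), 2))


def parse_sms_deliver(tpdu: bytes) -> dict:
    if tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_digits = tpdu[1]                   # TP-OA length is given in digits (semi-octets)
    oa_toa = tpdu[2]
    oa_len = (oa_digits + 1) // 2
    pos = 3
    if oa_toa & 0x70 == 0x50:             # alphanumeric sender: keep the raw packed bytes
        originator = "alpha:" + tpdu[pos:pos + oa_len].hex()
    else:
        prefix = "+" if oa_toa & 0x70 == 0x10 else ""   # international numbering plan
        originator = prefix + decode_bcd_number(tpdu[pos:pos + oa_len], oa_digits)
    pos += oa_len
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    udl = tpdu[pos + 9]                   # the 7-byte TP-SCTS sits between DCS and UDL
    user_data = tpdu[pos + 10:]
    return {"originator": originator, "pid": pid, "dcs": dcs,
            "udhi": bool(tpdu[0] & 0x40), "udl": udl, "user_data": user_data}


def is_sim_data_download(msg: dict) -> bool:
    """The combination the handset forwards straight to the SIM toolkit."""
    return msg["pid"] == SIM_DATA_DOWNLOAD_PID and dcs_class(msg["dcs"]) == 2


def firewall_verdict(tpdu: bytes, allowed=OTA_PLATFORM_NUMBERS) -> str:
    msg = parse_sms_deliver(tpdu)
    if is_sim_data_download(msg) and msg["originator"] not in allowed:
        return "drop"
    return "deliver"


def build_sms_deliver(originator: str, pid: int, dcs: int, user_data: bytes) -> bytes:
    """Construct a TPDU for testing (timestamp zeroed; it is irrelevant to the filter)."""
    digits = originator.lstrip("+")
    toa = 0x91 if originator.startswith("+") else 0x81
    head = bytes([0x04, len(digits), toa]) + encode_bcd_number(digits)
    return head + bytes([pid, dcs]) + bytes(7) + bytes([len(user_data)]) + user_data


# Constructed sample traffic.
TEXT_PDU = build_sms_deliver("+61412345678", 0x00, 0x00, b"\xc8\x32\x9b\xfd\x06")  # "hello", 7-bit packed
ATTACK_PDU = build_sms_deliver("+15550001234", 0x7F, 0xF6, bytes(range(16)))        # opaque stand-in payload
OPERATOR_OTA_PDU = build_sms_deliver("+61400000001", 0x7F, 0xF6, bytes(range(16)))

if __name__ == "__main__":
    for name, pdu in (("text", TEXT_PDU), ("attack", ATTACK_PDU), ("operator OTA", OPERATOR_OTA_PDU)):
        print(name, parse_sms_deliver(pdu)["originator"], firewall_verdict(pdu))
```

The filter keys on the envelope alone because the SIM toolkit payload is opaque and varies between attacks; anything that asks the handset to hand a message to the SIM and does not come from the operator's own OTA sender has no legitimate reason to exist on the network. In practice the originator check should also cover messages arriving over interconnect with a spoofed or alphanumeric sender, which is why the parser keeps those rather than failing on them.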
Example of how Simjacker can track mobile phone location of vulnerable subscribers
The Scale of the Simjacker Vulnerability and Attacks
Simjacker has been further exploited to perform many other types of attacks against individuals and mobile operators, such as fraud, scam calls, information leakage, denial of service and espionage. AdaptiveMobile Security Threat Intelligence analysts observed the attackers varying their attacks and testing many of these further exploits. In theory, all makes and models of mobile phone are open to attack, as the vulnerability is linked to a technology embedded on SIM cards rather than to the handset. The Simjacker vulnerability could extend to over 1 billion mobile phone users globally, potentially impacting countries in the Americas, West Africa, Europe, the Middle East and indeed any region of the world where this SIM card technology is in use.
Stopping the attacks and building long-term defences
We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals. AdaptiveMobile Security has been working closely with its customers and the wider industry, including both mobile network operators and SIM card manufacturers, to protect mobile phone subscribers. We have blocked attacks and are committed to using our global threat intelligence to build defences against these new sophisticated attacks that are circumventing current security measures.
Simjacker – Next Generation Spying Over Mobile
We believe that the Simjacker vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance. Read on to discover more about this ground-breaking attack.
Simjacker - Frequently Asked Questions and Demos
Here we answer the most common questions and show example demos of the location-retrieval and browser-opening attacks made possible by Simjacker.