
SIMCARTEL Takedown in Latvia — 7 Arrested, 1,200 SIM-Boxes Seized

Action day in Latvia dismantled a SIM-box crime-as-a-service: 7 arrests, 1,200 devices and 40,000 active SIMs seized, 5 servers taken down, and thousands of victims across Europe.

4 min read | Updated: Nov 6, 2025 | OnionSpace Team

Overview

A coordinated action day in Latvia (10 Oct 2025) dismantled a sophisticated SIM-box crime-as-a-service operation codenamed “SIMCARTEL.” Authorities arrested five Latvian suspects on the day and two more during the wider operation (7 total), took down five servers, and seized ~1,200 SIM-box devices operating ~40,000 active SIM cards. Investigators linked the network to 1,700+ cyber-fraud cases in Austria and 1,500 in Latvia, with losses of ~€4.5M (AT) and ~€420k (LV).

The service sold phone numbers registered to people in 80+ countries, enabling perpetrators worldwide to create throwaway identities for smishing, phishing, account takeovers, and other telecom-enabled crimes—while masking true identity and location.


Headline results

  • 7 suspects arrested (5 on action day, 2 subsequently)
  • ~1,200 SIM-boxes and ~40,000 active SIMs seized
  • 5 servers hosting the illegal service dismantled
  • 2 domains (gogetsms.com, apisim.com) taken over by law enforcement with splash banners
  • €431,000 in bank accounts and $333,000 in crypto frozen
  • 4 luxury vehicles seized
  • 1,700+ cases (Austria) and 1,500 (Latvia) attributed; total damages several million euros
  • Hundreds of thousands of additional SIM cards also seized

Scale check: investigators estimate the platform’s renters created 49+ million online accounts using the illicit number pool.


How the service enabled crime

SIM-box infrastructure let clients route calls/SMS at scale using foreign numbers and rapid SIM rotation, making it easy to:

  • register fake accounts (social, messaging, fintech) en masse,
  • conduct smishing/phishing with believable local caller IDs,
  • evade blocks/traceback by cycling numbers across jurisdictions.

Offences observed (examples)

  • Second-hand marketplace fraud: mass fake accounts → smishing/phishing funnels.
  • “Daughter/Son” WhatsApp scam: impostors claim emergencies from a “new number,” pushing four-figure transfers.
  • Investment fraud: cold-calls, forced remote-access tools, staged dashboards; victims steered to deposit larger sums.
  • Fake shops / fake bank pages: rented numbers listed in site headers and callback flows to boost credibility.
  • Fake police officers: fraudsters (often targeting Russian-speaking victims) used forged IDs and in-person pickups of cash/valuables.

Takedown mechanics

  • Action day in Latvia with 26 searches, arrests, infrastructure seizures, and forensic imaging.
  • Europol & Eurojust coordinated cross-border work and judicial orders; weekly case meetings and OSINT mapping of the service.
  • Shadowserver assisted with technical dismantling; LE splash pages deployed on seized domains.
  • Financial measures froze fiat/crypto and preserved evidence for restitution and follow-on cases.

Participating countries (selection)

  • Austria: Bundeskriminalamt; LKA Salzburg; Staatsanwaltschaft Wien
  • Estonia: Police (Politsei); Northern District Prosecutor’s Office
  • Finland: Police; NCCU Finland; National Bureau of Investigation
  • Latvia: State Police; Rīga Judicial Region & Northern Prosecution Offices

Why it matters (OnionSpace view)

Telecom-as-a-service tools like SIM-boxes supercharge identity fraud and smishing at continental scale. After a takedown, operators often rebrand, re-host, and resurface with similar offerings.

What to watch
