Operation SIMCARTEL: The SIM Farm That Made a Mockery of UK SMS Verification
On the 10th of October 2025, the Latvian State Police Counterterrorism Unit “Omega” breached the doors of properties across Latvia. Inside, officers found racks of telecommunications equipment, computer hardware, and large quantities of SIM cards. The raids were the action day of Operation SIMCARTEL, coordinated by Europol and Eurojust with investigative support from Austrian, Estonian and Finnish authorities.
Seven people were arrested, five of them Latvian nationals. One had a prior investigation file in Estonia for arson and extortion. By the end of the day, the operation had seized 1,200 SIM-box devices containing 40,000 active SIM cards, alongside hundreds of thousands of additional unused SIM cards prepared for future deployment. Five servers were dismantled. Two websites were seized, gogetsms.com and apisim.com, both replaced with law enforcement seizure banners. Four luxury vehicles and €697,000 in frozen bank and cryptocurrency assets followed.
The damage attributable to the network is what makes this case the working example of industrial fraud in 2026: more than 49 million fake online accounts created via the platform, more than 3,200 known victims across Austria, Estonia and Latvia, €4.5 million in confirmed losses in Austria alone, €420,000 in Latvia, and a list of facilitated crimes that runs from phishing and investment fraud through to fake bank websites, fake police officer scams, extortion, migrant smuggling, and the distribution of child sexual abuse material.
This is not a story about clever hackers. This is a story about a fraud platform that operated on the open web, with a public price list, for years. And about a UK financial services industry that still relies on the security control that platform was specifically designed to defeat.
The platform model: passive income from your phone
The most damning detail in the Europol case file is also the most public. The network’s two customer-facing websites, gogetsms.com and apisim.com, were not hidden. They were not on Tor. They did not require an introduction from a forum administrator. Anyone with a browser could find them. Anyone with a credit card or a cryptocurrency wallet could buy access.
The pitch on gogetsms.com was straightforward. Temporary phone numbers, advertised for “secure” account verification, drawn from a pool of real SIM cards registered in more than 80 different countries. Buyers paid a small fee. The site sent them a code to verify a new social media, banking, or messaging account. The buyer used the code. The account was created. The phone number went back into the pool for the next buyer.
The other half of the model was the supply side. SIM-card owners could earn “passive income” by lending out their numbers to receive one-time password traffic. The site managed the routing through the SIM-box infrastructure. The owner kept a cut. Nobody on either side of the transaction needed to know who the eventual end user was, or what the account was being used for.
What it was being used for, according to Europol, was approximately every kind of online fraud currently affecting UK consumers and small businesses. Phishing operations. Smishing campaigns. Investment fraud, particularly crypto investment fraud. Fake online second-hand marketplaces. Fake bank websites. Daughter-son scams targeting elderly relatives. Fake police officer impersonation. Account takeovers on social media and communication platforms. And, sitting alongside the financial crimes, the distribution of child sexual abuse material and the coordination of migrant smuggling.
The platform was a logistics service. The crime was downstream.
What Operation SIMCARTEL actually seized
The post-action statement from Europol, published on the 17th of October 2025, is unusually specific. The seizure list is worth itemising in full, because most reporting in the UK trade press summarised it as “a major SIM farm bust” and moved on. The detail tells a different story.
The technical infrastructure: five servers running the platform backend, two public-facing websites (gogetsms.com and apisim.com) seized on action day, the entire transactional database of the service. This is not a description of an underground operation. It is a description of a small but functional technology company.
The hardware: 1,200 SIM-box devices, which are not consumer products. A single GSM modem with eight SIM slots costs perhaps £200. The criminal operator equipping a 1,200-device estate was operating at a scale comparable to a regional telecoms reseller. Combined with 40,000 active SIM cards and several hundred thousand more unused SIM cards in inventory, the procurement bill alone runs well into the millions.
The financial assets: four luxury vehicles, €431,000 in frozen bank accounts, and €266,000 in frozen cryptocurrency wallets. Total €697,000 in seized or frozen assets at action day, with the wider asset recovery investigation continuing.
The personnel: seven arrests, of which five were Latvian nationals. One of the principal suspects had been previously investigated in Estonia for arson and extortion, a detail Europol included in the operational statement and which the Latvian State Police footage corroborates. This was not a group of disorganised opportunists. This was an organised criminal operation with a track record.
The Shadowserver Foundation, a non-profit security organisation, provided the technical support for the infrastructure takedown. The fact that a public-interest charity sits inside the Europol takedown chain for a service of this scale tells you something about the resourcing imbalance.
The UK angle nobody wants to discuss
The Europol statement names Austria, Estonia, Finland and Latvia as participating jurisdictions. It does not name the United Kingdom. Read past the headline and the omission becomes interesting.
The platform sold temporary phone numbers from more than 80 different countries. Among those countries, mobile numbering ranges from the United Kingdom are widely available on equivalent services and were, by the operational pattern, almost certainly part of the SIMCARTEL inventory. The 49 million fake accounts created via the network were not segmented by national market. They were created on the social media, communication, payment and banking platforms used globally, which in many cases means the same Microsoft, Google, WhatsApp, Telegram, Facebook and major UK bank accounts UK customers use.
Now consider the UK financial services control environment. Open Banking onboarding. New current account applications at every UK high street bank. Insurance broker quotation portals. Conveyancing instruction confirmations. Self-assessment HMRC voice authentication fallback. SMS-based one-time passcodes are the default second factor across substantially the entire UK retail financial services sector, and the equivalent default for a large fraction of UK professional services onboarding.
That control has now been demonstrably defeated at industrial scale by a service that, until 10 October 2025, was operating publicly on a website with a price list.
The follow-on questions write themselves. How many of those 49 million fake accounts were used to defeat UK customer onboarding? Has any UK bank issued a customer communication acknowledging that SMS-OTP is no longer a viable single control for high-value account verification? Has UK Finance, the industry body, issued guidance? Has the Financial Conduct Authority opened a thematic review? Has the Information Commissioner’s Office said anything about the risk to customer due diligence under existing data protection requirements?
The public record, seven months after the arrests and three weeks after the IOCTA 2026 publication, says no on every count.
The IOCTA 2026 connection
The reason this case is back on the agenda in May 2026 is Europol’s own decision to elevate it. The Internet Organised Crime Threat Assessment 2026, published on the 28th of April, names Operation SIMCARTEL as the working example of why online fraud has become “the fastest-growing area of organised crime” in the EU and why the threat is now defined by velocity, concealment, and industrial-scale victimisation.
The IOCTA 2026 chapter on online fraud schemes is explicit. Industrial-scale SIM farms now underpin the majority of online fraud operations. The Latvian SIM-box case, the report says, illustrates how transnational physical infrastructure has been built specifically to defeat the SMS-based identity verification controls that retail financial services and consumer platforms rely on.
That is not an inference. That is the European Union’s flagship cybercrime assessment naming SMS-OTP as a defeated control, citing a specific operational case as the proof, and publishing the document on the 28th of April.
The UK cyber security industry’s response to that publication, as of the date of this case study, can be characterised in two words: deafening silence.
How to Turn This Into a Competitive Advantage
UK procurement processes for financial services, professional services, and increasingly for general B2B contracts include security questionnaires. Most respondents check the box marked “MFA enforced” and move on. The question that procurement teams should now be asking, and that wins competitive procurement when answered well, is: which MFA factor? Specifically, are SMS one-time passcodes being relied upon for any production authentication path?
Three concrete ways to convert the SIMCARTEL case into commercial advantage.
Lead with authentication factor specifics in client conversations. When a customer asks about MFA, do not say “yes, we use MFA”. Say “we have moved off SMS-based factors for production authentication paths because of the Europol SIMCARTEL takedown and the IOCTA 2026 finding that SIM-farm services have defeated SMS-OTP at industrial scale”. That sentence is a verifiable, defensible position. Your competitors cannot match it without the same work.
Build a customer briefing that names the control change. Most UK SMBs have not yet had a conversation with their customers about authentication factor migration. Being the first business in your sector to publish a one-page briefing that explains, in plain English, what has changed and why, is a commercial signal that you are ahead of the curve. Procurement teams forward documents like this internally. It is free reach.
Use SIMCARTEL in supplier accountability conversations. Your IT supplier has, presumably, configured authentication for your customer-facing systems. If those configurations include SMS as an option, the supplier now needs to explain why, against the current public record. The conversation should be in writing.
How to Sell This to Your Board
Boards respond to three things: financial risk, regulatory exposure, and competitive positioning. The SIMCARTEL case gives you a fact base for all three.
Financial risk argument. Operation SIMCARTEL has crystallised €5 million in confirmed losses across Austria and Latvia alone. The 49-million-account figure means the same operational pattern almost certainly affected UK businesses, even if no UK enforcement action has yet been announced. The board needs to know whether the current customer onboarding flow is exposed to the same defeated control. The cost of audit is trivial. The cost of an incident is not.
Regulatory exposure argument. The ICO and the FCA both expect organisations to apply reasonable controls calibrated against known threats. After the 28th of April 2026, SMS-OTP being defeated at industrial scale is part of the public record of known threats. Maintaining it as a sole second factor for high-risk operations is a position the board may struggle to defend on a regulatory inspection or in litigation arising from a fraud loss.
Competitive positioning argument. Your customers, and your customers’ customers, will increasingly be asking about authentication factor choice. The SMB whose board can demonstrate a documented response to the SIMCARTEL case file, even a modest one, is a different proposition in procurement from the SMB whose board has not heard of the case. The first wins contracts. The second loses them.
Ask the board to approve the audit, not a new product purchase. The anti-hero rule holds at board level. Most organisations already have access to app-based authenticators, hardware keys, or passkey-compatible identity providers. The work is configuration and migration, not procurement.
What to do this week
Three actions, all achievable inside a twenty-person company by Friday.
- Inventory your SMS-OTP touchpoints. Walk your customer onboarding, password reset, account recovery, and high-value transaction approval flows. Note every place an SMS one-time passcode is the second factor. For each, note the alternative factor your platform already supports.
- Set a migration deadline. Pick a date inside the next 90 days by which every production SMS-OTP path will have an enabled alternative. Communicate the date to your IT supplier in writing. The phrase “this is in response to the Europol SIMCARTEL case and the IOCTA 2026 finding” earns you a different response than “we should probably look at our MFA”.
- Draft a customer-facing one-page briefing. Explain, in plain English, what has changed and why. Send it to your top ten customers. Post it on your website. The reach is asymmetric: most of your competitors will not be doing this.
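The inventory and deadline steps above can be kept as a small script rather than a spreadsheet. This is an added example, not part of the original article: the flow names, factor labels and start date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SMS = "sms_otp"  # factor labels are assumptions for this example, not a product's API

@dataclass
class Flow:
    name: str
    enabled: set      # second factors currently switched on
    supported: set    # second factors the platform could offer
    high_value: bool = False

# Constructed inventory covering the flows the article says to walk.
INVENTORY = [
    Flow("customer_onboarding", {SMS}, {SMS, "totp", "passkey"}),
    Flow("password_reset", {SMS, "totp"}, {SMS, "totp"}),
    Flow("account_recovery", {SMS}, {SMS}),
    Flow("payment_approval", {SMS}, {SMS, "hardware_key"}, high_value=True),
    Flow("staff_admin_login", {"passkey"}, {"passkey", "totp"}),
]

def classify(flow):
    """Return (status, alternative factors) for one flow."""
    if SMS not in flow.enabled:
        return "ok", []
    enabled_alts = sorted(flow.enabled - {SMS})
    if enabled_alts:                      # alternative on, SMS still accepted
        return "sms_optional", enabled_alts
    available = sorted(flow.supported - {SMS})
    if available:                         # configuration work only
        return "sms_only_alt_available", available
    return "sms_only_no_alt", []          # needs a supplier conversation

def migration_plan(inventory, start, days=90):
    """List SMS-dependent flows, high-value and worst-exposed first."""
    rank = {"sms_only_no_alt": 0, "sms_only_alt_available": 1, "sms_optional": 2}
    rows = []
    for flow in inventory:
        status, alts = classify(flow)
        if status != "ok":
            rows.append((flow.name, status, alts, flow.high_value))
    rows.sort(key=lambda r: (not r[3], rank[r[1]], r[0]))
    return start + timedelta(days=days), rows

if __name__ == "__main__":
    deadline, rows = migration_plan(INVENTORY, date(2026, 5, 18))  # constructed start date
    print("Every SMS-only path needs an enabled alternative by", deadline)
    for name, status, alts, high_value in rows:
        print(f"{name:22} {status:24} {', '.join(alts) or '-'}")
```

Flows reported as sms_only_no_alt are the ones to raise with the IT supplier in writing, since the platform as configured offers nothing to migrate to.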
Operation SIMCARTEL is not a future risk. It is a past, prosecuted, publicly documented criminal enterprise that defeated the UK financial services industry’s default identity control at industrial scale. The UK industries that depend on that control have, so far, treated the case as European news.
It is not European news. It is your news.