1 comment

[ 1.2 ms ] story [ 12.5 ms ] thread
Posting this because it's a genuinely fascinating look at industrial scale account fraud infrastructure. The €5M in direct losses is notable, but what really caught my attention is how polished and accessible they made the whole operation.

The FaaS angle is what gets me. They weren't just running a SIMbox farm in a basement they had public websites, API documentation, and were essentially selling "bypass SMS verification as a service" to other criminals globally. That's a business model. That's engineering.

The scale is where it gets sobering. 1,200 SIMbox devices, 40,000 simultaneous SIM cards, 50 million fake accounts. That's not amateur hour. That's logistics, infrastructure, customer support. They'd solved the hard problems: How do you manage hardware at scale? How do you keep 40,000 SIMs operational? How do you make it easy enough that non-technical actors can integrate it into their fraud workflows?

And yeah, the systemic stuff is the real problem. We're all operating under the assumption that "phone verified" means something. It doesn't anymore, apparently. All those metrics everyone relies on user growth, engagement, review scores there's just... noise in there. A lot of noise.

Makes you wonder: for every verification layer we add, is there already a service like this being built to defeat it?