PlugwalkJoe's Five-Year Prison Sentence Highlights the Dangers of SIM Swapping in Crypto

British cybercriminal Joseph O’Connor, operating under the online alias PlugwalkJoe, has been convicted and sentenced to five years in U.S. federal prison for orchestrating a sophisticated SIM swap attack that netted him $794,000 in stolen cryptocurrency. The case, which centered on the compromise of a crypto exchange executive’s accounts in April 2019, represents one of the most high-profile prosecutions targeting digital asset theft through mobile account hijacking.

The PlugwalkJoe Story: From SIM Swapping to Federal Conviction

O’Connor’s criminal journey began in 2019 when he executed a SIM swapping attack against an unnamed cryptocurrency exchange executive, gaining unauthorized access to company systems and digital wallets. After his initial arrest in Spain in July 2021, O’Connor was extradited to the United States in April 2023. During his May 2023 court proceedings, he entered guilty pleas to multiple charges including conspiracy to commit computer intrusions, wire fraud, and money laundering.

The U.S. Attorney’s Office of the Southern District of New York disclosed the sentencing details in June 2023, revealing that beyond his five-year prison term, O’Connor was mandated to complete three years of supervised release and forfeit $794,012.64. The judgment underscored the severity with which federal authorities treat cryptocurrency-targeted cybercrime.

How SIM Swapping Enabled PlugwalkJoe’s Criminal Operation

The PlugwalkJoe case exemplifies the mechanics of mobile account hijacking. After successfully rerouting the exchange executive’s phone number to a device under his control, O’Connor infiltrated associated accounts and computing infrastructure. Once inside, he methodically siphoned cryptocurrency and obscured the trail through a complex network of transfers and exchanges. Notably, he converted portions of the stolen assets into Bitcoin using various cryptocurrency exchange services before funneling some funds into accounts registered under his identity.

The SIM swapping attack served as the gateway to a broader criminal enterprise. Beyond the initial $794,000 theft, PlugwalkJoe’s co-conspirators exploited the same techniques during the July 2020 Twitter security breach, where coordinated attackers compromised approximately 130 high-profile accounts. During this incident, the group generated approximately $120,000 in illicit cryptocurrency proceeds by leveraging the compromised accounts to promote fraudulent schemes and selling account access to other bad actors.

PlugwalkJoe’s involvement extended beyond financial theft. Court documents reveal he weaponized his access by orchestrating swatting attacks against victims—falsely reporting emergencies to dispatch authorities—and engaging in extortion campaigns, notably threatening to publicly release private Snapchat messages unless targets complied with his demands.

SIM Swapping Remains an Evolving Threat in Crypto Security

Despite the passage of years since PlugwalkJoe’s initial crimes, SIM swapping continues to pose a persistent vulnerability for the cryptocurrency sector. The attack mechanism exploits the weakest link in account security: mobile phone control. By manipulating telecommunications providers or using social engineering tactics, bad actors gain control over a victim’s phone number. This access immediately compromises any account relying on SMS-based two-factor authentication, allowing attackers to reset passwords and drain digital assets.

Recent incidents underscore the technique’s continued prevalence. Blockchain security researcher ZachXBT recently documented a coordinated campaign targeting at least eight prominent crypto figures, including Pudgy Penguins founder Cole Villemain, Grammy-winning artist and NFT collector Steve Aoki, and Bitcoin Magazine editor Pete Rizzo. The perpetrators deployed phishing links through hijacked accounts to siphon nearly $1 million from unsuspecting victims.

The PlugwalkJoe case and subsequent SIM swapping incidents highlight that conventional security practices remain insufficient against determined attackers. As long as SMS-based verification persists as a fallback authentication method, the cryptocurrency community faces an ongoing threat landscape that demands both individual vigilance and industry-wide security innovation.