A 21-year-old student from the U.S. who stole over $7.5 million in cryptocurrency via SIM-swapping hacks has been sentenced to 10 years in prison.

The Santa Clara County’s District Attorney’s Office announced Monday that the thief, Joel Ortiz, had hacked the cellphones of at least 40 individuals. Ortiz was a “prolific” SIM swapper, the Attorney’s Office said, adding that in one crime in May 2018, he stole more than $5.2 million “in minutes” from a cryptocurrency entrepreneur in Cupertino, California.

He “lavishly” spent the stolen funds, including $10,000 at Los Angeles clubs, hiring a helicopter to go to a music festival and on Gucci luggage and clothing, according to the announcement.

Ortiz was taken into custody at Los Angeles International Airport last year and pleaded no contest (accepting the charges but not pleading guilty) to 10 felony theft charges earlier this year.

After two hearings, Ortiz was sentenced on Friday by Santa Clara County Judge Edward Lee, becoming one of the first people in the U.S. to be convicted of stealing cryptocurrency by SIM swapping.

Judge Lee said:

“These are not Robin Hoods. These are crooks who use a computer instead of a gun. They are not just stealing some ethereal, experimental currency. They are stealing college funds, home mortgages, people’s financial lives.”

The case was investigated by the REACT (Regional Enforcement Allied Computer Team) Task Force, which subsequently seized $400,000 from Ortiz after his arrest. The rest of the funds have either been spent or have been concealed, the Attorney’s Office said.

SIM-swap hacks – in which attackers manage to clone victims’ SIM cards in order to access online accounts – are an increasingly popular means of crypto theft. Earlier this year, a 20-year-old man from Ohio was formally charged in a New York Supreme Court indictment for stealing the identities and cryptocurrency holdings of over 50 victims across the U.S. via SIM-swaps.

In November, U.S.-based law firm Silver Miller filed arbitration claims against AT&T and T-Mobile on behalf of victims of SIM-swap hacks, saying one of its clients had lost over $621,000 in cryptocurrency in this way.

The law firm alleged:

“By leaving holes in their security protocols and failing to properly train and monitor their employees, cellphone providers have assisted thieves in remotely taking over the SIM cards in people’s smartphones, accessing financial records and account information of the victims, and emptying the victim’s accounts of cryptocurrency and other valuable assets.”

SIM card image via Shutterstock