Canadian Teenager Stole $37 Million in Bitcoin via SIM Swap Attack

Blockchain investigator ZachXBT has exposed a significant SIMSIM-- swap attack carried out by Canadian teenager Cameron Redman in 2020. At the age of 17, Redman hijacked the phone number of crypto investor Josh Jones, gaining access to two-factor authentication codes and seizing over 1,547 Bitcoin and 60,000 Bitcoin Cash, valued at approximately $37 million at the time. Redman attempted to launder the stolen assets through hundreds of microtransactions routed via centralized crypto exchanges. However, law enforcement managed to recover only $5.4 million, leaving over $31 million unaccounted for. Redman was eventually charged in November 2021 in Canada, with support from U.S. federal agencies. Due to his minor status at the time, legal protections initially shielded his identity during early proceedings.

ZachXBT has since argued that the current legal protections for juveniles are insufficient in high-value cybercrime cases. He suggests that juvenile laws should not apply to offenders involved in multimillion-dollar thefts. ZachXBT's findings indicate that Redman continued to engage in social engineering and online fraud schemes even after being charged, highlighting a failure of the justice system to deter repeat offenders. This underscores the urgent need for more specific legislation to address such crimes.

SIM swapping, a form of identity theft where an attacker convinces a mobile provider to transfer a victim’s phone number to a SIM card they control, has become one of the most effective forms of crypto-related cybercrime. This tactic allows attackers to intercept SMS verification codes and access secure accounts, including cryptocurrency wallets. The surge in reported SIM swap cases globally indicates a growing and well-organized threat targeting both retail investors and public figures. In the United Kingdom, incidents rose by over 1,000% in one year—from 289 to nearly 3,000 cases. In the United States, the FBI tracked over $68 million in SIM swap-related losses in 2021, followed by $48.8 million in 2023, and $82 million in 2024.

Security experts recommend several countermeasures to defend against these attacks. Key suggestions include replacing SMS-based two-factor authentication with dedicated authenticator apps, setting PINs with mobile carriers, reducing personal data exposure online, and swiftly responding to account changes. However, experts also agree that technology alone cannot solve the problem. Without updated laws and stricter punishments, SIM swappers—especially younger ones—will continue exploiting regulatory loopholes. The increasing sophistication of these attacks reveals critical weaknesses in cybercrime legislation, highlighting the need for more robust legal frameworks to combat this growing threat.