European police forces have arrested seven people and dismantled a large-scale cybercrime-as-a-service operation that saw almost 50 million fake online accounts created across social media and communications platforms for fraud purposes.

Seized SIM boxes in Latvia
Latvian Police/Europol

The coordinated takedown, codenamed Operation SIMCARTEL, took place on October 10 in Latvia, as part of a joint investigation by police in the Baltic nation, Austria, Estonia and Finland.

Five Latvian nationals and two additional suspects were arrrested by police.

In the raid, authorities seized 1200 SIM boxes, with the devices containing 40,000 active SIM cards.

Five Internet servers were taken down, along with two websites that had been offering the illegal service, gogetsms.com and apisim.com.

The network operated as a for-hire service, providing temporary telephone numbers from more than 80 countries to criminals who needed to mask their identities whilst committing cybercrimes.

Fraudsters used the service to bypass two-factor authentication systems so as to create vast numbers of fake accounts.

Once created, the bogus accounts served as starting points for various scams including investment fraud, fake online shops, and phishing attacks.

The infrastructure facilitated a range of offences including fraud, extortion, migrant smuggling and the distribution of child sexual abuse material.

Scammers employed tactics including the "daughter-son scam", where criminals persuaded victims that their child needed urgent financial help, alongside more traditional phishing and smishing attacks.

Some of the criminals specialised in fraud on second-hand marketplaces, whilst others set up fake investment websites and bogus online shops.

In other cases, criminals impersonated police officers using forged identification, personally collecting funds from victims.

Financial losses in Austria alone are said to be to around €4.5 million ($7.4 million), with an additional €420,000 ($693,000) lost in Latvia.

Around €431,000 ($711,000) was seized from the criminals' bank accounts, along with approximately $516,000 worth of crypto currency.

Police investigators working with Europol and Eurojust, attributed over 1700 individual cyber fraud cases in Austria and 1500 in Latvia to the criminal network.

Europol provided analytical support, open-source intelligence analysis for mapping the online criminal service, and forensic expertise to secure digital evidence.

The agency worked with the not-for-profit Shadowserver Foundation security organisation to dismantle the technical infrastructure.

In September this year, United States law enforcement busted another "SIM farm", with 300 devices and with over 100,000 subscriber identity cards found on the site near the United Nations headquarters in New York City.

The US Secret Service was involved in the raid in New York, and suspected nation-state threat actors were operating the SIM farm.