Police Dismantle Massive SIM Box Bot Farm Used to Power Global Fraud

In one of Vilnius’s districts, Lithuanian police carried out a large-scale operation to dismantle a bot farm operating on a network of so-called SIM boxes. The seized equipment indicates that the resources were used in a variety of fraudulent schemes targeting PayPal, Facebook, Google, Telegram, and WhatsApp. The scale of the operation proved staggering — authorities discovered over 75,000 SIM cards, more than 200 SIM boxes, and around 100 computers in the suspects’ possession.

According to police reports, this infrastructure could have supported the operation of hundreds of thousands of fake accounts across social networks and payment platforms. The SIM cards were used both to create counterfeit profiles and to conduct voice communications via VoIP protocols. By exploiting these methods, the perpetrators were able to bypass phone number verification, enabling them to mass-distribute phishing messages, engage in advertising fraud, and manipulate user behavior metrics on a massive scale.

The operation was launched after Lithuania’s Communications Regulatory Authority alerted police to suspicious SIM-farm activity within the capital. An analysis of network infrastructure revealed abnormal traffic loads across several cellular base stations. Following the investigation, law enforcement officers focused their efforts on three sites located in administrative buildings. The search was complicated by restricted access to the premises and the clandestine nature of the bot farm’s operations.

During the raids, two individuals were detained for questioning. Investigators established that the suspects had traveled extensively across Europe, purchasing SIM cards from multiple telecom operators to sustain the botnet’s continuous operation. The SIM boxes themselves were used to automate card management and reroute activity through the network.

This marks the second major case involving bot farms in the region within a week. Just days earlier, Europol reported a successful operation in Latvia, where authorities seized approximately 1,200 SIM boxes and 40,000 active SIM cards, and shut down five servers supporting the network. Taken together, both operations point to the existence of a vast criminal infrastructure operating throughout Eastern Europe.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy