“Using specialized software and social engineering, the perpetrators gained unauthorized access to the infrastructure of entities cooperating with telecommunications operators and employee email accounts,” reads the Polish Cybercrime Bureau’s announcement, an account that lays bare a methodical campaign of intrusion and theft.
Polish authorities, FBI and HSI coordinate an international takedown
Poland’s Cybercrime Bureau (CBZC) announced the arrest of four people in a coordinated action, carried out with support from the U.S. Federal Bureau of Investigation (FBI) and Homeland Security Investigations (HSI). The four suspects have been placed in pre-trial detention and now face charges of participation in an organized criminal group, hacking into IT systems to commit theft, and money laundering. According to the authorities, those offenses carry a maximum combined penalty of 25 years in prison.
Technique: breaching telecom partners, hijacking emails, and SIM swaps
Investigators say the group targeted the infrastructure of entities that cooperate with telecommunications operators, along with employee email accounts, to obtain the data needed for SIM-swapping attacks. According to the CBZC statement, the perpetrators used “specialized software and social engineering” to gain unauthorized access, then illegally cloned and took over victims’ phone numbers. By intercepting SMS messages and email communications tied to accounts, the actors were able to seize control of accounts at cryptocurrency exchanges.
Scale of theft and laundering: “several tens of millions” of złoty
Polish investigators estimated that the funds laundered via this scheme exceed “several tens of millions of Polish złoty,” which the CBZC notes would translate into at least $5 million based on the current exchange rate. The bureau described how the group treated the activity as “a regular source of income,” moving stolen funds through multiple bank accounts across various countries and into digital wallets, a pattern the announcement described as laundering “via a distributed financial network.”
Public identification and investigative leads
CBZC did not name the arrested individuals in its public announcement. Separately, blockchain crime investigator ZachXBT identified one person depicted in images released from the police raid as Wojtek Kulisz, aka “Merry.” That attribution was reported by the investigator on the basis of images the authorities provided from the raid; the CBZC statement itself withheld names.
What this means for technologists, regulators, and cryptocurrency exchanges
- Technologists and security teams will be watching for unauthorized access to the infrastructure of entities that cooperate with telecommunications operators and for compromises of employee email accounts — the very entry points CBZC says the group exploited.
- Policymakers and regulators will note the cross-border nature of the alleged laundering: multiple bank accounts in various countries and transfers into digital wallets underscore the transnational challenges that triggered FBI and HSI cooperation with the CBZC.
- Cryptocurrency exchanges and account holders will be reminded of the operational risk posed when phone numbers and email channels are intercepted; investigators linked such interception directly to the loss of control over exchange accounts in the CBZC account of events.
Legal posture and open steps
The four individuals are in pre-trial detention and face the full range of charges outlined by the CBZC: organized-crime participation, IT system hacking for theft, and money laundering. The bureau’s public release frames the activity as organized, repeatable, and financially motivated — “a regular source of income” — and emphasizes the use of foreign accounts and digital wallets to conceal proceeds. With sentencing exposure of up to 25 years, prosecutors in Poland have positioned the case for a significant criminal proceeding.
The arrests close a chapter of active theft and alleged laundering, but the facts in the CBZC announcement make clear that the underlying vulnerabilities — access to telecom partner infrastructure, compromised email accounts, and the ability to reroute SMS and account recovery flows — were the enablers. Whether investigators will trace the distributed financial network to additional actors or infrastructure is a question left to forthcoming legal filings and the next stages of the cross-border inquiry.




