-
A 35-year-old man stole ID details of 1,500 people and successfully hijacked 35 phone numbers.
-
He bypassed multifactor authentication to drain bank accounts and even sell stolen numbers online.
-
Police urge you to watch for unexpected texts about phone porting, or sudden “SOS only” signal.
A phone scammer got 26 months behind bars. He stole people’s digital lives from a couch in Lynbrook. His method was clever, leading to devastating losses for victims.
The Man Behind the Screen
Patrick Michael Hric, 35, bought stolen identities on the dark web. He used cryptocurrency to grab keylogger files from a Russian marketplace. That’s how he got his hands on people’s passwords and login credentials.
When he got arrested in March last year, the police discovered personal data of about 1,500 people. These included bank account details, payslips, driver’s licenses, MyGov logins, and even passports. And the worst part? These were all ready to use.
Hric spent a full month researching how to bypass security measures. He wanted to transfer phone numbers without permission. And he figured it out.
How the Porting Scam Worked
Hric targeted mobile numbers first. He transferred each victim’s phone number onto a separate e-SIM card from TPG. That move let him bypass multifactor authentication. Banks and email services thought it was really you. But it was him.
The dark web is a primary marketplace for phone numbers used in these attacks. Instagram user data, including phone numbers, has been advertised on dark web markets, a reminder that SIM-swapping relies on stolen phone numbers.
He pulled off 35 successful phone number ports. He tried 73 more times on 54 other numbers. Most attempts failed, but the damage was already big. Two years back, he illegally gained access to bank accounts belonging to eight victims.
One victim lost $9000 to unauthorized bank transactions. Then another person lost about $3724, though the bank later refunded that one.
A Shopping Spree on Someone Else’s Dime
Hric opened a Latitude credit card under a victim’s name and spent $12.790 at JB Hi-Fi buying laptops, a mobile phone, and a tablet.
But it got worse. In another case, Hric placed an unauthorized order to sell $23,312 worth of shares from a victim’s Commsec account. The victim blocked the sale after getting a notification.
Another person noticed that $330 had gone missing from their bank account. Then they later lost access to the account entirely. The victim rushed to a branch of their bank and watched in real time as the scammer made another $1130 purchase at Dan Murphy’s, BP, and Uber Eats.
That victim’s bank, NAB, reimbursed $920. But it took weeks to recover the mobile phone service.
Bragging on Telegram
Hric didn’t just use the stolen numbers himself. He advertised them on an encrypted Telegram chat group.
He offered ported phone numbers for $250 each. His own words to police said it best: “The end game was always financial gain.”
When successful, he took between a couple of hundred and a couple of thousand dollars. But he admitted eight out of ten tries got him nothing out of it.
Judge Anthony Lewis wasn’t impressed by that math. He called Hric’s invasion of privacy ‘heinous.’ His moral culpability? “Very high order.”
How the Court Proceedings Went
Hric made a guilty plea, admitting to 12 counts of computer fraud-related charges. Before this case, he already had community correction orders for dishonesty.
His engagement with those orders was “relatively poor,” the judge said.
A psychologist painted a messy picture. Hric didn’t have a job, was strained financially, abused meth, and went through a relationship breakdown. Doctors diagnosed major depression, generalized anxiety, and stimulant use disorder.
Still, the judge saw hope. Hric made full admissions to police. He handed over passwords to his phone and computer.
His lawyer argued he wanted to help authorities fix security holes in telco systems. But he still got sentenced to 26 months in jail; however, there’s a possibility of release after one year on recognizance release order.
For two years after that, probation officers will watch him. He must follow mental health treatment and a good-behavior bond.
What You Need to Watch For
Australian Federal Police Detective Superintendent Bernard Geason put it plainly. Scammers will go far to steal your data.
So stay alert. If you get an unexpected text from your mobile provider saying you requested a number port, pause. That could be a scammer. Also, watch for sudden disconnection. If your phone shows “SOS only,” someone may have stolen your number.
Act fast if this happens. Call your mobile provider immediately. Call your bank too. Freeze transfers. Cancel affected cards. Then report everything to ReportCyber. Your quick action might stop the next victim from losing everything.
For eight real people in Australia, the damage is already done. For Hric, the next 12 months will feel very different from a dark web shopping spree.
