Yes, none of the victims, at least from the sentencing report, sound like they were vocal crypto bros. They sounded more like regular families. If they weren't public figures, I also would really like to know why they were targeted. That's scary.
From the “Dirty Comms” episode of Darknet Diaries, a SIM swapper being interviewed describes how attackers will use breach information from other crypto-related sites to credential-stuff Coinbase. That doesn’t necessarily get you very far because of MFA, but there was seemingly a brief window when Coinbase had a vulnerability for checking account balances without triggering MFA, so attackers were able to identify tons of email addresses associated with large crypto holdings. I imagine this information is available if one were to seek it out.
> DREW: I don’t even know if you’re gonna believe me whenever I tell you this, but there was an exploit in Coinbase for about one month where you could check the balance of any valid password and username. You could – no matter what. You didn’t need to have any sort of access except username and password. So, you didn’t need to SIM them to see their balance. So, people just ran millions upon millions of combos, combo list through Coinbase, and just found the millionaires of Coinbase. There’s obviously millions of those.
If those transactions associated with the account leaks, the funds can be followed. This will often mean transactions flowing to off-chain wallets of KYC'd owners.