Global SIM Farm Network Exposed: 87 Control Panels Across 17 Countries
A recent investigation has unveiled a vast mobile proxy network operating across 17 countries, utilizing 87 exposed control panels to facilitate large-scale fraudulent activities. This network, powered by a Belarus-based software platform called ProxySmart, manages at least 94 physical phone-farm locations, enabling operations such as identity evasion, bot activity, and various forms of cyber fraud.
The ProxySmart Platform
ProxySmart serves as a comprehensive solution for operating and monetizing physical SIM farm infrastructure. It offers device management, automated IP rotation, customer provisioning, plan enforcement, and anti-bot countermeasures. The platform supports both physical smartphones and USB 4G/5G modems, with phone-based farms enrolling devices via an unsigned Android application package (APK). Notably, ProxySmart includes operating system fingerprint spoofing capabilities, allowing farm operators to simulate TCP/IP stack signatures from various systems, thereby undermining detection mechanisms employed by anti-fraud systems.
Global Reach and Carrier Access
The investigation identified 87 instances of the ProxySmart control panel accessible on the public internet, linked to at least 24 commercial proxy providers and 35 cellular carriers worldwide. The network spans at least 94 physical farm locations across North America, Europe, and South America, with a significant presence in 19 U.S. states, including California, Texas, Maine, and Delaware.
ProxySmart-backed farms advertise access to major global networks, including AT&T, Verizon, T-Mobile, Vodafone, EE, O2, Deutsche Telekom, Telstra, Rogers, and over 30 others across the U.S., Europe, Australia, and Latin America. This extensive carrier access enables a wide range of illicit activities at an industrial scale.
Illicit Activities Enabled by SIM Farms
The capabilities provided by SIM farms facilitate various fraudulent activities, including:
– SMS-based One-Time Password (OTP) Bypass: Intercepting OTPs to gain unauthorized access to accounts.
– Fake Account Creation and Social Media Manipulation: Generating and managing fake profiles to influence public opinion or conduct scams.
– Botting and Automated Engagement: Using automated scripts to interact with online platforms, skewing engagement metrics.
– Geo-Restriction Circumvention: Bypassing regional content restrictions, including evading state censorship in countries like Russia, China, and Iran.
– Payment Fraud: Intercepting financial verification codes to commit financial fraud.
The mobile proxies operate behind carrier-grade Network Address Translation (CGNAT), meaning a single IP address can be shared by multiple legitimate users. This architecture makes IP-based blocking largely ineffective. Combined with rapid IP rotation achieved by toggling airplane mode for a few seconds to force carrier reassignment, these farms can cycle through addresses at will, complicating detection and enforcement efforts.
Lack of KYC Verification
The investigation revealed that meaningful Know Your Customer (KYC) verification was uncommon among reviewed providers. Some explicitly advertised zero KYC requirements, effectively making global carrier access available to any buyer with a payment method. This lack of verification facilitates anonymous and untraceable activities, posing significant challenges for law enforcement and cybersecurity professionals.
Law Enforcement Actions
The findings follow a series of major law enforcement actions against SIM farm infrastructure. In September 2025, the U.S. Secret Service and Europol dismantled a large-scale cybercrime-as-a-service network responsible for fueling thousands of online fraud cases across Europe. The operation, known as SIMCARTEL, resulted in five arrests, the seizure of key infrastructure, and the disruption of a sophisticated online criminal marketplace. Authorities executed 26 searches across multiple sites, arresting five Latvian nationals suspected of operating the illegal platform. Investigators seized five servers, 1,200 SIM-box devices, and more than 40,000 active SIM cards used to power the fraudulent service. Two linked websites, gogetsms[.]com and apisim[.]com, were taken over by law enforcement and replaced with seizure notices.
The dismantled service had enabled more than 49 million fake online accounts and was tied to over 3,200 known cyber fraud cases across Austria and Latvia alone. Financial losses from these crimes exceeded EUR 4.5 million in Austria and an additional EUR 420,000 in Latvia. Authorities also froze EUR 431,000 in bank assets, USD 333,000 in cryptocurrency, and confiscated four luxury vehicles belonging to suspects.
Implications and Recommendations
The exposure of this extensive SIM farm network underscores the evolving nature of cyber threats and the challenges in combating large-scale fraudulent activities. The use of physical devices connected to legitimate carrier networks allows threat actors to bypass traditional detection methods, making it imperative for cybersecurity professionals to develop more sophisticated countermeasures.
Organizations are advised to implement robust security protocols, including:
– Enhanced Monitoring: Deploy advanced monitoring tools to detect unusual patterns indicative of bot activity or unauthorized access.
– Multi-Factor Authentication (MFA): Implement MFA to add an additional layer of security, making it more difficult for attackers to gain unauthorized access.
– Regular Audits: Conduct regular security audits to identify and mitigate potential vulnerabilities.
– User Education: Educate users about the risks of phishing and other social engineering attacks to reduce the likelihood of successful exploitation.
As cybercriminals continue to innovate and adapt, it is crucial for both the public and private sectors to collaborate in developing and implementing effective strategies to counteract these threats.
