Six key questions about the dismantled network capable of crippling New York’s cell system

By David J. Lopez, CNN

(CNN) — The US Secret Service this week revealed that a probe into a surge of swatting calls against high-ranking officials led investigators to a vast and stunning network of more than 100,000 SIM cards and 300 SIM servers.

The servers could have been commanded remotely to create massive amounts of phone traffic in a stealthy and unceasing operation that switched out SIM cards quickly to keep federal law enforcement off its trail.

The hidden electronic maze – concentrated within 35 miles of New York City – was so powerful, it could have sent an encrypted and anonymous text to every human being in the United States within 12 minutes, said Matt McCool, the special agent in charge of the Secret Service’s New York field office. It could have overwhelmed cell towers, toppling New York City’s cell service.

CNN chief law enforcement and intelligence analyst John Miller and CNN law enforcement analyst and former Secret Service agent Jonathan Wackrow on Thursday addressed six key questions related to the investigation into the dismantled network:

Are the authorities any closer to determining who’s responsible for running this network?

Miller: So far there are no arrests, but the fact that investigators were able to get from anonymous, encrypted calls coming through the internet to the point of finding physical locations and equipment shows that they have the talent and the resources in this area. Now that they have the physical equipment and the locations, there are additional ways that they can keep pulling that thread toward an actual person or people. One real indicator is that someone had to be there to rent those places, buy that equipment, bring it in, set it up, and contract for services like WiFi to transmit the signals. Each one of those represents an element that can be pursued as an investigative lead. But make no mistake — the people behind this operation, whatever it is, have gone to great lengths to conceal their identity and purpose.

Early forensic analysis suggests foreign governments and criminals in the US have used this hidden electronic maze to run their organizations. Who could be behind this network and what are their goals?

Wackrow: What we are witnessing is a blend of hostile actors with different groups using the same system for their own ends. On one side, you have organized crime groups and their fraud syndicates that monetize scale through phishing, account takeovers, bulk payment fraud, and spam. For them, a “SIM farm” is infrastructure, one that is cheap to run and efficient for moving money or masking activity. Then there are the criminal “service providers” and resellers, the middlemen who build the boxes, lease SIM pools, and sell anonymity to anyone willing to pay. Transnational organized crime with both financial and tactical goals may also use these systems to run command-and-control and move communications across borders. Finally, nation-state actors or proxies who piggyback on the same infrastructure for espionage or influence operations. Leveraging the network for covert communications, always keeping plausible deniability.

Their goals fall into two buckets: money and operational effect. Some groups are purely profit-driven. They scale fraud and sell identity and access, all while bypassing traditional security measures. Others want disruption, concealment, or tactical advantage. Degrading cellular capacity during a critical window, masking covert communications, or creating chaos to draw responders away. The real danger is when those motives collide.

A criminal group builds and rents the gear, a foreign actor quietly moves traffic through it, and an extremist or mercenary tests it for disruption. Each user increases the overall risk. When profit and political or tactical objectives share the same platform, a tool meant for fraud becomes a weapon; fast, quiet, and at massive scale.

How vulnerable is our critical infrastructure to an attack from SIM farms like those discovered in the New York metropolitan area?

Wackrow: Most people assume our critical infrastructure is hardened and protected, but this case proves otherwise. A network built from nothing more than SIM cards had the potential to disrupt core services we rely on every day. In New York, investigators found it could have flooded cell towers with so much traffic that 911 calls might not connect while police, fire, and EMS would struggle to coordinate. That is not just an inconvenience. It can be a matter of life and death.

And the threat does not stop at phones. Hospitals depend on cellular links for patient monitoring and emergency communications. Transportation systems use it to track trains, buses, and logistics. Power grids, water systems, and even financial networks are tied into connected devices that quietly run in the background. If those links fail, the ripple effect is immediate and severe. That’s why this bust is a warning shot. We can’t only prepare for hackers breaking in through code. We must prepare for attackers overwhelming the systems themselves.

The Secret Service’s Advanced Threat Interdiction Unit set out six months ago to unmask the layer of burner phones, changing phone numbers and SIM cards swatting American officials. After this massive discovery, what are investigators most concerned about going forward and where does the investigation go from here?

Miller: The Advanced Threat Interdiction Unit was actually set up because of the increasing technical capability of bad actors and the fact that law enforcement needed to match that level of expertise. That unit is made up not just of Secret Service agents but computer scientists and analysts with a background in cyber.

There are several outstanding elements in this case. One is the sheer computational power of the infrastructure that this operation built in a circle around New York City — 300 servers and the equivalent of 100,000 different phones could be commanded to overwhelm the cellular infrastructure of the greater metropolitan area by unleashing millions of calls per minute. But Secret Service investigators are not sure that that was the intended purpose. What the agents and their cyber experts are probing is who built this, who ran it, and for what purpose. It is just as likely that this was designed as a dark telephonic switchboard that could connect any criminal organization that could afford it. The Secret Service told us that early evidence showed it was being used as a communications platform for terrorists, hostile foreign powers, human traffickers, and drug cartels. So that means it could’ve been set up by a nation-state or an organized crime entity or even a hacker group because it offers what these kinds of actors need — encryption, anonymity, and a bottomless supply of available phone numbers to use to make it difficult for authorities to pinpoint one set of numbers being connected to any single organization.

One concern now is if this network could be reconstituted, then investigators would have to track it down again. Nor is it lost on investigators that if a major criminal organization or a nation-state is behind this, then they have to assume there might be others in Chicago, Los Angeles, El Paso, or Washington, DC. And given the computational power of hundreds of servers, it could be used for communications or as a weapon.

The unit is now working to identify other similar networks. How do they go about doing that?

Wackrow: The next step is about turning what has been seized into an investigative strategy. Special agents along with their technical counterparts will disassemble the servers, then digitally analyze SIM cards and the logs to see exactly how this network operated and who it is connected to. From there, they will layer in telecom data to identify other clusters that look and behave the same way. That’s the protective-intelligence piece, leveraging one discovery to anticipate and block the next threat before it can take shape.

The Secret Service will not be working in isolation. They will work collaboratively with the FBI, Homeland Security Investigations, the members of the intelligence community, along with local and state law enforcement partners. Some of those agencies will focus on the criminal cases. Others will focus on the foreign-actor perspective. The Secret Service, for its part, will keep its eye on immediate protective risks. It is a collaborative approach: Move quickly, share intelligence, and make sure that if there are other networks hiding out there, they’re found and shut down before they can disrupt critical systems.

There are still so many unanswered questions here. Both of you have decades of experience in law enforcement: What do you think is the most important question for investigators to answer first here?

Wackrow: The first thing investigators must figure out is simple but critical. Who was really in control of this network and what were they planning to do with it? Was it mainly a criminal scheme to make money that others happened to use, or was there a deliberate plan to disrupt New York during one of the busiest weeks of the year? That answer shapes everything else. The criminal charges, how the US responds if a foreign government was involved, and how urgently other cities need to hunt for similar setups.

When you are talking about more than 300 servers and 100,000 SIM cards packed into a tight radius around New York, the stakes are enormous. If this system had been activated at scale, it could have blocked 911 calls and disrupted protective operations. So, the immediate priority is closing the loop on who commanded it, how it was financed, and whether overseas actors were in play. Once that picture is clear, investigators can move to shut down any copycats before they get this far.

Miller: How would they fight this? In New York City, beginning around 2016, Lt. Gus Rodriguez (who was in charge of cyberintelligence for the NYPD) began an initiative with New York City’s critical infrastructure partners — the things that couldn’t break because they were essential, like cellular communications, water, power, hospitals, 911, police, fire, and ambulances. We experimented with how to fight off attacks just like the kind this system would’ve been capable of. This meant travelling to the IBM cyber range in Boston and simulating attacks on things like the cellular network and then having our own critical infrastructure try and thwart those attacks. In those battles we didn’t always win, but the NYPD, the FBI, and the critical infrastructure partners in the cyber-initiative in NYC at least learned how to fight, and in the years since, we’ve learned a lot. They need to be doing that across the country.

The-CNN-Wire
™ & © 2025 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.

CNN’s Nicki Brown and Celina Tebor contributed to this report.