- SIM farm deployments across 17 countries connected via shared ProxySmart software
- Remote SIM infrastructure enables bypassing phone-based verification systems globally
- Network connects dozens of telecommunications companies across Europe, North America and beyond
A previously unreported network of SIM farms linked to a Belarus-based provider has been identified across multiple continents, showing how mobile networks are being used to support large-scale fraud operations.
Research published by the British cyber firm Infrawatch found a distributed infrastructure that allows remote access to physical SIM hardware connected to telecom networks in multiple regions.
Infrawatch identified 94 SIM farm deployments across 17 countries connected via software operated by a Belarus-based provider called ProxySmart.
The article continues below
Facilitation of fraud on a large scale
The deployments were supported by 24 commercial providers selling access to SIM connectivity across Europe, North America and South America.
The network offers connections to 35 mobile operators, including major UK carriers such as Three, O2, EE and Vodafone. US connectivity was also widely available, with infrastructure spread across 19 states allowing attackers to pose as legitimate domestic users.
SIM farms consist of racks with SIM cards or mobile devices that can be remotely controlled at scale. These are commonly used to bypass phone-based verification methods, including SMS OTPs used during logins or payments.
Their ability to mimic legitimate consumer connections makes it difficult for service providers to distinguish malicious traffic from normal mobile activity.
Technical analysis performed by Infrawatch found that the ProxySmart platform supports automated IP rotation, remote device management, and network fingerprint spoofing. This allows operators to maintain continuous access to telecommunications infrastructure while reducing the chances of detection.
Investigators also found that services selling access to ProxySmart-supported SIM farms are promoted through online forums and messaging platforms.
Many of these services operate without customer identity checks, accept cryptocurrency payments, and are structured to reduce visibility to enforcement systems.
Blocking SIM farm activity is difficult because mobile operators assign a single IP address to multiple customers, making it difficult to separate legitimate users from malicious actors using IP-based filtering methods.
“SIM farms have been largely overlooked as criminal infrastructure to date – partly because the UK is the only country to ban them, making global law enforcement difficult,” said Lloyd Davies, founder and CEO. Infrawatch.
“This study highlights a significant resilience gap that leaves organizations and users more vulnerable to fraud and online harm. The global ecosystem of SIM farm operators and monetization services is highly sophisticated and serves as a foothold in telecommunications networks across Europe, the Americas and South America for bad actors.”
The investigation began with the discovery of a UK-based SIM farm service and expanded into a broader mapping effort that revealed the extent of the ProxySmart ecosystem.
The findings were shared with relevant law enforcement agencies and regulatory authorities prior to publication.
“ProxySmart is openly advertised as a SIM Farm-as-a-Service, and unfortunately it’s not hype or marketing. These are serious operators who have perfected a model that makes it easy to run a SIM farm from end to end: from offering remote assistance for setting up racks of modems to a dedicated software for remote infrastructure management and anti-bot countermeasures,” Davies added.
“The legal gray area in which SIM farms find themselves has allowed that model to scale with limited disruption, and we believe it will most likely facilitate large-scale fraud operations today.”
With dozens of implementations already identified across multiple regions, the research shows how remote access telecommunications infrastructure is being commercialized and repurposed to support fraud, account abuse and automated online activity.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
