Poland Detains Four in SIM-Swap Crypto Heist, ‘Merry’ Linked

Polish authorities arrested four people on suspicion of carrying out SIM-swap attacks that targeted cryptocurrency exchange accounts, stole digital assets and laundered the proceeds, the Central Bureau for Combating Cybercrime (CBZC) said in a press release. The operation was supported by the U.S. FBI and Homeland Security Investigations.

Investigators allege the group breached IT systems of companies that work with telecommunications operators, used specialized software and social engineering to access employees' email accounts, then performed SIM swaps to clone and hijack victims' phone numbers. Those numbers were used to take control of exchange accounts and move funds out, the CBZC stated.

The bureau says the stolen assets were routed through a distributed laundering network that included personal bank accounts in Poland and abroad, international payment platforms and multi-currency digital wallets. Authorities estimate the value laundered exceeds tens of millions of Polish zlotys. All four suspects have been remanded into pre-trial detention at the request of prosecutors. Court documents list charges including participation in an organized criminal group, theft by hacking and money laundering, with potential sentences up to 25 years' imprisonment.

Onchain investigator ZachXBT posted on Telegram that one detainee is Wojtek Kulisz, who uses the online name “Merry.” The investigator pointed to designer clothing and jewelry seen in CBZC raid footage and said those items match posts on Kulisz's public Instagram account. Polish authorities have not confirmed the identities of the suspects, citing the international scope of the probe and ongoing legal procedures.

The CBZC declined to disclose which exchanges or specific accounts were affected or to provide a timeline for the attacks. The bureau described the case as organized criminal activity that combined technical tools and human-targeted deception to bypass security tied to mobile phone numbers.

SIM-swap attacks typically involve persuading a mobile carrier to transfer a victim's phone number to a device controlled by the attacker. With control of the number, attackers can intercept one-time passwords and account recovery messages used for two-factor authentication, then reset credentials on email or exchange accounts and withdraw funds.

ZachXBT is an onchain investigator who analyzes blockchain transaction records and public materials to trace stolen funds and link online personas to real-world identities. The CBZC said the investigation involved international cooperation with U.S. federal law enforcement to trace cross-border elements and that further actions to identify victims and recover assets are under way.