Account Takeover Case StudiesWhat Do ATO Attacks Actually Look Like in Practice?

Why Case Studies Can Help You Understand Account Takeover

Nearly one in three Americans — and more than eight in ten US businesses — have fallen victim to an account takeover attack in the past. But statistics only tell the story in aggregate.

Let’s be clear: account takeover fraud isn’t a theoretical threat. An attack can happen to you or your business, no matter how prepared you are. And, if you’re unlucky enough to fall victim, you could lose hundreds of thousands or even millions of dollars.

But, what exactly happens to the merchants and individuals who suffer from these attacks? And who are these fraudsters anyway? These are the kinds of questions that can be best illustrated with a couple of basic account takeover case studies.

In this chapter, I wanted to detail two specific examples of account takeover fraud, to help you understand the bigger picture.

Fraud Ring Carries Out $500,000 Cellphone Account Takeover Attack

Between June 2017 and December 2019, a three-member criminal fraud ring based in New York and New Jersey carried out account takeover attacks across the United States.

The heist was straightforward. According to a press release by the United States Attorney’s Office for the Southern District of New York, criminals would use “stolen identity information to impersonate a victim who had a cellphone account with a particular cellphone service provider.” Then, the trio would use “social engineering techniques to take over accounts…belonging to victim accountholders.”

Once inside, the fraudsters would purchase “new electronic devices — typically but not exclusively iPhones — which they charged to victim accounts, without the knowledge or consent of victims.”

The trio were eventually apprehended by special agents working for Homeland Security Investigations (HSI), a law enforcement branch of the US Department of Homeland Security. By that point, 32-year-old Henry Perez, 21-year-old Ashley Gomez, and 23-year-old Misty Alizette Infante were discovered to have stolen over $500,000 in new devices; half of their $1 million goal.

Defendant Name	Age	Charges & Maximum Penalties
Henry Perez	32	Wire fraud (20 years); Wire fraud conspiracy (20 years); Computer intrusion (10 years); Computer intrusion (5 years); Aggravated identity theft (2 years mandatory minimum); Aggravated identity theft (2 years mandatory minimum).
Ashley Gomez	21	Wire fraud (20 years); Wire fraud conspiracy (20 years); Aggravated identity theft (2 years mandatory minimum).
Misty Alizette Infante	23	Wire fraud (20 years); Wire fraud conspiracy (20 years); Aggravated identity theft (2 years mandatory minimum).

Alabama Man Manipulates Bitcoin Prices by Hacking SEC’s X.com Account

In January 2024, 25-year-old Athens, Alabama resident Eric Council Jr. conducted a SIM swapping attack. This allowed him to take over the US Security and Exchange Commission's (SEC’s) official account on short-form social media platform X (formerly known as Twitter).

Once logged in, Council “falsely announced that the SEC approved BTC Exchange Traded Funds, a decision highly anticipated by the market.” According to a press release published by the US Department of Justice’s Office of Public Affairs, Council’s fraudulent post caused the price of Bitcoin, the world’s oldest cryptocurrency, to spike by more than $1,000 per coin.

Once the SEC regained access to their account and clarified that Council’s post was unauthorized, the price of a Bitcoin subsequently fell by $2,000. In other words, this attack led to net losses for all Bitcoin holders around the world.

Council was sentenced in May 2025 to 14 months in prison, plus three years of supervised release, for his involvement in the “deliberate [account] takeover of a federal agency’s official communications platform.”

Next Chapter

How to Identify Account Takeover

Read More