Poland’s cybercrime police say they have arrested four suspects in a major investigation into cyberattacks, SIM swap fraud, crypto theft, and money laundering, with support from the FBI and Homeland Security Investigations and oversight from Kraków prosecutors.
- Four suspects were arrested
- CBZC announced the operation on June 25
- SIM swaps and social engineering were allegedly used
- Tens of millions of Polish zlotys were allegedly laundered
- ZachXBT linked one detainee to “Merry,” but that is unconfirmed
Poland’s Central Cybercrime Bureau (CBZC) said on June 25 that it detained four people accused of being part of a criminal network involved in cyberattacks, digital asset theft, and large-scale money laundering. The case is being handled with support from the FBI and Homeland Security Investigations, while prosecutors in Kraków are overseeing the legal side of the investigation.
The alleged method is grimly familiar. Police say the group used specialized software and social engineering to target telecom-related systems and employee email accounts, then carried out SIM swap attacks to take over victims’ phone numbers. Once an attacker controls a number, SMS messages and account recovery codes can be intercepted. That can be enough to reset passwords, break into email, and then move into crypto exchange accounts if security is weak enough.
SIM swap fraud is a technique in which criminals convince or manipulate a mobile carrier into transferring a victim’s phone number to a SIM card they control. It is old-school identity theft with a modern phone bill attached, and it remains one of the ugliest shortcuts in crypto crime because so many services still lean on phone numbers for recovery and verification.
That is the real takeaway here: the blockchain usually is not the part getting “hacked.” The weak point is often the messy layer around it: phone numbers, email accounts, recovery systems, and whoever thought SMS was a serious security strategy in 2026. Spoiler: it isn’t.
According to the police account, once communications were compromised, crypto exchange accounts became easy targets. The stolen funds were then allegedly moved through domestic and international bank accounts, payment platforms, and multi-currency digital wallets. Authorities say the laundering total reached tens of millions of Polish zlotys.
That kind of movement is exactly why these cases are hard to unwind. Criminals do not usually leave stolen crypto sitting in one wallet with a little neon sign on it. They split it up, swap it around, and push it through a maze of accounts and platforms to make the money look less suspicious. Layering is the whole game.
Polish courts approved pre-trial detention for all four suspects, and the alleged offenses could carry penalties of up to 25 years in prison. That is serious exposure, which suggests authorities view this as organized cybercrime rather than a handful of opportunists running a sloppy side hustle.
There is also an unconfirmed claim that will attract attention in crypto circles. On-chain investigator ZachXBT separately suggested that one detainee may be the Polish social engineering threat actor known as “Merry.” Authorities have not confirmed any identities, so that should be treated as an allegation, not a fact.
ZachXBT has built a strong reputation for tracing stolen funds and spotting patterns on public blockchains, but on-chain analysis is not a conviction. It can produce leads, map laundering paths, and help investigators connect dots that would otherwise stay hidden. It still does not replace off-chain evidence, witness statements, telecom records, or the unglamorous police work that actually closes cases.
The reported involvement of the FBI and Homeland Security Investigations points to a cross-border case. That usually means the suspects, victims, infrastructure, or cash-out routes stretched beyond Poland. Cybercrime rarely respects borders, which is convenient for criminals and deeply annoying for everyone trying to put the pieces back together.
Authorities have not released the detainees’ identities, details about victims, specific exchange accounts, or any seized assets while the investigation continues. That kind of restraint is normal in a live international case, especially when prosecutors and investigators may still be mapping out the wider network.
The practical lesson is blunt. If your security still depends on SMS, you are handing attackers a weak point they know how to exploit. App-based authenticators and hardware security keys are far stronger than text messages, because phone numbers can be stolen, ported, or redirected with alarming ease. In crypto, the chain may be transparent, but the real damage often starts somewhere much less glamorous, like your carrier account or inbox.
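An added example (not from the article or the investigation): one way an exchange could act on this, assuming it can learn when a customer's SIM last changed, for instance from a carrier lookup. The event names, thresholds and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy values (illustrative, not from the article).
SIM_CHANGE_COOLOFF = timedelta(hours=72)  # distrust SMS after a SIM/port change
CHAIN_WINDOW = timedelta(hours=24)        # reset -> withdrawal correlation window

# Constructed sample events: (timestamp, account, event_type)
EVENTS = [
    ("2026-01-10T09:00", "alice", "sim_change"),
    ("2026-01-10T09:20", "alice", "sms_password_reset"),
    ("2026-01-10T09:45", "alice", "withdrawal"),
    ("2026-01-02T08:00", "bob", "sim_change"),
    ("2026-01-09T12:00", "bob", "sms_password_reset"),
    ("2026-01-09T12:30", "bob", "withdrawal"),
    ("2026-01-11T10:00", "carol", "withdrawal"),
]

def sms_recovery_allowed(last_sim_change, now):
    """Gate SMS-based recovery: refuse while the number was recently re-issued."""
    return last_sim_change is None or now - last_sim_change >= SIM_CHANGE_COOLOFF

def detect_takeover_chains(events):
    """Flag accounts showing sim_change -> SMS reset -> withdrawal in quick succession."""
    last_sim, risky_reset, alerts = {}, {}, []
    for ts, account, kind in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if kind == "sim_change":
            last_sim[account] = when
        elif kind == "sms_password_reset":
            # A reset the cool-off gate would have refused is treated as suspicious.
            if not sms_recovery_allowed(last_sim.get(account), when):
                risky_reset[account] = when
        elif kind == "withdrawal":
            reset = risky_reset.get(account)
            if reset is not None and when - reset <= CHAIN_WINDOW:
                alerts.append((account, ts))
    return alerts

if __name__ == "__main__":
    for account, ts in detect_takeover_chains(EVENTS):
        print(f"ALERT {account}: withdrawal at {ts} follows SMS reset after SIM change")
```

In the sample data only the first account is flagged: the second account's reset comes a week after its SIM change, outside the cool-off, and the third has no reset at all.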
Key takeaways
- Was this a blockchain hack?
  No. The alleged attack chain centers on social engineering, SIM swaps, and account takeover, not a flaw in the blockchain itself.
- Did Polish police confirm four arrests?
  Yes. CBZC said four suspects were detained, with support from the FBI and Homeland Security Investigations.
- Is “Merry” confirmed as one of the suspects?
  No. That claim came from ZachXBT and has not been confirmed by authorities.
- Why are SIM swaps such a problem in crypto crime?
  Because control of a phone number can let attackers intercept SMS codes, reset passwords, and take over email and exchange accounts.
- Why should crypto users care if the theft happened off-chain?
  Because many losses begin with weak account security, not smart contract failures. A compromised phone number or inbox can be enough to drain exchange-linked funds.