Cellular coup stopped: What 300,000 rogue SIM cards could do to New York City and other U.S. cities

In Featured News by Wireless Estimator

What the Secret Service quietly dismantled in New York wasn’t just another spam mill—it was a city-scale telecom weapon in the making. What began as a cache of roughly 100,000 SIM cards—and may now reach 200,000—was paired with racks of SIM servers capable of impersonating an army of phones, flooding towers and other cell sites, and choking off everyday calls, texts, data, and even access to 911. Taking it down before activation wasn’t routine cybercrime work; it was critical infrastructure defense, averting a scenario in which bad actors could have triggered rolling outages across the five boroughs at a time of their choosing. This deeper dive by Wireless Estimator looks at what the agents found, why doubling the SIM count magnifies the threat, how many radio “targets” New York actually has, and what safeguards—imperfect as they are—can keep a copycat operation from pulling the plug on the city or anywhere else in the country.

Image caption: The cache began at roughly 100,000 SIM cards and may now reach 300,000, as reported by CBS News. It was paired with racks of SIM servers capable of impersonating an army of phones and flooding towers and other cell sites, including rooftop sites on NYC apartment buildings.

What was first described last week as a cache of roughly 100,000 SIM cards seized in New York City has now been reassessed as possibly 300,000 after follow-on leads developed since the initial discovery. That escalation isn’t cosmetic; it materially changes the scale of the risk scenario—and the urgency of hardening the city’s and the nation’s mobile networks.

How the Secret Service found it

According to law enforcement accounts, investigators followed a trail from high-volume spam/swatting activity to “SIM-farm” hardware, racks of networked SIM servers, and pallets of prepaid SIMs, spread across multiple commercial and residential locations. The gear mimics tens of thousands of phones at once, enabling mass calling/texting or rapid SIM rotation to evade filters. Once agents tied the traffic patterns to specific premises, coordinated seizures removed the equipment before it could be activated on a large scale.

What 300,000 SIMs could do

The Secret Service found MVNO MobileX’s SIM cards in an abandoned apartment building along with racks of servers. MobileX uses Verizon’s mobile network.

A SIM farm can behave like a botnet of phones. Burst traffic (calls/SMS/data session attempts) from hundreds of thousands of lines can saturate radio sectors and core signaling, causing calls to fail, texts to stall, and mobile data to time out.

An operator can concentrate traffic on specific neighborhoods or critical areas (such as the financial district, Midtown, bridges/tunnels, or hospitals), creating rolling outages and cascading spillover to adjacent sites.

Even with public-safety prioritization, extreme congestion can degrade civilian access to 911 and hamper incident coordination if spillover affects support systems and non-priority users who relay information.

With this many lines, attackers can swap SIM identities, shift towers, and throttle/burst to duck throttles—extending disruption windows beyond a quick spike.

How many cell sites does NYC actually have?

A precise, public, real-time count doesn’t exist, but a reasonable, planning-grade snapshot looks like this across the five boroughs:

Macro & rooftop sites: On the order of 2,000–4,000 locations (many are rooftop arrays rather than freestanding towers; each site typically hosts multiple carriers and sectors).

Outdoor small cells/5G nodes: 7,000+ already installed citywide over the past decade, with additional thousands coming via new 5G pole programs (Link5G and carrier-owned nodes).

Indoor/DAS and venue systems: Hundreds of multi-carrier systems in transit hubs, stadiums, airports, hospitals, and large office/residential complexes.

Even at the low end of these ranges, a 300,000-SIM botnet dwarfs the available radio “entry points.” It needn’t aim for one-to-one saturation; overwhelming a subset of high-load sites can induce cascading failures and region-wide user pain.

What can help right now?

Real-time anomaly detection. Carriers tune analytics to flag abnormal signaling spikes, SMS TPS (transactions per second), and synchronized call attempts across many SIMs and sectors; auto-rate-limit when thresholds are crossed.

Prioritization & preemption. Ensure FirstNet/Verizon Frontline/priority SIMs preempt non-priority traffic under stress; verify cell-site configs so 911 and public-safety traffic stays serviceable during overloads.

Bulk-SIM controls. Tighten MVNO/MNO onboarding, velocity limits, and “know-your-customer” checks; block SIM-server fingerprints (IMEI/SIP/behavioral patterns) and fast-revoke suspect batches.

Inter-carrier + government coordination. Shared alerts and playbooks (DHS/CISA + carriers) for telecom DDoS, including joint throttling actions and rapid law-enforcement takedowns.
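One way to express the "SIM-server fingerprint" idea from the bulk-SIM controls item above is to count how many distinct SIM identities one radio device presents within a window. This is an added example, not code from any carrier or from the investigation; the record layout, device names, window, and threshold are assumptions, and it presumes the hardware reports a stable device identifier.

```python
from collections import defaultdict, deque

def sample_attaches():
    """Constructed attach records: (t_seconds, device_id, imsi)."""
    rows = [(0, "handset-1", "sim-a"), (5000, "handset-1", "sim-b"),
            (9000, "handset-1", "sim-a")]                      # dual-SIM phone
    rows += [(600 * i, "handset-2", f"travel-{i}") for i in range(3)]
    rows += [(120 * i, "modem-1", f"bulk-{i:03d}") for i in range(40)]
    return rows

def imsi_fanout(attaches, window_s=3600, max_imsis=3):
    """Return {device: peak distinct IMSIs in any window} for devices above max_imsis."""
    by_device = defaultdict(list)
    for t, device, imsi in attaches:
        by_device[device].append((t, imsi))
    flagged = {}
    for device, rows in by_device.items():
        rows.sort()
        window = deque()            # attaches still inside the sliding window
        counts = defaultdict(int)   # imsi -> occurrences inside the window
        peak = 0
        for t, imsi in rows:
            window.append((t, imsi))
            counts[imsi] += 1
            # Expire attaches that are window_s or more seconds old.
            while window[0][0] <= t - window_s:
                _, old = window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            peak = max(peak, len(counts))
        if peak > max_imsis:
            flagged[device] = peak
    return flagged

if __name__ == "__main__":
    # Only the constructed modem that rotates a new SIM every 120 s is flagged.
    print(imsi_fanout(sample_attaches()))
```

The threshold sits above what a dual-SIM phone or a traveler swapping a few SIMs would produce, which is the collateral tradeoff the article raises: set it too low and legitimate devices get blocked.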

Why it’s difficult

Legitimate look-alikes. Each SIM authenticates like a real subscriber; defenses often kick in after cell sites and cores absorb load.

Scale vs. response time. With 100k–300k lines, attackers can move faster than blacklist propagation and distribute across many cells to stay under local thresholds.

Collateral tradeoffs. Aggressive throttling risks blocking legitimate high-volume senders (such as alerts, ticketing, and hospitals) or degrading the customer experience if triggers are too sensitive.

Shadow mobility. SIM farms can re-home to new cells/frequencies, rotate hardware, or split traffic across boroughs to outlast localized countermeasures.
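The anomaly-detection item and the "scale vs. response time" point above describe the same gap: a burst spread thinly over many cells stays under each cell's local threshold, yet is visible when attempts are grouped by SIM batch across sectors. The following is an added illustration, not carrier code; the record fields, batch labels, provisioning counts, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

WINDOW = 10  # seconds per time bucket

def sample_events():
    """Constructed records: (t_seconds, imsi, cell_id, sim_batch)."""
    cells = [f"cell-{i:02d}" for i in range(12)]
    events, n = [], 0
    # Background: 3 attempts per cell per window from a large retail batch.
    for t in range(0, 60, WINDOW):
        for cell in cells:
            for k in range(3):
                events.append((t + k, f"retail-{n:04d}", cell, "retail-A"))
                n += 1
    # Burst: 60 SIMs of one bulk batch fire in the same window, 5 per cell.
    for i in range(60):
        events.append((30 + i % WINDOW, f"bulk-{i:04d}", cells[i % 12], "bulk-X"))
    return events

def per_cell_alerts(events, cell_threshold):
    """Local view: (bucket, cell) pairs whose attempt count exceeds the threshold."""
    counts = defaultdict(int)
    for t, _imsi, cell, _batch in events:
        counts[(t // WINDOW, cell)] += 1
    return sorted(key for key, c in counts.items() if c > cell_threshold)

def batch_sync_alerts(events, batch_sizes, min_sims=50, min_fraction=0.5, min_cells=8):
    """Network view: batches where most SIMs attempt in one window across many cells."""
    sims, cells = defaultdict(set), defaultdict(set)
    for t, imsi, cell, batch in events:
        key = (t // WINDOW, batch)
        sims[key].add(imsi)
        cells[key].add(cell)
    alerts = []
    for (bucket, batch), active in sorted(sims.items()):
        spread = len(cells[(bucket, batch)])
        fraction = len(active) / batch_sizes[batch]
        if len(active) >= min_sims and fraction >= min_fraction and spread >= min_cells:
            alerts.append((bucket, batch, len(active), spread))
    return alerts

if __name__ == "__main__":
    ev = sample_events()
    sizes = {"retail-A": 1000, "bulk-X": 60}  # constructed provisioning counts
    print("per-cell alerts:", per_cell_alerts(ev, cell_threshold=10))
    print("batch alerts:", batch_sync_alerts(ev, sizes))
```

With a per-cell threshold of 10 nothing fires locally, while the batch view reports one window in which every SIM of the bulk batch was active across all 12 cells, which is the kind of result that would feed a fast revoke of that batch.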

If the NYC and New Jersey cache is truly closer to 300,000 SIMs, the threat profile shifts from “severe” to “unprecedented.” Carriers can mitigate the damage with more intelligent detection, strict bulk-SIM governance, and firm priority/preemption policies—but a determined, at-scale SIM botnet remains a challenging problem that demands swift, coordinated technical and law enforcement action.

Here’s the sobering math

A city-scale SIM farm of roughly 300,000 lines demands multi-site hardware and logistics before it ever sends traffic. Planning-grade estimates put one-time setup (hundreds of SIM-server/modem banks, antennas, racks, power/cooling, spares, facility build-outs, plus SIM plastic/activations) at roughly $7.5M to $19M, all-inclusive. The footprint must be split across many locations to avoid easy detection, which drives costs higher than a single “warehouse” build.

The real bill hits in operations once the network runs “hot.” Three months of service to generate sustained call/SMS/data load across 300k lines would likely total $11M–$45M, driven mainly by carrier usage fees ($3M–$12M per month), plus backhaul/site costs and the staffing/logistics for constant SIM rotation and evasion. Setup, plus three months, pencils out to roughly $19M on the low end, $36M mid-range, and $64M for an aggressive deployment—figures consistent with backing from well-resourced criminal syndicates or state-linked actors, not hobbyists.

Who could fund that?

Two buckets can finance this criminal enterprise: large, revenue-motivated criminal syndicates and state-linked actors with strategic aims. The former have cash flow from fraud (smishing, account takeovers, grey-route messaging, ransom-driven telephony denial of service) and use shell companies and straw buyers to hoard SIMs and leases.

The latter have the patience and budgets to underwrite multi-site infrastructure for disruption, collection, or influence operations, and to absorb months of sunk cost while staying quiet. The geographic spread, equipment volume, and timing around high-profile events are consistent with resourceful, well-organized backing—not a hobbyist crew.

Matt McCool, special agent in charge of the Secret Service’s New York field office, informed journalists that it couldn’t be understated what this system is capable of doing, and it would be unwise to think that there aren’t other networks out there being made in different cities in the United States.

Carrier responses

There’s no official, public breakdown of how many of the 300,000 SIM cards seized in NYC and New Jersey were actually activated versus stockpiled. However, even inactive SIMs can be activated in bulk very quickly, which is why Secret Service investigators flagged the cache as a serious capacity threat despite the uncertainty.

As of today, none of the “big three” carriers has issued a formal, on-record statement regarding the NYC SIM-farm bust—Verizon and AT&T offered no immediate comment when asked, and no attributable statement from T-Mobile has surfaced—while MVNO MobileX acknowledged some of its SIMs were among those seized and said it is cooperating with investigators and actively blocking suspicious activity.

MobileX utilizes Verizon’s mobile network and doesn’t disclose its subscriber count; however, in a January interview with LightReading, CEO Peter Adderton stated that it was in the “tens of thousands.” The mobile service is sold in Walmart and starts at below $4.00 per month.