By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: SecurityScorecardPublished November 5, 2025

TL;DR: A Secret Service takedown uncovered a SIM farm with 300 SIM servers, over 100,000 active SIM cards, and infrastructure capable of sending 30 million text messages per minute, according to SecurityScorecard’s reporting on the CBS News New York segment. The case shows how telecommunications abuse can create emergency-communications risk that security and resilience teams cannot ignore.


At a glance

What this is: A Secret Service investigation uncovered a large SIM farm in the New York tri-state area with scale capable of overwhelming mobile networks and emergency communications.

Why it matters: It matters because telecom abuse can become a real-world resilience and crisis-response issue, and identity and access teams need to understand how high-volume infrastructure can be misused to amplify disruption.

By the numbers:

  • Investigators seized 300 SIM servers, over 100,000 active SIM cards, and infrastructure capable of sending 30 million text messages per minute.
  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.

👉 Read SecurityScorecard's coverage of the Secret Service takedown and telecom disruption risk


Context

Telecommunications abuse becomes a governance problem when the infrastructure is large enough to flood networks, degrade emergency access, or interfere with incident response. In this case, the reported SIM farm was not just a nuisance service, but a scale event that could have affected public safety communications during a high-profile gathering in New York.

The identity angle is indirect but real. Large pools of SIMs, phones, servers, and remote-control infrastructure rely on provisioning, credential handling, and access management, even when the primary risk sits in telecom resilience rather than enterprise IAM. That makes this relevant to teams that govern service access, third-party dependencies, and operational continuity.


Key questions

Q: What breaks when large telecom asset pools are not tightly governed?

A: When a large pool of SIMs or communication devices can be activated at once, attackers can generate enough traffic to saturate networks, delay calls, and disrupt emergency coordination. The failure is not only technical congestion. It is the absence of ownership, rate limits, and shutdown authority across the asset pool.

Q: Why do pooled telecom identities increase operational risk?

A: Because the risk scales with coordinated activation, not with a single device. One operator with access to many SIMs, servers, or modems can create disproportionate impact by turning ordinary communications infrastructure into a volume-based disruption tool. That is the same governance problem seen in unmanaged machine identity estates.

Q: How can security teams measure whether telecom abuse controls are working?

A: Track whether abnormal SMS or call volume is detected before service degradation, whether every high-volume asset has an owner, and whether shutdown actions can be executed quickly. If alerts arrive after congestion starts, the controls are too weak for a public-safety scenario.

Q: Who is accountable when telecom saturation threatens emergency communications?

A: Accountability should sit with the owners of the infrastructure, the operators who can activate it, and the resilience function that tests the failure scenario. If third parties can provision the assets, contractual offboarding and emergency disablement rights also need clear responsibility.


Technical breakdown

How SIM farms create telecom congestion at scale

A SIM farm is an industrialised set of SIM cards, modems, and servers used to generate large volumes of calls or texts from many identities at once. The operational effect is not subtle: traffic bursts can consume signalling capacity, saturate call handling, and make legitimate communications harder to complete. When scaled across thousands of endpoints, the attack resembles distributed abuse of a shared communications fabric rather than a single-source spam event. The risk rises sharply in dense urban areas or during major events, where emergency response depends on reliable mobile connectivity.

Practical implication: telecom operators should monitor abnormal high-volume SMS and call patterns as capacity and safety events, not just nuisance traffic.

Why remote control and pooled identities matter in telecom abuse

The threat is amplified when a single operator can control many SIMs remotely. That creates a pooled-identity problem similar to NHI sprawl in enterprise environments, where the question is not whether one credential is dangerous, but how much damage a large unmanaged set can cause when activated together. In telecom abuse, the control surface includes provisioning, network registration, device management, and remote orchestration. Once those are aggregated, the system can behave like a privately owned denial-of-service platform.

Practical implication: teams need inventory, ownership, and rate-limiting controls for high-volume telecom assets, especially where remote orchestration is possible.

How emergency communications become the real target

The direct objective is often not service destruction for its own sake, but interference with public response. Flooding cell towers or message pathways can delay 9-1-1 calls, break situational awareness, and slow rescue coordination. That shifts the issue from ordinary abuse into critical infrastructure resilience. The broader lesson is that attacker value can come from timing and location as much as from payload, especially when the infrastructure sits near a major event or a concentration of officials and responders.

Practical implication: resilience planning should treat telecom saturation as a public-safety failure mode and include emergency-communications dependencies in scenario testing.


Threat narrative

Attacker objective: The objective was to create large-scale communications disruption at a politically sensitive moment, with emergency-response interference as the likely payoff.

  1. Entry occurred through a large, distributed SIM infrastructure operating across abandoned apartments and controlled remotely as a pooled telecom asset.
  2. Escalation came from the ability to coordinate over 100,000 active SIM cards and drive traffic at a volume capable of overwhelming normal network behaviour.
  3. Impact would have been disruption of cell service, including interference with first responders and emergency calls during a major international gathering.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Telecom abuse is a pooled-identity problem, not just a network problem. When one operator can coordinate hundreds of servers and more than 100,000 active SIM cards, the real governance issue is how many identities and devices can be triggered together. That is structurally similar to unmanaged NHI sprawl in enterprise environments, where scale creates blast radius faster than individual controls can respond. Practitioners should assess pooled identity risk as an operational resilience issue.

High-volume communications assets need lifecycle control, ownership, and rate governance. A SIM farm behaves like a large unmanaged access estate when no one can prove who owns each asset, how it is provisioned, or when it should be disabled. This is where identity governance intersects with telecom security: control is not only about blocking bad traffic, but about preventing uncontrolled aggregation of identities that can be switched on at once. Practitioners should map ownership and revocation paths for any remotely orchestrated communications asset.

Critical infrastructure incidents now include identity-like abuse of infrastructure assets. Even though this is not a classic IAM breach, the attack pattern still depends on the same structural failure: too many assets, too little visibility, and insufficient control over activation. That makes the case relevant to NHI governance teams because the security question is no longer just authentication, but whether any large pool of machine-controlled assets can be mobilised faster than defenders can detect. Practitioners should extend governance thinking beyond corporate accounts to any remotely controlled service fleet.

Telco resilience planning should treat emergency communications as a protected business function. The most serious consequence in this case was not spam volume, but the possibility of suppressing 9-1-1 and first-responder communications during a high-stakes event. That means security leaders need to fold telecom saturation scenarios into crisis planning, continuity testing, and third-party risk review. Practitioners should test how quickly critical voice and text channels degrade under deliberate volume abuse.

Identity security teams should borrow the NHI lesson: visibility matters only if it includes activation context. Knowing that assets exist is not enough. The question is whether those assets can be mass-activated, by whom, under what conditions, and with what rate limit. The same governance gap appears in service accounts, API keys, and tokens when organisations inventory credentials but never model how many can be abused in parallel. Practitioners should evaluate activation density, not just asset count.

From our research:

What this signals

Activation density is the new resilience signal. Organisations rarely fail because they cannot list assets. They fail because they cannot see how many assets can be triggered together, by whom, and within what time window. That same pattern appears in NHI estates, where a long inventory can still hide an unsafe concentration of usable identities. For governance teams, the right question is whether an asset pool can be mobilised faster than defenders can interrupt it.

Telecom abuse also reinforces a broader lesson for identity programmes: visibility without operational context is incomplete. NHI estates, service accounts, and remotely controlled infrastructure all need ownership, revocation paths, and rate governance, not just discovery. If your programme can identify assets but cannot stop bulk activation, you still have a control gap.


For practitioners

  • Inventory remotely controlled telecom assets Build a complete register of SIM servers, modems, phone banks, and any remote orchestration endpoints, then assign an accountable owner for each cluster. Include location, supplier, purpose, and shutdown authority so abnormal concentration can be removed quickly.
  • Set volume thresholds for abuse detection Define alerting for SMS, call, and registration rates that exceed normal operational baselines, and tie those alerts to incident response playbooks. High-volume message generation should be treated as a resilience event, not a routine spam problem.
  • Test emergency-communications failure scenarios Run exercises that assume cell congestion or mass SMS flooding during a major event, and validate fallback voice, radio, and coordination paths. Include public-safety dependencies and escalation routes in the scenario.
  • Review third-party telecom exposure paths Assess whether vendors, resellers, or managed service providers can provision large pools of communications assets without tight revocation and rate controls. Limit remote activation rights and require rapid deprovisioning when assets are no longer needed.

Key takeaways

  • This incident shows how telecom infrastructure can be weaponised as a high-volume disruption platform rather than a single-device abuse case.
  • The scale evidence, including 300 SIM servers and more than 100,000 active SIM cards, shows why visibility and ownership are not enough without rate control.
  • The practical control lesson is to govern activation density, shutdown authority, and emergency fallback paths before volume abuse becomes a public-safety issue.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Asset ownership and access governance are central to controlling pooled telecom infrastructure.
NIST SP 800-53 Rev 5AC-6Least privilege applies to remote orchestration of large communications fleets.
CIS Controls v8CIS-5 , Account ManagementAccount and operator governance matters for any remotely controlled communications platform.
MITRE ATT&CKTA0040 , Impact; TA0010 , ExfiltrationThe case is about disruptive impact through volume abuse, with possible misuse of messaging channels.

Model telecom flooding scenarios as impact-driven tactics and validate detection before service loss.


Key terms

  • SIM Farm: A SIM farm is a concentrated setup of SIM cards, modems, and servers designed to control many mobile identities at once. It can be used for legitimate testing, but in abuse scenarios it becomes a high-volume communications platform that can flood networks or automate mass messaging.
  • Activation Density: Activation density is the number of usable identities or devices that can be triggered in parallel from a shared control plane. In telecom abuse and NHI governance alike, it matters because the blast radius grows when many assets can be activated together faster than defenders can intervene.
  • Emergency Communications Resilience: Emergency communications resilience is the ability of voice, text, and dispatch systems to stay available during congestion, disruption, or targeted abuse. It combines technical capacity, fallback channels, and operational planning so critical response functions continue when public networks are stressed.

What's in the full analysis

SecurityScorecard's full article covers the operational detail this post intentionally leaves for the source:

  • The CBS News New York segment context and SecurityScorecard CISO commentary that frame the incident for public audiences.
  • The investigation timeline and how federal agents linked the telecom threat to the New York tri-state area.
  • The scale details of the SIM farm and the specific disruption scenarios discussed on air.
  • The broader incident response and third-party risk framing used by SecurityScorecard's STRIKE team.

👉 The full SecurityScorecard article includes the CBS News segment context, investigation details, and response framing.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It gives identity and security practitioners a structured way to govern machine-scale access across complex environments.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org