Poland Arrests 4 Suspects in SIM-Swap Crypto Theft Tied to ‘Merry

Polish authorities have arrested four people connected to a SIM-swap scheme targeting cryptocurrency holders. The case drew wider attention after blockchain investigator ZachXBT publicly linked a threat actor known as “Merry” to the operation.

The arrests didn’t come out of nowhere. SIM-swap fraud has been climbing for years across Europe and North America, and crypto holders have consistently been the most attractive targets. The mechanics are pretty straightforward — and pretty ugly. Attackers convince or coerce a mobile carrier into transferring a victim’s phone number to a SIM card the attacker controls. Once that’s done, any two-factor authentication code sent by text goes straight to the fraudster. Bank accounts, crypto wallets, exchange logins — all of it becomes accessible in minutes. Polish investigators say the suspects used exactly that playbook, gaining unauthorized access to victims’ mobile numbers, intercepting authentication codes, and draining cryptocurrency accounts. The financial damage across cases like these tends to be severe, partly because crypto transactions are irreversible and partly because victims often don’t realize what’s happened until the funds are already gone.

Four people are now in custody.

ZachXBT’s Role and the ‘Merry’ Connection

ZachXBT, who built a reputation tracking crypto fraud through on-chain analysis and open-source investigation, put a name — or at least an alias — to part of the scheme. He alleges that a threat actor going by “Merry” played a central role in orchestrating the SIM-swap attacks. That means, per ZachXBT’s findings, Merry wasn’t just a participant but someone involved in manipulating mobile carrier systems to seize control over victims’ numbers and direct stolen cryptocurrency through the network.

Independent investigators like ZachXBT have become genuinely important in the crypto crime space. Law enforcement agencies often lack the specialized on-chain tracing skills to follow funds across wallets, mixers, and exchanges quickly enough to matter. ZachXBT’s prior work has exposed multiple high-profile scams and helped identify individuals who might otherwise have stayed anonymous behind pseudonyms and blockchain addresses. His identification of Merry as a key figure here seems to have fed directly into the Polish investigation, though authorities haven’t publicly confirmed the exact nature of that collaboration.

It’s probably worth noting that “Merry” is an alias, not a confirmed legal identity. The source didn’t specify whether any of the four arrested individuals is believed to be Merry, or whether Merry remains at large. Unclear, at this point.

What Polish Authorities Have — and Haven’t — Said

Polish law enforcement has been tight on details. No specific charges have been announced publicly. No court dates have been released. Authorities haven’t disclosed the potential scale of losses across all victims, nor have they named the suspects. What’s clear is that the operation aimed to dismantle a network — not just catch a few low-level participants — and that investigators believe the arrested individuals were part of a coordinated criminal structure.

Related: DOJ Seizes Huione Group Cloud Servers in Crypto Fraud Crackdown

That kind of restraint usually means one of two things: the investigation is still active and disclosures could compromise it, or prosecutors are still building the evidentiary case. Probably both. Further arrests can’t be ruled out, and the source left open the possibility that more details will surface as the case moves through the legal system.

The broader context matters here. Law enforcement agencies across Europe have been ramping up resources dedicated to crypto-related cybercrime, partly because the losses have become impossible to ignore and partly because international coordination has improved. Cases involving SIM-swap attacks on crypto holders have been prosecuted in the United States, the United Kingdom, and several EU member states over the past few years. Poland’s operation fits into that wider pattern — authorities working to demonstrate that anonymity in crypto crime isn’t as reliable as perpetrators assume.

ZachXBT’s involvement adds a layer that’s become more common in high-profile cases. He’s not law enforcement, can’t make arrests, and has no subpoena power. But his on-chain tracing work has a track record of getting results, and his public identification of Merry put pressure on the case in ways that formal investigations sometimes can’t move quickly enough to do on their own. Whether his findings were shared directly with Polish authorities or simply ran parallel to their work isn’t something the source made clear.

What’s not murky is the basic threat. SIM-swap attacks work because mobile carriers are a weak link in security chains that crypto users often assume are solid. Two-factor authentication via SMS — still the default for many exchanges and wallet services — can be bypassed the moment someone else controls your phone number. Hardware keys and authenticator apps offer better protection, but adoption is slow, and attackers know it.

See also: Michelle Bond Heads to November Trial After Judge Keeps Campaign Finance Charges Alive

The four suspects remain in custody. The investigation is ongoing. ZachXBT’s public allegations about Merry’s role are still just that — allegations — and the legal process in Poland will determine what actually sticks.

No additional details on charges have been released by authorities.