A University of California San Diego student named Richard Yuan Li was indicted on August 26th for a SIM swapping scheme that involved stealing phone numbers and accounts and extorting at least 40 people for cryptocurrency and other payments, according to a new release the US Department of Justice shared on Monday.

According to the indictment (PDF), Li convinced Apple customer service in 2018 to send him a replacement iPhone 8 for one he claimed was lost in the mail. Li and others then convinced carriers to port victims’ phone numbers to the iPhone 8 to take control of their accounts — and in some cases, drained their crypto wallets directly.

“Li and his co-conspirators contacted victims and demanded that they pay ransoms in order to avoid further harm, including additional account compromises, the loss of additional cryptocurrency, and the release of victims’ confidentiality information the conspirators obtained,” the DOJ writes.

If Li is convicted for all counts, including wire fraud, aggravated identity theft, and “conspiracy to engage in interstate communication with intent to extort and to commit computer fraud and abuse,” he could serve 20 years in prison and pay a fine up to $250,000, among other possible charges.

SIM swapping is the practice of stealing someone’s identity by assuming their phone number. Typically, numbers from unsuspecting victims are ported over to burner phones — often by asking carriers to do it — and then scammers use those phones to impersonate the victim and seize control of their online accounts. Li’s case is an unfortunate reminder of how common SIM swapping is. In 2019, it even happened to Twitter CEO Jack Dorsey.

Phone numbers being the key ingredient for identity theft has a lot to do with the common way two-factor authentication is set up. By default, many online services offer two-factor authentication but use a mobile phone as the second method for identifying someone. With stolen phone numbers, that can just as easily become a foothold to taking over someone’s account.