Braiden Williams stood in L’Arc, a highly exclusive nightclub in the heart of Paris, surrounded by half a dozen women who could be supermodels. But all Williams did was stare at his phone.
L’Arc hosts parties around Paris Fashion Week, and is often a venue of choice for celebrities like Jamie Foxx and Snoop Dogg. Williams should have felt he fitted right in—he certainly had more than enough money for the bottles of Dom Pérignon which sat in ice buckets next to him and the women. One L’Arc employee chanted the name of Williams’ crew “A C G” over and over again, before the worker put a wine glass in between his own teeth, tilted his head back, and then poured yet more Dom. At one point a group of more beautiful women holding lit sparklers glided across the dance floor as electronic music thumped. They were followed by a man holding a large sign that read “ACG” and “Braiden.” Another sign, flanked by two women holding yet more champagne, read “Braiden Run This Shit.”
Williams was the star of the night. But he looked entirely out of place. Williams had a distinctive bowl-cut. His neck jutted out like someone who hunched over their computer for much of the day. He looked like a goofy teenager rather than an experienced clubber.
ACG and Braiden weren’t L’Arc’s typical clientele. ACG is a group of alleged hackers who the FBI says are responsible for a wave of Bitcoin thefts and other crimes. Williams' group, which has around six members, are a 21st century version of bank robbers. Instead of a gang lifting physical cash from a vault, these opportunists work together to quickly take over a target’s phone number, intercept their login codes, then pilfer any cryptocurrency they own before the victim has much of a chance to react at all. Williams' role was allegedly transferring the target’s phone number to his own device in those multi-stage heists. And ACG pulled them off again and again: this trip to L’Arc and Europe, as well as Williams’ multiple high-end sports cars, was funded by those thefts.
Williams didn’t know it at that point, standing in the club in mid-2022, but soon after returning home from Europe to the U.S., he would come face to face with the FBI agents tracking him down. Instead of laying low, Williams would ramp up his activity, going beyond hacking to allegedly order physical violence and make bomb threats against universities across the country.
Williams’ crimes are not isolated to one young hacker who had more money than he knew what to do with. Nor is his story only about the rise of one group like ACG, which continues to strike fear into the broader community it is a splinter of, known as the “Comm.” Williams is part of a rapid and massive convergence between two traditionally separate sectors of crime. People like Willams have combined the frictionless, sophisticated world of cybercrime with the blunt brutality of physical violence, sprouting an entirely new area of the underground where essentially anything is possible. Hackers are no longer just people behind a keyboard. They have guns now, and innocent people are getting hurt.
Back in the nightclub, while a man next to Williams cheered on the L’Arc staff who poured the champagne, Williams continued to stare at his phone. He grinned into the device’s screen. That was his world.
Everyone in a bank job has a specific role. A SIM swapping gang is no different. SIM swapping is the technique used by hackers to seize control of a target’s phone number, and by extension, their digital life and finances. The theft starts with a “Searcher,” who breaks into a person’s email account, perhaps by using software to churn through a mass of potential passwords or buying the login credentials from another hacker. Then, acting as the hacker equivalent of a bank robber casing the joint, the Searcher rummages through the target’s inbox. They’re looking for any sign that this person owns a good amount of cryptocurrency. An email showing their Bitcoin balance; maybe a receipt from when the person previously sold some of their cryptocurrency for cash. Anything that would signal this target is worth pushing to the next step.
Once the Searcher gets a hit, they prepare to cover the gang’s tracks. They configure the inbox to hide incoming emails from the target’s Bitcoin exchange. If seen, these may warn the target something is wrong—'we’ve detected unusual activity on your account.' By automatically deleting or archiving those, the Searcher knocks out the security cameras in the bank lobby.
Next, the Caller steps in. This person is the sweetalker, the one who is going to trick the bank employees to let them into the vault. Today lots of cryptocurrency exchange accounts are protected by a second layer of security, with the user needing to receive a text message and enter a code before being able to withdraw their funds. It’s the Caller’s job to gain power over that phone number. They often do this by contacting the target’s telecom company—T-Mobile, AT&T, Verizon—and pretending to be the target. I’ve lost my phone, I need to transfer my number to a new one, they might say. The Caller then tells the telecom to port the number—swap the SIM—to a phone of their choice.
Laying in wait is the final member of the crew, the Holder. With physical possession of the phone that will become that hackers’ key to their payday, this person is the locksmith. Once the telecom ports the target’s number to the Holder’s phone, it can start to receive the login codes. The Holder then relays those codes back to the Searcher, who has since moved on to a more aggressive role. They finally enter the target’s cryptocurrency accounts, and start filling their duffel bags with Bitcoin.
Once the Bitcoin is transferred out of the target’s account and to the hackers’, the crew vanishes into thin air. Then they move onto the next job.
In summer 2021, ACG started to follow this blueprint under the direction of two leaders, who go by “exe” and “awpy.” Their rolodexes filled up with more members: NASA, synergy, nostaw, and others. They all got to work.
The following spring in a San Antonio Airbnb overlooking a dog park, Williams ferried login codes for ACG as a Holder. Armed with little more than a black iPhone 7, Williams helped empty multiple victims’ accounts on Coinbase, one of the most established Bitcoin exchanges in the U.S. There was a T-Mobile job that netted ACG $30,000. Then a second score of $200,000. In another heist, the gang robbed $153,000.
In that last case, ACG didn’t manage to stop the victim from realizing something was off. The Searcher had blocked all emails from Coinbase in the victim’s email inbox, but the hijacked Verizon phone number actually belonged to the target’s father. At 11:15pm one night in April, the father received an email from Verizon indicating his phone number was being ported to another device. Even with that glaring red flag, there wasn’t much they could do but report the theft to the local police. ACG made off with the $153,000 and kept on going.
When the Farmington Police Department (FPD) in Minnesota responded to that report, it was as if they walked into an empty bank vault, the door left wide open by the thieves in a hurry, with only a few footprints on the ground. With not much to work with, the investigators started the digital equivalent of dusting for prints—they asked Verizon which phone the victim’s number was transferred to and where it was located. That pointed to a cellphone tower in San Antonio, Texas, more than 1,000 miles away. The FPD also obtained details from Coinbase on where the Searcher had logged in from. The returned IP address led to Fullerton, California on the other side of the country.
One piece of evidence was more conclusive. The FPD in turn obtained records from Apple about the Holder device. The email linked to that phone, a court record later said, pointed to a name: Braiden Williams.
But those leads were, obviously, out of the reach of a local police department in the midwest. What was the small town agency going to do about criminals several states over? For the moment, the thieves had gotten away, already preparing for their next heist.
After the Airbnb near the dog park, Williams swapped his base of operations for a bungalow on the west side of San Antonio. By the summer, Williams’ iPhone had become something like a high traffic clearing house for ACG. Control of 30 different phone numbers flowed through the device, with each potentially carrying the lockpicks necessary to steal targets’ cryptocurrency.
As ACG raked in more scores, members celebrated. The gang arranged cash on the floor to spell #ACG. They bought masses of pills and displayed them the same way. Williams’ cut was at least $114,000. The young hacker went on a spending spree: he bought a 2015 Ford Mustang, a black 2016 Dodge Challenger, and then a second 2020 Dodge Challenger, this time in orange.
Then in mid-2022, Williams used the loot from his digital bank robberies to go big at L’Arc in Paris. Another ACG member called Joey went on their own international clubbing excursion. Just like Williams’ signs in L’Arc bigging up ACG, Joey did the same in Daisy, an exclusive venue in Toronto, Canada.
“ACG JOEY X TURF,” one sign read as staff carried the message through a cheering crowd. “TALK SHIT GET SIMMED,” another said, as two people associated with the gang looked on. They flashed their jewel-encrusted watches and bracelets, and poured glasses of champagne for women surrounding their table. The young men didn’t drink—instead, they drenched their jewelry in champagne straight from the bottle so it ran over them and into the ice bucket below. ACG made so much money now they didn’t even need to drink the Dom. This was just to flex.
A member even produced a rap track, boasting about ACG’s exploits while also dissing other SIM swappers:
Just licked the Coinbase and average SMS. If I get another G off, I’mma get depressed. This n***** Brad can’t even con a Comcast [...] I had a Verizon n***** with 500k. That n***** ran to the Verizon store the same day [...] These n****** could SE [social engineer] like me, they just need some practice [...] Don’t have ADHD but I’m still hyperactive.
This was the height of ACG’s notoriety among the wider SIM swapping and criminal hacking community. Across Discord servers and Telegram group chats, potentially thousands of people participate in what is loosely known as Comm, a nebulous network of hackers, gamers, and young girls who are sometimes targeted by other participants. ACG became the hot new group among the constant ream of chats inside Comm. Others wanted to join the outfit so much that some even pretended to be members to boast to their Telegram contacts. People wondered who this group ACG was, and where they came from.
“What is acg,” a person wrote in one massive Telegram group chat.
“Acg on fckn [fucking] top,” another account near instantly replied.
The FBI had the same question.
The Farmington Police Department may have been unable to act on the theft of $153,000 because the data pointed to suspects well outside of its jurisdiction. The FBI had no such limitation. An FBI agent in Kansas City, Missouri, who went by the initials J. F. S. reviewed what the FPD had so far—the Coinbase, Verizon, and Apple data—and also found that Williams was staying in the Airbnb just a couple of miles from the cell tower used during the theft. It wasn’t difficult; Williams seemingly hadn’t made any effort to cover his tracks. The difference between SIM swappers and other cybercriminals is not that the former is necessarily foolish. Sometimes they appear to simply not care whether they are caught.
On July 21, 2022, around a month after Williams had been living the high life in Europe, FBI agents tracked down their suspect. Immediately and voluntarily, Williams spilled everything: yes, he participated in multiple SIM swaps; yes, he was a Holder for ACG while others played the role of Callers; and he spent cash from those thefts on his international trip and vehicles. Unsurprisingly, the agents then arrested Williams. He was charged with hacking crimes and faced years in prison.
Ordinarily, that would be the end of the story. The crook might see the error of their ways, and vow to turn their life around. Maybe Williams could move into the legitimate cybersecurity industry and leave the criminal world. Or maybe he’d just go to prison for a long time and we’d never hear about him again.
Around a week later, Williams was released and managed to keep his 2020 Dodge Challenger. Initially he wasn’t allowed to use an internet capable device for any purpose than to attend court hearings via Zoom. In August a court removed some of those restrictions, meaning Williams could also stream television, or pursue education and employment opportunities.
That’s not what Williams did. Instead, Williams allegedly used his internet access and freedom to start a violent campaign of harassment against a specific target.
In the fall, Williams sent a Snapchat friend request to Rebecca (not her real name), a 15 year-old girl. For the next several months the pair chatted, court records say.
Although there is no public evidence this is what happened with Rebecca and Williams, the overriding context of many relationships inside Comm is that of members trying to control and threaten girls.
Chats from other Comm members show that at one end of the spectrum, the men get clingy and defensive, saying they somehow “own” this girl. As the scale moves further to the right, that activity becomes darker. Girls are told to write the hacker’s handle onto the body in pen. That writing can sometimes be in blood. Some of the men extort the girls to produce sexual imagery or videos, which can then be used to blackmail and control them further. On the far end of that spectrum, the men sometimes point weapons into the girl’s face, and film it for their amusement.
(The FBI has warned the public about especially insidious corners of Comm, made up of groups like “764” and “Leak Society,” that don’t just have extortion and abuse as a side effect, but a core feature of their membership. The end goal for some members is “forcing the minors they extort into committing suicide on live-stream for their own entertainment or their own sense of fame,” the FBI warning reads.)
Williams' conversations with Rebecca didn’t last much longer because Williams got into more trouble with the authorities. One night in early November, Williams drove through Iola, a tiny town in Kansas with not much to its name beyond gas stations and hotels. At around midnight, residents complained about a reckless driver on an otherwise quiet and leafy cross section of road. When local police found the vehicle, Williams did not stop, and led authorities on a 75 mile pursuit. He was arrested, let go, and then taken into custody again by U.S. Marshalls for violating his bail conditions. A judge ordered Williams be transferred back to California to face his SIM swapping charges there, and eventually, in March, 2023, Williams was released to a halfway house.
When Rebecca learned Williams was back out, she blocked him. That’s when Williams escalated. Rebecca received unsolicited food deliveries to her house in Ambler, Pennsylvania, and she thinks Williams hacked into at least one of her accounts. Then Williams went a step further, and reached out to her in the physical world.
In April, 2023, two men nervously panted as they hurried up a concrete path. Passing a small tree with bright purple flowers, they came to the house’s front door.
“Smash it, smash it,” one of the people, who was also filming the encounter, whispered. The other man, dressed in a black hoodie and jeans, was holding a brick with a piece of paper wrapped around it. He then repeatedly bashed the home’s Blink video doorbell before smashing a window and throwing the brick inside.
“Rebecca is a whore!” the first man yelled, his voice breaking. The men then turned around and ran.
Attached to the brick had been a note. “Msg us or else,” it read. When local police responded to the bricking, Rebecca's 17 year-old sister mentioned what it was all connected to: Comm, she said.
Williams' alleged connection to physical violence was part of a much broader, and bloody, trend in Comm. Not content with thefts in the digital world, hackers in groups like ACG violently robbed, attacked, and kidnapped one another for money. Someone tied a victim up and threatened to inject him with heroin unless he handed over his Bitcoin. Another man laid face down in a ditch, his head in a black hood, after being fleeced. “I promise you I do not have money,” another man in just his underwear whimpered as blood gushed from his head. “On my little brother’s soul that’s all I have,” he added. The attackers had a hammer and wore high-viz vests; in some cases, thieves have posed as police officers to gain entry to a target’s house. In another instance, a young man screamed in pain as someone cut off his ear.
Up until this point, SIM swappers typically performed heists against ordinary people who held a lot of cryptocurrency, like individual investors. But as Comm members got more and more rich, they flaunted their own new found wealth on Telegram and Discord. As well as videos of their international trips to nightclubs, members posted a constant stream of screenshots showing their current balance in Bitcoin and other cryptocurrency. To them, flexing the cash was just as an important part as actually owning it. It meant you had “made it” in Comm.
But the SIM swappers’ blatant displays showed others they were rolling in cash. SIM swappers themselves became the targets, and started using physical violence to rob one another.
A service economy emerged of people who were willing to perform these attacks for a fee or a cut of the takings. On Telegram, one group offered brickings, robberies, and kidnappings for a few hundred to thousands of dollars. Name the state, and they would see if they had people there. When the heists were digital-only, Searchers found juicy targets by rummaging through emails before bringing in a Holder to take over their phone number. Searchers now hunted for victims and then provided their details to new roles in these organizations: the Bricker. The Fighter. The Gunman.
The blast radius of that violence extended out from Comm itself and impacted other people. J. F. S., the pseudonymous FBI agent who had investigated Williams’ involvement in ACG, used initials in their criminal complaint because they believed associates of Williams were linked to swatting of U.S. law enforcement officials. Swatting is where a criminal will place a bogus phone call to emergency services in the hope of drawing a heavily armed response to a target, at minimum causing them distress but with the potential for physical harm. In one call, a Comm member called an FBI agent and repeatedly told them to shut up and said they were, in so few words, mentally disabled. Comm was so brazen that members even taunted the FBI.
That violence was now impacting ordinary people who had nothing to do with Comm: the home the two men bricked was the wrong house. Their target actually lived next door.
If that wasn’t enough, Williams’ and ACG’s activities were going to touch the lives of countless children, parents, and teachers around the U.S. Soon a wave of emails framing Rebecca arrived in the inboxes of hundreds of schools and universities making bomb threats against them. The emails framed Rebecca as the culprit, and were written in such a way as to suggest she was the sender.
“I have made ammonium nitrate and nitrogen bombs and I am going to be going to your workplace, and blowing it up as my last final farewell to this hell hole we call earth, and if anyone tries to stop me it won’t end well, because I also have timed explosives at my high school,” one of the emails, purporting to be written by Rebecca, read. “Do not send anyone to my house before I go through with this as I have my father's AR-15 and I will not hesitate to kill myself or anyone who tries to stop this from happening. You are all going to die a terrible death. Everyone at your school is going to die.”
Williams then threatened Rebecca directly: he would “get active” if she didn’t respond. He even threatened to bomb her.
The Comm, ACG, and Williams were all out of control. On May 12, The Ambler Police Department, now responding to the threats against schools and not just a brick through a window, contacted the FBI. After not containing the issue the first time, the FBI stepped in, again.
Special Agent Zachary Fuller from the Philadelphia FBI decided to use their full name when he took on investigating Williams this time. Fuller interviewed Rebecca, who again pointed to Comm and this time mentioned ACG specifically. Williams threatened to SIM swap Rebecca as well.
In the now urgent context of bomb threats, authorities scrambled to get more information. They served an emergency data request with Verizon and another communications company, which pointed to Williams’ halfway house. When FBI officials entered, one agent dialed a phone number linked to threats against Rebecca. Something rang in Williams’ pocket. The agent pulled out a phone, and even in that moment, other people were listening in: the phone was signed into a call on Discord called “ACG MEETING.” Now surely the rest of the gang knew what had happened.
This arrest appeared to put a stop to Williams’ rampage. Rumors circulated that he had cooperated with the authorities. In one nightclub as confetti rained down from the ceiling, women held up bottles of champagne and sparklers. A message strobed on a wall across the dance floor: “Braiden Snitched.” Williams was no longer the man of the evening; he was the butt of the joke.
Those rumors weren’t limited to the sort of clubs that Williams used to flex his wealth inside. At some point, Williams’ Snapchat avatar was changed to a figure dressed in a police uniform, a nod to his alleged work with the authorities.
But, ACG remains an elusive target. Multiple members still appear to be free, posting and mocking rivals on Telegram. There have been no announced arrests of exe or awpy, the group’s leaders. If Williams was able to live it large when he just received a cut, what could the ringleaders possibly be raking in.