A college student alleged to have stolen $5 million in cryptocurrency by way of hijacking phone numbers—a technique called SIM swapping—has pled guilty and will go to jail for 10 years, according to Motherboard.

Digital pickpocketing on the rise: SIM swapping entails gaining control of telephone numbers (for example, by posing as the phones’ users to their wireless carriers) and then resetting passwords to cryptocurrency wallet applications before draining them. Over the past few years, it’s become a particularly popular and damaging attack. Assailants have at times appeared to target prominent people known to hold large amounts of Bitcoin and other cryptocurrencies.

In August of 2018 Michael Terpin, a prominent cryptocurrency investor, filed a lawsuit against AT&T, accusing it of fraud and negligence after hackers stole cryptocurrency from his personal account. In November, a cryptocurrency-focused US firm brought another suit against AT&T and T-Mobile on behalf of SIM-swapping victims. Also on Friday, a 20-year-old was indicted in New York and charged with carrying out more than 50 SIM-swapping attacks against targets all over the country.

Sensing weakness: Billions of dollars’ worth of cryptocurrency is now stored online, and it’s often not well-protected. That’s attracted the attention of creative and sophisticated criminal hackers, including professional groups. While blockchains have some inherent security advantages, third-party applications like exchanges and wallet services that store their users’ private keys can represent a soft underbelly that thieves can exploit. SIM swapping is just one way to do that. The lesson here is simple: if you don’t control your keys, you don’t control your cryptocurrency.