The first time Mark Donnelly noticed anything wrong was when his mobile phone suddenly lost service.
It came out of the blue; there was no explanation.
Where he'd normally see connectivity bars on his iPhone 12 Pro, there was just an "SOS" displayed – the term used by telcos to show a mobile phone has been cut from the network.
Mysteriously, his connection to Optus was gone.
The Sydney nurse didn't know it, but while he'd been busy working a morning shift at Westmead Hospital, in Sydney's west, helping sick patients, he'd become the victim of a devastating SIM swap, also known as simjacking or a SIM hijack.
A hacker was permitted to use private details and activate an eSIM using just the Optus online message system, without having to verify their identity face-to-face in an Optus store, which then allowed them to steal his phone number.
Once the hacker had his phone number, they took control of all his bank accounts, raised the spend limit of a ZipPay account, attempted to do the same on his AfterPay account, and gained access to all his immigration documentation, including his UK passport.
Armed with such prized identification, the hacker even tried – and failed – to set up a new bank account in Mr Donnelly's name.
A week after the attack, after long discussions with his banks, Mr Donnelly, 46, has managed to recover most of his lost $35,000.
ANZ returned $26,000 and ING another $4000. The remainder is still under investigation by Bendigo Bank.
Optus has so far offered him $80 in compensation since the December 6 hack. Mr Donnelly has contacted the Telecommunications Industry Ombudsman (TIO) and has questions about Optus protocol and whether it was followed correctly.
Optus has been contacted by nine.com.au.
"I'm devastated," Mr Donnelly, 46, said.
He described the experience of trying to untangle the mess with Optus and their fraud team as "absolutely hellish".
"They told me they would call me back in 24 to 48 hours and they would discuss it, but there was nothing," he said, recounting the timeline of the hack to 9news.com.au.
It was ultimately left up to Mr Donnelly to go into an Optus store in Sydney's west to try and work out what had happened.
On what turned out to be only the first of several visits, when Mr Donnelly complained about the loss of service, an Optus staff member offered to replace the SIM.
That immediately reconnected Mr Donnelly's phone to the network.
But crucially, Mr Donnelly claimed, the employee never checked why his iPhone had lost service.
Had that simple check been carried out by Optus, Mr Donnelly believes it may have shown how a hacker had activated the eSIM on another device.
Instead, Mr Donnelly left the store believing his old SIM must have been faulty.
Meanwhile, the hacker also noticed something was up, as they had suddenly lost control of Mr Donnelly's phone.
Later that night, the hacker went back to work.
In Optus chat logs obtained by Mr Donnelly and sighted by 9news.com.au, the hacker can be seen for a second time messaging an Optus agent and demanding the eSIM be activated.
Once again the hacker passed the security check – probably using identifying details stolen from Mr Donnelly (such information is often available and traded on the dark web) – and an eSIM was approved, with the activation set to take place in several hours.
9news.com.au understands that Optus' online service typically requires customers to provide their name, date of birth and mobile number to verify their identity. Services deemed to be higher-risk transactions, such as the issuing of eSIMs, are understood to require further authentication through knowledge-based questions.
By mid-morning, on December 8, Mr Donnelly again lost his Optus service, with the SOS message mysteriously reappearing on his iPhone screen.
He returned to the Optus store, he said, but this time an employee told him the SIM would not be replaced.
Mr Donnelly said the employee told him his iPhone was broken, and that it needed to be repaired by Apple.
Confused, he left the store and went home.
Soon after, Mr Donnelly got a Facebook call on his laptop from his frantic partner.
The hacker hadn't wasted any time with this second opportunity. Various bank accounts had been stripped of cash, the funds swiftly transferred to CoinJar, a crypto exchange.
Mr Donnelly tried in vain to contact CoinJar, but the company's website displayed no phone number which could have helped intercept the malicious activity.
Mr Donnelly fears for what might happen in the coming weeks and months.
The hacker gained access to Mr Donnelly's IMMI account, which contained all manner of identifying documentation of the kind that often ends up sold on the dark net.
"I've completely lost my identity," he said.
"Mark Donnelly is ruined."
A source from cybersecurity support service IDCARE told 9news.com.au that SIM swapping is now a major issue for telcos.
Hackers had turned their focus to simjacking after a long-favoured and lucrative technique known as "porting" was shut down, the source said, following a spike in attacks and more stringent security protocols and measures being applied by telcos.
Porting also allows hackers to take control of someone's phone.
The TIO received over 500 complaints from consumers in the last financial year who said they had fallen victim to telco-related fraud.
In a report released last month investigating how fraud and simjackings are executed, the TIO blamed "weak security processes" at telcos as one of the key factors which help fraudsters gain access to accounts.
Australians lose millions of dollars from fraud each year, often facilitated through mobile phone scams and hacks.