Here are some ways the've been going about it – or at least talking about online without having admitted anything incriminating.
How to crack a cell phone
There are a lot of ways to get the PIN, or get through without needing it, but none require a CS degree and years hacking firewalls at NSA to build up the expertise.
It's not even hard to find the information. Searching Google for "how to hack a mobile phone" turns up a lot of solutions so simple some people appear to be trying to make the whole thing harder just to keep it interesting.
You do have to know the victim's private cell phone number and the carrier providing the service, if only to know the generic voice-mail access number to dial.
Spoof your victim's ID
The big barrier is convincing the voice-mail servers you are calling from the victim's phone. Cell-phone networks identify every phone using a 17- or 15-digit International Mobile Equipment Identity number on GSM phones or the Electronic Serial Number (ESN) on CDMA phones.
The numbers are flashed onto the phone at the time of firmware burn-in and can't be easily changed.
In the U.S. at least, the FCC requires ways to change it not be easily accessible.
You can change it by taking the chip holding the IMEI out of the phone and replacing it with another, but you'd just be changing the IMEI, not adding a different one.
Tools like this one promise to give you a different IMEI appropriate to your model of phone, but not to imprint it on the phone or discover one owned by your target.
Finding the IMEI or ESN
On most phones the ID numbers are printed inside, often under the battery. If you can get access to the phone and open it, you can get your victim's ID. Most phones will also show the ID if you hit a specific key code -- *#06#, for example.
It's also possible to intercept the data stream between a cell phone and its access point and decode it, but if you have the equipment on hand you don't need my help to figure this out.
Cell phones use radio the same way WiFi does, but on different frequencies . WiFi is 2.4GHz; cell phones operate on 850 MHz, 900 MHz, 1800 MHz and/or 1900 MHz.
You could tune a receiver to pull in the signal, but carriers encrypt cell phone traffic using their own algorithms, so cracking the encryption to unencrypt the traffic and find the IMEI sent by the phone when it first connects to tower is possible. If you're with the NSA.