SIM Swapping: How Hackers Stole Millions Worth of Crypto Via Victim’s Telecoms Operator

Published at: Aug. 18, 2018

On Aug. 15, American investor Michael Terpin filed a $224 million lawsuit against AT&T. He believes that the telecoms giant had provided hackers with access to his phone number, which led to a major crypto heist.

Michael Terpin is a Puerto Rico-based entrepreneur and CEO of TransformGroup. He is also a co-founder of an angel group for Bitcoin (BTC) investors named BitAngels and of a digital currency fund, the BitAngels DApps Fund.

Terpin claims that he lost $24 million worth of cryptocurrencies as a result of two hacks that occurred over the course of seven months. The 69-page complaint he filed with California law firm Greenberg Glusker mentions two separate episodes, dated June 11, 2017 and Jan. 7, 2018. In both cases, as per the document, AT&T, of which Terpin had been a longtime subscriber since the 1990s, failed to protect his digital identity.

Now, Terpin is seeking $200 million in punitive damages and $24 million in compensation from the telecommunications corporation.

SIM swapping scam: What does a telecoms provider have to do with crypto savings?

"What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner," the complaint states, arguing that Terpin fell victim to a SIM swap fraud, also known as SIM hijacking or a “port out scam.”

SIM swapping is the process of getting a telecoms provider like, say, T-Mobile to transfer the target’s phone number to a SIM card held by the attacker. Once they control the phone number, hackers can use it to reset the victims’ passwords and break into their accounts, including accounts on cryptocurrency exchanges.

Occasionally, that allows thieves to bypass even two-factor authentication, as Motherboard writes. According to its investigation, SIM swapping “is relatively easy to pull off and has become widespread,” and “cryptocurrency accounts are common targets.”

The tactics employed by criminals to perform such hacks may vary. Sometimes, they trick customer representatives into believing they are the targets and make them hand over their data. However, as per Motherboard, fraudsters often use the so-called “plugs”: telecom company insiders who get paid to do illegal swaps. An anonymous SIM hijacker told the publication:

“Everyone uses them[…] When you tell someone [who works at a telecoms company] they can make money, they do it.”

An anonymous source at Verizon told Motherboard that he had been approached via Reddit, where he was offered bribes in exchange for SIM swaps. Another Verizon employee claimed that the hacker promised that they would make “$100,000 in a few months” if he cooperated. All he had to do was “either activate the SIM cards for [the hacker] when [he was] at work or give [the attacker his] Employee ID and PIN.”

More related to the Terpin case, Motherboard’s dialogue with an AT&T employee suggested that their system’s design reportedly allows some employees to supersede security features, such as the phone passcode that AT&T requires when porting numbers:

“From there, the passcode can be changed[…] With a fresh passcode, the number can be ported out with no hang ups.”

How was Terpin hacked?

As mentioned above, Terpin was hacked twice: in June 2017 and in January 2018.

First, in the summer of 2017, he found out that his AT&T number had been hacked when his phone suddenly went dead, according to the complaint. He then learned from AT&T that his password had been changed remotely “after 11 attempts in AT&T stores had failed.”

After gaining access to Terpin’s phone, the attackers used his personal information, including calls and text messages, to break into his accounts that use telephone numbers as a means of verification, including his “cryptocurrency accounts,” although the complaint doesn’t specify the type of those accounts. The hackers also reportedly hijacked Terpin’s Skype account to impersonate him and convince one of his clients to send them cryptocurrency.

AT&T reportedly cut off access to the hackers only after they managed to steal “substantial funds” from Terpin. The document also states that after the incident, on June 13, 2017, Terpin met with AT&T representatives to discuss the attack and was promised by AT&T that his account would be moved to a “higher security level” with “special protection,” akin to the ones used by celebrities:

“AT&T further told Mr. Terpin that the implementation of the increased security measures would prevent Mr. Terpin’s number from being moved to another phone without Mr. Terpin’s explicit permission, because no one other than Mr. Terpin and his wife would know the secret code.”

Nevertheless, half a year later, on Saturday, Jan. 7, 2018, Terpin’s phone reportedly turned off again: he had been attacked once more. The complaint claims that “an employee in an AT&T store cooperated with an imposter committing SIM swap fraud,” despite the extra security measures taken back in June 2017:

“As AT&T later admitted, an employee in an AT&T store in Norwich, Connecticut ported over Mr. Terpin’s wireless number to an imposter in violation of AT&T’s commitments and promises, including the higher security that it had supposedly placed on Mr. Terpin’s account after the June 11, 2017 hack that had supposedly been implemented to prevent precisely such fraud.”

This time the thieves allegedly stole about $24 million worth of cryptocurrency, even though Terpin tried to contact AT&T “instantly” after his phone stopped working. AT&T allegedly “ignored” his request, leaving the hackers enough time to gather sufficient information about Terpin’s crypto accounts to move his funds to their own accounts. The complaint argues that Terpin’s wife also tried calling AT&T at the time, but was put on “endless hold” when she asked to be connected to AT&T’s fraud department.

The Terpin case could be a legal precedent for SIM swapping scams

As the complaint sums up, emphasising the potential scale of port out scams:

“AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care.”

When Gizmodo contacted AT&T for a comment on the story, the company reportedly denied the accusation, stating that they are ready to stand their ground:

“We dispute these allegations and look forward to presenting our case in court.”

Terpin told Gizmodo that such crypto heists are commonly performed by “college kids who go online in these Discord groups.” He also insisted that in his case, the thieves used an AT&T employee:

“The one thing that’s been a link between [the crypto hacks] is that in every case they’ve had an insider[…] [Trading cryptocurrencies] is safe as long as nobody gives out your digital identity.”

He added that he contacted the FBI, Homeland Security and the U.S. Secret Service, and they’ve identified the AT&T employee who allegedly participated in the attack.

Terpin also claimed that he doesn’t give out his phone number anymore, relying on Google Voice instead.

Cointelegraph has contacted Terpin’s lawyers to ask which tokens were stolen from him and where he held his cryptocurrency account. This story will be updated as soon as a response is received.
