AT&T Loses Bid to Dismiss $1.8M Crypto Theft Lawsuit

Published at: May 20, 2020

U.S. District Judge Consuelo Marshall has rejected AT&T’s bid to dismiss a lawsuit that alleges the company was negligent for failing to prevent the theft of $1.8 million in crypto from investor Seth Shapiro.

In the judge’s order allowing the suit to continue, Shapiro’s claims of negligence and negligent supervision, his claims brought under the Computer Fraud and Abuse Act, and his request for punitive damages were left intact.

SIM-swap attack

Shapiro, an Emmy Award-winning media tech consultant who has previously worked for the likes of Disney and Showtime, filed the suit against AT&T in December 2019, alleging that the firm’s security failures resulted in thefts across multiple attacks.

SIM-swap attacks require the participation of employees from a telecom company. The telecom employee deliberately, or unwittingly, reassigns the victim’s account to a SIM controlled by a malicious actor — who is then able to gain access to information or accounts belonging to the target.

The court order states that Shapiro suffered his first SIM-swap attack during May 2018, after which an AT&T employee “noted the SIM swap activity in [Plaintiff’s] account and assured [Plaintiff] that his SIM card would not be swapped again without his authorization.”

“AT&T failed to implement sufficient data security systems and procedures and failed to supervise its own personnel, instead standing by as its employees used their position at the company to gain unauthorized access to Mr. Shapiro’s account in order to rob, extort and threaten him in exchange for money,” Shapiro’s complaint stated.

Shapiro has until May 29 to file an amended complaint in response to the order.

15-year-old hacker steals $24m in SIM-swap attack

AT&T also faces an ongoing lawsuit from pioneering crypto investor Michael Terpin, who is seeking more than $200 million in compensation for a $23.8 million SIM-swap attack that took place during January 2018.

Last month, the case took a surprising twist when Terpin launched a new lawsuit against the alleged perpetrator of the attack — who has recently turned 18 years old. 

At the time of the attack, the defendant, Ellis Pinsky, was just 15 years old and returned $2 million of the funds. Now that he is of legal age, Terpin is suing for the remaining sum plus damages — $71.4 million in total.

Speaking to Cointelegraph, Terpin stated that he was “a bit shocked to find out the alleged mastermind was only 15 at the time,” adding his surprise that “allegedly, this was not his first hacking or theft.”

Terpin asserted that Pinsky is in possession of $100 million, stating: “we believe he was being truthful when he told one of our informants via text that he still had $100 million hidden offshore.”
