SIM Swapping: How Hackers Stole Millions Worth of Crypto Via Victim’s Telecoms Operator
On Aug. 15, American investor Michael Terpin filed a $224 million lawsuit against AT&T. He believes that the telecoms giant had provided hackers with access to his phone number, which led to a major crypto heist.
Michael Terpin is a Puerto Rico-based entrepreneur and CEO of TransformGroup. He is also a co-founder of an angel group for Bitcoin (BTC) investors named BitAngels and of a digital currency fund, the BitAngels DApps Fund.
Terpin claims that he lost $24 million worth of cryptocurrencies as a result of two hacks that occurred over the course of seven months. The 69-page complaint he filed with California law firm Greenberg Glusker mentions two separate episodes, dated June 11, 2017 and Jan. 7, 2018. In both cases, as per the document, AT&T, of which Terpin had been a subscriber since the 1990s, failed to protect his digital identity.
Now, Terpin is seeking $200 million in punitive damages and $24 million in compensation from the telecommunications corporation.
SIM swapping scam: What does a telecoms provider have to do with crypto savings?
"What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner," the complaint states, arguing that Terpin fell victim to a SIM swap fraud, also known as SIM hijacking or a “port out scam.”
SIM swapping is the process of getting a telecoms provider like, say, T-Mobile to transfer the target’s phone number to a SIM card held by the attacker. Once they control the phone number, hackers can use it to reset the victims’ passwords and break into their accounts, including accounts on cryptocurrency exchanges.
Occasionally, that allows thieves to bypass even two-factor authentication, as Motherboard writes. According to their investigation, SIM swapping “is relatively easy to pull off and has become widespread,” and “cryptocurrency accounts are common targets.”
The tactics employed by criminals to perform such hacks may vary. Sometimes, they trick customer representatives into believing they are the targets and make them hand over their data. However, as per Motherboard, fraudsters often use the so-called “plugs”: telecom company insiders who get paid to do illegal swaps. An anonymous SIM hijacker told the publication:
“Everyone uses them[…] When you tell someone [who works at a telecoms company] they can make money, they do it.”
An anonymous source at Verizon told Motherboard that he had been approached via Reddit, where he was offered bribes in exchange for SIM swaps. Another Verizon employee claimed that the hacker promised that he would make “$100,000 in a few months” if he cooperated — all he had to do was “either activate the SIM cards for [the hacker] when [he was] at work or give [the attacker his] Employee ID and PIN.”
More relevant to the Terpin case, Motherboard’s dialogue with an AT&T employee suggested that the company’s system design allows some employees to override security features, such as the phone passcode that AT&T requires when porting numbers:
“From there, the passcode can be changed[…] With a fresh passcode, the number can be ported out with no hang ups.”
How was Terpin hacked?
As mentioned above, Terpin was hacked twice: in June 2017 and in January 2018.
First, in the summer of 2017, he found out that his AT&T number had been hacked when his phone suddenly went dead, according to the complaint. He then learned from AT&T that his password had been changed remotely “after 11 attempts in AT&T stores had failed.”
After gaining access to Terpin’s phone, the attackers used his personal information, including calls and text messages, to break into his accounts that use telephone numbers as a means of verification, including his “cryptocurrency accounts” — although the complaint doesn’t specify the type of those accounts. The hackers also reportedly hijacked Terpin’s Skype account to impersonate him and convince one of his clients to send them cryptocurrency.
AT&T reportedly cut off access to the hackers only after they managed to steal “substantial funds” from Terpin. The document also states that after the incident, on June 13, 2017, Terpin met with AT&T representatives to discuss the attack and was promised by AT&T that his account would be moved to a “higher security level” with “special protection,” akin to the ones used by celebrities:
“AT&T further told Mr. Terpin that the implementation of the increased security measures would prevent Mr. Terpin’s number from being moved to another phone without Mr. Terpin’s explicit permission, because no one other than Mr. Terpin and his wife would know the secret code.”
Nevertheless, half a year later, on Saturday, Jan. 7, 2018, Terpin’s phone reportedly turned off again — he had been attacked a second time. The complaint claims that “an employee in an AT&T store cooperated with an imposter committing SIM swap fraud,” despite the extra security measures taken back in June 2017:
“As AT&T later admitted, an employee in an AT&T store in Norwich, Connecticut ported over Mr. Terpin’s wireless number to an imposter in violation of AT&T’s commitments and promises, including the higher security that it had supposedly placed on Mr. Terpin’s account after the June 11, 2017 hack that had supposedly been implemented to prevent precisely such fraud.”
This time the thieves allegedly stole about $24 million worth of cryptocurrency, even though Terpin tried to contact AT&T “instantly” after his phone stopped working. AT&T allegedly “ignored” his request, leaving the hackers enough time to gather enough information about Terpin’s crypto accounts to move his funds to their own accounts. The plaintiff’s complaint argues that Terpin’s wife also tried calling AT&T at the time, but was put on “endless hold” when she asked to be connected to AT&T’s fraud department.
The Terpin case could be a legal precedent for SIM swapping scams
As the complaint sums up, emphasising the potential scale of port out scams:
“AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care.”
When Gizmodo contacted AT&T for a comment on the story, the company reportedly denied the accusation, stating that they are ready to stand their ground:
“We dispute these allegations and look forward to presenting our case in court.”
Terpin told Gizmodo that such crypto heists are commonly performed by “college kids who go online in these Discord groups.” He also insisted that in his case, the thieves used an AT&T employee:
“The one thing that’s been a link between [the crypto hacks] is that in every case they’ve had an insider[…] [Trading cryptocurrencies] is safe as long as nobody gives out your digital identity.”
He added that he contacted the FBI, Homeland Security and the U.S. Secret Service, and they’ve identified the AT&T employee who allegedly participated in the attack.
Terpin also claimed that he doesn’t give out his phone number anymore, relying on Google Voice instead.
Cointelegraph has contacted Terpin’s lawyers to specify which tokens were stolen from him, and where he had his cryptocurrency account. This story will be updated as soon as the comment request gets returned.