UNKNOWN

DESCRIPTION OF EVENTS

"Michael Terpin, a serial cryptocurrency entrepreneur and technology startup extraordinaire, claimed that AT&T’s lack of security allowed hackers to enter his wireless account and steal crypto coins worth roughly $24 million."

"On June 11, 2017, Mr. Terpin's phone suddenly became inoperable because his cell phone number had been hacked. After hackers attempted and failed eleven times to change Mr. Terpin's AT&T password in AT&T retail stores, the hackers were able to change his password remotely. Mr. Terpin alleges that this allowed the hackers to gain control of his phone number, which allowed them to gain access to his accounts that use his telephone number for authentication. Mr. Terpin asserts the hackers used his telephone number to access his cryptocurrency accounts and also impersonated him by using his Skype account. By impersonating him, the hackers convinced one of Mr. Terpin's clients to send them cryptocurrency and diverted the cryptocurrency to themselves. Later that day, AT&T was able to cutoff the hackers' access to Mr. Terpin's telephone number. However, by this time, the hackers had stolen substantial funds from Mr. Terpin."

"Around June 13, 2017, Mr. Terpin met with AT&T representatives in Puerto Rico to discuss the hack. AT&T allegedly promised to place Mr. Terpin's account on a "higher security level with special protection." This included requiring a six-digit passcode (known only to Mr. Terpin and his wife) of anyone attempting to access or change Mr. Terpin's account settings or transfer his telephone number to another phone. Mr. Terpin alleges that this form of "celebrity" protection was created with the knowledge and approval of AT&T's officers, including Bill O'Hern and David S. Huntley, who are in charge of AT&T's security and privacy efforts. Mr. Terpin maintains that he "relied upon AT&T's promises that his account would be much more secure against hacking, including SIM swap fraud, after it implemented the increased security measures," and this led him to remain an AT&T customer. Mr. Terpin alleges that AT&T and its officers, such as Mr. O'Hern and Mr. Huntley, knew at the time he adopted the six-digit security code that it would not provide adequate protection because it could be overridden by AT&T employees."

"AT&T allegedly placed Mr.Terpin’s account on a higher security level with special protection. This included requiring a six-digit passcode (known only to Terpin and his wife) of anyone attempting to access or change his account settings or transfer his telephone number to another phone."

"On Sunday, January 7, 2018, Mr. Terpin's phone again became inoperable. Mr. Terpin alleges that an employee at an AT&T store in Norwich, Connecticut assisted an imposter with a SIM card swap. This resulted in AT&T transferring Mr. Terpin's phone number to an imposter. Mr. Terpin alleges that when his phone became inoperable, he attempted to contact AT&T to have his telephone number canceled, but AT&T failed to promptly cancel his account. By having access to Mr. Terpin's phone number, Mr. Terpin alleges that "the hackers were able to intercept Mr. Terpin's personal information, including telephone calls and text messages, change passwords, access programs and files and locate information that allowed them to gain access to his cryptocurrency wallets and/or accounts." "Mr. Terpin alleges that, as a result, between January 7 and 8, 2018, the hackers stole nearly $24 million worth of cryptocurrency from him."

"Terpin had complained of losing three million unspecified cryptos via the hack in early 2018."

"However, the phone and internet service provider claimed that it is not responsible for a series of recent SIM-swapping complaints. But the Judge engaged in the lawsuit denied AT&T’s request to dismiss the case or disregard its legal obligations, saying the company “can be held to answer a lawsuit by Michael Terpin for enabling the theft of $24 million of his cryptocurrency by giving his SIM card to hackers.”

"Once the thieves had access to his phone number, they were able to request a password change and reset the security on many of his accounts, effectively locking him out. The hackers also changed the password on his cryptocurrency account and initiated the transfer of digital assets to their own wallets."

"However, the court recognized that AT&T disclosed the limits of its security protections and that its privacy policy explicitly states it cannot guarantee that customers’ personal info will never be disclosed “as the result of unauthorized acts by third parties.”"

“Even if AT&T knew that the six-digit code could not prevent every potential security breach; the Court cannot infer from Mr. Terpin’s allegations that AT&T intended for the code to provide no increase to security when it promised additional protection. A defendant may be ‘overly optimistic’ in making its promise, but “an erroneous belief, no matter how misguided, does not justify a finding of fraud,” the judge further explained."

"The lawsuit described the case as an example of classic identity theft, in which hackers gained access to sensitive financial information by stealing personal data." "Although it is unclear exactly how the thieves replaced Terpin’s mobile SIM, the “lawsuit suggests they impersonated him to AT&T’s customer service agents and requested that the phone number be transferred to their own device.”"

"According to a report, Terpin accused the telecoms giant of “allowing hackers to swap his SIM card, in what appears to be an elaborate scheme by fraudsters.” Terpin, a crypto entrepreneur, also claims that AT&T’s lax security “allowed hackers to enter his wireless account and steal crypto coins worth roughly $24 million.”"

"In its findings, however, the U.S. court “recognized that AT&T disclosed the limits of its security protections and that its privacy policy explicitly states it cannot guarantee that customers’ personal info will never be disclosed as the result of unauthorized acts by third parties.”"

"After gaining access to his phone number, the criminals were able “to request a password change and reset the security on many of his accounts.” The hackers then “changed the password on his cryptocurrency account and initiated the transfer of digital assets to their own wallets.”"

"Terpin also sued telecoms firm AT&T [in] August [2020], claiming the company had failed to protect his cellphone data. “In recent incidents, law enforcement has even confirmed that AT&T employees profited from working directly with cyber terrorists and thieves in SIM swap frauds,” he contended at the time."

"A California judge overseeing litigation accusing AT&T of negligence, fraud, and other violations dismissed a $200 million damages claim against the telecommunications giant. The court narrowed allegations filed by Michael Terpin, but it allowed him to sue AT&T for the $24 million he lost after a company agent was allegedly bribed by a criminal gang."

"Terpin filed the case against 21-year-old Nicholas Truglia earlier this year, saying the Manhattan resident had defrauded him of cryptocurrencies after gaining control of his cellphone number. California Superior Court has now ordered Truglia to pay Terpin $75.8 million in compensatory and punitive damages, Reuters reported Saturday citing court documents."

"Truglia is also reportedly alleged to have used the SIM-swapping method to steal from a number of individuals. He was arrested in New York last November and faces 21 felony counts related to six victims, the New York Post reported late last year."

"We are pleased that the Court recognizes that cyber-crime is still crime, setting a precedent with its record racketeering judgment against Truglia under the RICO Act as participating in an ongoing criminal enterprise dedicated to stealing millions upon millions of dollars from innocent victims," said Terpin. "Truglia did not act alone, and we are preparing actions against other gang members we have identified with the help of law enforcement and our own investigations. We, of course, are still actively pursuing our federal court case against AT&T, whose gross negligence we contend allowed these crimes to occur."

Lead attorney Pierce O’Donnell stated, "We are pioneering in championing the rights of victims of cyber crypto crime in recovering their stolen from funds and punishing the crooks. They can hack but we will fight back. We have a courageous client in Michael Terpin who has been clear from the beginning that he intends to pursue his rights to the end. This is a significant step, but we have every expectation that this Judgment against Nick Truglia is only the beginning, not the end, of our efforts to secure legal relief for Michael. We still have a case pending in federal court against AT&T for its responsibility in this matter and we are continuing to look at numerous other perpetrators responsible for this theft.”

On an unknown exchange platform, Michael Terpin was successfully SIM-swapped despite instituting extra protections on his AT&T account. The case went before the courts. Parts of the case were dismissed, while the claim for the lost funds was allowed to proceed. It does not appear that any judgement against AT&T has been successful.

Michael Terpin did later manage to determine the individual responsible for the SIM-swap and bring a judgement against them. Whether they will ever be able to collect on that judgement is another matter.

HOW COULD THIS HAVE BEEN PREVENTED?

The use of cell phones as the common factor of authentication, withdrawal, and to enable password change is the vulnerability. In order to be effective, multi-factor authentication must feature unique factors. If only one factor (the phone number) is effectively required, then this defeats the point of the multi-factor authentication. One might as well allow a login with the phone number directly. As all factors are vulnerable, large withdrawals need to require distinct factors. Platforms should give care to factors that may be linked, such as the phone number and email.

Check Our Framework For Safe Secure Exchange Platforms

Judge Dismisses $200M Damages Claim in SIM-Swap Crypto Lawsuit Against AT&T – News Bitcoin News (Oct 3)
Court Drops Crypto Theft Suit against AT&T, $24M Damage Claim Continues (Oct 3)
AT&T Official Site - Unlimited Data Plans, Internet Service, & TV (Oct 18)
Europol Arrests 26 SIM Swapping Fraudsters For Stealing Over $3 Million (Oct 18)
Sim Swap Fraud: How to Protect Yourself (Oct 18)
AT&T asks court to dismiss $200M claim in SIM-swap case - CoinGeek (Oct 19)
https://www.pymnts.com/news/security-and-risk/2021/nudata-passive-biometrics-help-battle-sim-swap-fraud/ (Oct 19)
FBI Warns Digital Currency Exchanges and Crypto Owners of Possible Threats – Bitcoin News (Oct 3)
Terpin v. AT&T Mobility, LLC, Case No. 2:18-cv-06975-ODW (KSx) | Casetext Search + Citator (Dec 1)
Judge Dismisses $200M Damages Claim in AT&T Crypto Hack Lawsuit - CoinDesk (Jun 6)
WATCH OUT For these Crypto SCAMS!! - YouTube (May 6)
SSC (Jun 6)
Cryptocurrency Investor Michael Terpin Wins $75.8 Million Judgment in First-Ever SIM Swap Racketeering Case (Jun 6)
Crypto Investor Awarded Over $75 Million in SIM-Swapping Hack Case - CoinDesk (Jun 6)
AT&T Sued for $224 Million After Phone Hackers Rob Crypto Investor - CoinDesk (Jun 6)
https://www.crowdfundinsider.com/2020/02/157944-michael-terpins-sim-swap-lawsuit-against-att-moves-forward/ (Jun 6)
What To Do When Sim Swapping Happens To You (Oct 14)
Darknet Diaries - 112: Dirty Coms (Feb 5)

More case studies

CoinsMarkets
Exit Scam

Telegram ICO
Phishing