Unknown Sim Swapping Michael Terpin

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Unknown

On an unknown exchange platform, Michael Terpin was successfully SIM-swapped despite instituting extra protections on his AT&T account. The case went before the courts. Parts of the case were dismissed, while the claim for the lost funds was allowed to proceed. It does not appear that any judgement against AT&T has been successful.

Michael Terpin did later manage to determine the individual responsible for the SIM-swap and bring a judgement against them. Whether they will ever be able to collect on that judgement is another matter.

This exchange or platform is based in United States, or the incident targeted people primarily in United States.

About Unknown

"Michael Terpin, a serial cryptocurrency entrepreneur and technology startup extraordinaire, claimed that AT&T’s lack of security allowed hackers to enter his wireless account and steal crypto coins worth roughly $24 million."

"On June 11, 2017, Mr. Terpin's phone suddenly became inoperable because his cell phone number had been hacked. After hackers attempted and failed eleven times to change Mr. Terpin's AT&T password in AT&T retail stores, the hackers were able to change his password remotely. Mr. Terpin alleges that this allowed the hackers to gain control of his phone number, which allowed them to gain access to his accounts that use his telephone number for authentication. Mr. Terpin asserts the hackers used his telephone number to access his cryptocurrency accounts and also impersonated him by using his Skype account. By impersonating him, the hackers convinced one of Mr. Terpin's clients to send them cryptocurrency and diverted the cryptocurrency to themselves. Later that day, AT&T was able to cutoff the hackers' access to Mr. Terpin's telephone number. However, by this time, the hackers had stolen substantial funds from Mr. Terpin."

"Around June 13, 2017, Mr. Terpin met with AT&T representatives in Puerto Rico to discuss the hack. AT&T allegedly promised to place Mr. Terpin's account on a "higher security level with special protection." This included requiring a six-digit passcode (known only to Mr. Terpin and his wife) of anyone attempting to access or change Mr. Terpin's account settings or transfer his telephone number to another phone. Mr. Terpin alleges that this form of "celebrity" protection was created with the knowledge and approval of AT&T's officers, including Bill O'Hern and David S. Huntley, who are in charge of AT&T's security and privacy efforts. Mr. Terpin maintains that he "relied upon AT&T's promises that his account would be much more secure against hacking, including SIM swap fraud, after it implemented the increased security measures," and this led him to remain an AT&T customer. Mr. Terpin alleges that AT&T and its officers, such as Mr. O'Hern and Mr. Huntley, knew at the time he adopted the six-digit security code that it would not provide adequate protection because it could be overridden by AT&T employees."

"AT&T allegedly placed Mr.Terpin’s account on a higher security level with special protection. This included requiring a six-digit passcode (known only to Terpin and his wife) of anyone attempting to access or change his account settings or transfer his telephone number to another phone."

"On Sunday, January 7, 2018, Mr. Terpin's phone again became inoperable. Mr. Terpin alleges that an employee at an AT&T store in Norwich, Connecticut assisted an imposter with a SIM card swap. This resulted in AT&T transferring Mr. Terpin's phone number to an imposter. Mr. Terpin alleges that when his phone became inoperable, he attempted to contact AT&T to have his telephone number canceled, but AT&T failed to promptly cancel his account. By having access to Mr. Terpin's phone number, Mr. Terpin alleges that "the hackers were able to intercept Mr. Terpin's personal information, including telephone calls and text messages, change passwords, access programs and files and locate information that allowed them to gain access to his cryptocurrency wallets and/or accounts." "Mr. Terpin alleges that, as a result, between January 7 and 8, 2018, the hackers stole nearly $24 million worth of cryptocurrency from him."

"Terpin had complained of losing three million unspecified cryptos via the hack in early 2018."

"However, the phone and internet service provider claimed that it is not responsible for a series of recent SIM-swapping complaints. But the Judge engaged in the lawsuit denied AT&T’s request to dismiss the case or disregard its legal obligations, saying the company “can be held to answer a lawsuit by Michael Terpin for enabling the theft of $24 million of his cryptocurrency by giving his SIM card to hackers.”

"Once the thieves had access to his phone number, they were able to request a password change and reset the security on many of his accounts, effectively locking him out. The hackers also changed the password on his cryptocurrency account and initiated the transfer of digital assets to their own wallets."

"However, the court recognized that AT&T disclosed the limits of its security protections and that its privacy policy explicitly states it cannot guarantee that customers’ personal info will never be disclosed “as the result of unauthorized acts by third parties.”"

“Even if AT&T knew that the six-digit code could not prevent every potential security breach; the Court cannot infer from Mr. Terpin’s allegations that AT&T intended for the code to provide no increase to security when it promised additional protection. A defendant may be ‘overly optimistic’ in making its promise, but “an erroneous belief, no matter how misguided, does not justify a finding of fraud,” the judge further explained."

"The lawsuit described the case as an example of classic identity theft, in which hackers gained access to sensitive financial information by stealing personal data." "Although it is unclear exactly how the thieves replaced Terpin’s mobile SIM, the “lawsuit suggests they impersonated him to AT&T’s customer service agents and requested that the phone number be transferred to their own device.”"

"According to a report, Terpin accused the telecoms giant of “allowing hackers to swap his SIM card, in what appears to be an elaborate scheme by fraudsters.” Terpin, a crypto entrepreneur, also claims that AT&T’s lax security “allowed hackers to enter his wireless account and steal crypto coins worth roughly $24 million.”"

"In its findings, however, the U.S. court “recognized that AT&T disclosed the limits of its security protections and that its privacy policy explicitly states it cannot guarantee that customers’ personal info will never be disclosed as the result of unauthorized acts by third parties.”"

"After gaining access to his phone number, the criminals were able “to request a password change and reset the security on many of his accounts.” The hackers then “changed the password on his cryptocurrency account and initiated the transfer of digital assets to their own wallets.”"

"Terpin also sued telecoms firm AT&T [in] August [2020], claiming the company had failed to protect his cellphone data. “In recent incidents, law enforcement has even confirmed that AT&T employees profited from working directly with cyber terrorists and thieves in SIM swap frauds,” he contended at the time."

"A California judge overseeing litigation accusing AT&T of negligence, fraud, and other violations dismissed a $200 million damages claim against the telecommunications giant. The court narrowed allegations filed by Michael Terpin, but it allowed him to sue AT&T for the $24 million he lost after a company agent was allegedly bribed by a criminal gang."

"Terpin filed the case against 21-year-old Nicholas Truglia earlier this year, saying the Manhattan resident had defrauded him of cryptocurrencies after gaining control of his cellphone number. California Superior Court has now ordered Truglia to pay Terpin $75.8 million in compensatory and punitive damages, Reuters reported Saturday citing court documents."

"Truglia is also reportedly alleged to have used the SIM-swapping method to steal from a number of individuals. He was arrested in New York last November and faces 21 felony counts related to six victims, the New York Post reported late last year."

"We are pleased that the Court recognizes that cyber-crime is still crime, setting a precedent with its record racketeering judgment against Truglia under the RICO Act as participating in an ongoing criminal enterprise dedicated to stealing millions upon millions of dollars from innocent victims," said Terpin. "Truglia did not act alone, and we are preparing actions against other gang members we have identified with the help of law enforcement and our own investigations. We, of course, are still actively pursuing our federal court case against AT&T, whose gross negligence we contend allowed these crimes to occur."

Lead attorney Pierce O’Donnell stated, "We are pioneering in championing the rights of victims of cyber crypto crime in recovering their stolen from funds and punishing the crooks. They can hack but we will fight back. We have a courageous client in Michael Terpin who has been clear from the beginning that he intends to pursue his rights to the end. This is a significant step, but we have every expectation that this Judgment against Nick Truglia is only the beginning, not the end, of our efforts to secure legal relief for Michael. We still have a case pending in federal court against AT&T for its responsibility in this matter and we are continuing to look at numerous other perpetrators responsible for this theft.”

This exchange or platform is based in United States, or the incident targeted people primarily in United States.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

Known history of when and how the service was started.
What problems does the company or service claim to solve?
What marketing materials were used by the firm or business?
Audits performed, and excerpts that may have been included.
Business registration documents shown (fake or legitimate).
How were people recruited to participate?
Public warnings and announcements prior to the event.

Don't Include:

Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

When the service was actually started (if different than the "official story").
Who actually ran a service and their own personal history.
How the service was structured behind the scenes. (For example, there was no "trading bot".)
Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Unknown Sim Swapping Michael Terpin
Date	Event	Description
January 7th, 2018 12:00:00 AM	First Event	This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

It is unknown how much was recovered.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

The use of cell phones as the common factor of authentication, withdrawal, and to enable password change is the vulnerability. In order to be effective, multi-factor authentication must feature unique factors. If only one factor (the phone number) is effectively required, then this defeats the point of the multi-factor authentication. One might as well allow a login with the phone number directly. As all factors are vulnerable, large withdrawals need to require distinct factors. Platforms should give care to factors that may be linked, such as the phone number and email.