SIM swapping victim lost $24 million in cryptocurrency, sues AT&T, calls for change

People holding digital assets may not realize how susceptible they are to a form of hacking known as SIM swapping. One SIM swapping victim lost close to $24 million in cryptocurrency, despite taking what he thought were the necessary protections.

Michael Terpin, a cryptocurrency investor and founder of Transform Group International, a blockchain public relations company, filed a $223.8 million lawsuit against AT&T following the theft of more than 3 million cryptocurrency tokens in January of 2018. Terpin claimed the theft was caused by an AT&T employee who was bribed by hackers to steal his digital identity, then gave it to the hackers so they could steal his cryptocurrency.

Terpin described his saga in an interview with Rob Pegoraro, a contributor to Yahoo Finance and USA Today, at the recent CES show in Las Vegas. Pegoraro said after writing about this topic, he has removed his cell phone number from his important accounts. Pegoraro said one security measure is to use Google Authenticator, a two-step verification code on a phone, or a security key on a USB stick which he said is phishing immune. But Terpin said these measures would not have prevented his hack.

"Even when you go and get a second level secret PIN that cannot be changed by email, cannot be changed by anything else authorized, you have to go through the fraud department, this is still happening," Terpin said. "That's what happened to me on Jan. 7 of last year."

In a 20-minute period, the hackers were able to access three cryptocurrencies Terpin owned that had hit their all-time high on that day, Jan. 7, Terpin said. The hackers then laundered the assets through several exchanges.

Terpin said he already had a second level PIN that AT&T recommended after he experienced an earlier hack. He said he followed best practices, including Google 2FA, a two-factor verification feature.

Hackers were nonetheless able to reset credentials tied to Terpin's cryptocurrency accounts and steal his digital assets, according to a report by KrebsonSecurity, a security consultancy. An AT&T investigation revealed that an AT&T store employee in Norwich, Connecticut executed a SIM swap on Terpin's account without having to enter an extra security feature that Terpin had on his account, KrebsonSecurity said.

Scam artists frequently trick mobile providers into tying a customer's service to a new SIM card which they, the hackers, control, the KrebsonSecurity report said, adding that such swaps occur after the fraudster has managed to steal someone's password.

Hacker bragged on social media

The individual Terpin believes to be responsible for the hack, Nick Truglia, who was arrested in Novemberon 21 felony counts connected to stealing millions of dollars worth of cryptocurrency via SIM swapping, according to Yahoo News. Terpin said Truglia even bragged on social media about hacking $24 million.

More arrests in the hack will be announced, Terpin predicted, because he believes there were between six and 12 other people involved in the theft. He said he believes one of the thieves has more than $100 million.

AT&T disputes charges

"The carriers are playing delay, delay, delay," Terpin said, noting that the defense has argued that all the charges are without merit.

Terpin has sued AT&T on 16 counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background and related charges in U.S. District Court in Los Angeles.

"AT&T's studied indifference to protecting its customers' privacy and financial assets is a metastasizing cancer, threatening hundreds of millions of unsuspecting AT&T's customers," said Terpin's lawyer, Pierce O'Donnell, in a prepared statement. "Our client had no idea when he initially signed up, nor when later he was promised the highest level of security for his account, that low-level retail employees with access to AT&T records, or people posing as them, can be bribed by criminals to override every system that AT&T advertises as unassailable."

The complaint then goes on to detail the July 2018 arrests of multiple SIM swap gang members, including Joel Ortiz, who was arrested on July 12 in Los Angeles on 28 counts and is suspected of stealing at least $5 million in cryptocurrency in similar hacks, including a $1.5 million SIM swap of an AT&T subscriber during New York Blockchain Week; and the July 18 arrest of Ricky Joseph Handschumacher in Florida for his role in a gang that stole at least $460,000 in bitcoin by hijacking SIM identities from AT&T customers, allegedly using information from one of its members in Michigan to effectively impersonate an AT&T customer service representative.