Bitcoin backer sues AT&T for $240m over stolen cryptocurrency

Michael Terpin not happy about funds-draining SIM swap fraud

Got Tips? 41 Reg comments

A bitcoin investor is suing AT&T for $240m after it allegedly ported his phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency.

Michael Terpin is suing the phone giant [PDF] for the value of the three million electronic coins plus $216m in punitive damages after he claims an AT&T employee at a store in Connecticut agreed, in person, to transfer his personal phone number to a new SIM card, despite the account having "high risk" protection following an earlier hacking effort.

The anonymous hacker then used his access to Terpin's phone number to bypass security on his cryptocurrency accounts, thanks to two-factor authentication sent by text, and transferred millions of dollars to a different account: an approach known as "SIM swap fraud."

Terpin claims AT&T admitted to him that the employee in question agreed to shift the SIM despite the security requirement that they ask for a valid form of ID and having ignored an additional "VIP" requirement that they provide a special six-digit passcode before changes are allowed on the account.

That six-digit extra security step was introduced after Terpin says his account had been targeted – and hacked – six months earlier through the same approach. That time, he says, a hacker made no less than 11 in-store attempts to steal his SIM information before finally succeeding.

On both occasions, the first Terpin knew of the hack was when his phone went dead. The second time, he says he knew immediately what had happened and tried immediately to contact AT&T to shut the phone down but was stymied by the fact it was a Sunday and "AT&T's fraud department apparently does not work on Sundays." By the time he regained access, $23.8m in bitcoin had gone missing, he claims.

By failing to follow procedures and given the extra security on his accounts, Terpin claims that AT&T has broken multiple laws and lists no less than sixteen claims for relief ranging from negligence to breach of contract to insufficient security and providing unlawful access to personal information.


SIM swap fraud became an issue more than six years ago and has become an increasing problem, particularly with the growing use of two-factor authentication with hackers often targeting specific individuals.

There are a number of different ways that criminals carry it out but broadly they first gain access to an individual's username and password – often through malware introduced on their computer – and then contact their mobile phone company and provide a plausible story why their number needs to be transferred to a new SIM card.

Once an attacker has access to their mobile phone, they are able to use it to provide the secondary identification that many online services now require before making significant changes.


Korean cryptocoin exchange $30m lighter after hacking attack


Mobile phone companies responded to early attacks by adding the requirement that employees require a valid ID of the account holder before making any such changes but a number of cases have emerged where criminals paid phone company employees to make changes. Terpin alleges that's what happened in this case, given that neither a valid ID nor the special six-figure passcode were asked for porting his details to a new SIM.

The big legal question of course is whether AT&T is then liable for what is done with that access. Although it appears to have failed to implement its own security requirements – if we take Terpin's account of the theft to be entirely accurate – AT&T's lawyers will no doubt argue that it cannot be held responsible for everything that happens subsequently.

After all, a hacker would still have required Terpin's username and password to access a secure cryptocurrency wallet.

Carry case

There are several elements in the lawsuit that suggest Terpin's lawsuit may not have the tightest legal case, including a colorful but somewhat meandering and irrelevant legal argument in which SIM swap fraud is called a "metastasizing cancer" and AT&T's security a "modern-day Maginot line."

It cites a relevant FCC fine against AT&T for not protecting its users' privacy but also goes into some depth on an irrelevant argument about media coverage of other SIM fraud cases. The lengthy claims for relief rely heavily on California business law and contractual arguments – which is rarely a good sign when going up against a huge corporation.

Regardless, if Terpin's version of events are comprehensive, it would appear that AT&T failed to implement its own security arrangements and the fact that the account had already been flagged as high risk makes Terpin's case that much stronger.

AT&T for its part has promised to fight the lawsuit. "We dispute these allegations and look forward to presenting our case in court," said a representative. ®

Sponsored: Ransomware has gone nuclear


Keep Reading

Someone shocked by 5G

AT&T slapped down for its '5GE' ads: You don’t have a proper 5G network, so stop saying so, says watchdog

Pah, fine, OK, we’ll do what you say... in marketing, pouts telco to NARB
map on a mobile phone cellphone

FCC sucks its teeth, clicks its tongue, says: Yeah, AT&T, Sprint, T-Mobile US, Verizon gleefully sold your location data. Guess we should fine them?

How much you make, Randy? Wanna cough up, I dunno, twice that or something?
T-Mobile store next to a Sprint store

Sprint-T-Mobile US merger: Bad for competition? Good for standing up to Verizon, AT&T? NYC court goes with the latter

Judge approves $26bn deal, individual states not quite so happy

AT&T tracked its own sales bods using GPS, secretly charged them $135 a month to do so, lawsuit claims

See, it's not just users getting shafted
Image of woman holding mask of her own face

Relying on AT&T, Verizon and T-Mob US to protect you from SIM swapping? You better get used to disappointment

Study shows top telcos are naff at fending off cellphone number hijackings

RSA Conference loses one more abbreviated tech giant after AT&T disconnects over novel coronavirus fears

RSA Alternative headline: Killer bio-nasty linked to former alien vault and cyber-hacker gathering

AT&T: We did nothing wrong in promising unlimited data that wasn't. We're just giving the FTC $60m for fun

Comment Watchdog agrees one day of profit ought to be enough after 5 years of arguing

AT&T insists it's not blocking Tutanota after secure email biz cries foul, cites loss of net neutrality as cause

Updated Monster telco says it's working to resolve whatever's going on

Biting the hand that feeds IT © 1998–2020