Ex-T-Mobile US store owner phished staff, raked in $25m from unlocking phones
That's just the tip of the iceberg – and now he faces potentially years in the clink
A now-former T-Mobile US store owner stole at least 50 employees' work credentials to run a phone unlocking and unblocking service that prosecutors said netted $25 million.
Argishti Khudaverdyan, 44, of Burbank, California, was found guilty of 14 criminal charges [PDF] by a US federal jury on Friday.
According to the Dept of Justice, Khudaverdyan co-owned a T-Mobile US store in Los Angeles, operating as a business called Top Tier Solutions, for about five months in 2017. The shop's other co-owner, Alen Gharehbagloo, 43, of nearby La Cañada Flintridge, pleaded guilty to three felony fraud charges last month [PDF].
T-Mo ended its contract with Khudaverdyan in June 2017 after being sketched out by his suspicious use of the carrier's computer system. It turned out he had been unlocking phones for customers without T-Mobile US's permission so that the devices could be used on different networks.
Even after the self-styled un-carrier gave him the boot, he continued his illicit scheme, advertising unlocking and unblocking services through brokers, email spam, and websites that Khudaverdyan and Gharehbagloo controlled, such as unlocks247[.]com and swiftunlocked[.]com.
The men falsely claimed their work was officially sanctioned by T-Mo. As well as carrier unlocking handsets, the pair also offered to unblock devices that had been reported lost or stolen and banned from networks as a result.
To perform these services, Khudaverdyan sought access to the relevant management functions within T-Mobile US's internal computer system. And so he sent phishing emails to T-Mo employees so he could steal their login credentials, prosecutors said.
The emails, which looked like legitimate T-Mobile US correspondence, contained links to phony websites that Khudaverdyan controlled. Once the workers clicked on the malicious links, they were taken to a fake website that asked them to log in using their employee ID. The sites then harvested the submitted user names and passwords for Khudaverdyan.
He also socially engineered T-Mo's IT support, and seems to have got some inside help from rogue call center workers to gain access to staff accounts. According to prosecutors:
Working with others in overseas call centers, Khudaverdyan also received T‑Mobile employee credentials which he then used to access T-Mobile systems to target higher-level employees by harvesting those employees’ personal identifying information and calling the T-Mobile IT Help Desk to reset the employees’ company passwords, giving him unauthorized access to the T-Mobile systems which allowed him to unlock and unblock cellphones.
According to the DoJ, Khudaverdyan and his criminal associates stole more than 50 credentials from T-Mo employees across the US, and they used that info to log in to T-Mo internal systems and unlock and unblock "hundreds of thousands" of phones for paying customers.
The miscreants raked in about $25 million via PayPal, Uncle Sam's lawyers said. This caper started back in 2014 and ran until 2019, we're told, meaning that the retail store was only one chapter in this saga.
Khudaverdyan is due to be sentenced on October 17. He was convicted on one count of conspiracy to commit wire fraud, three counts of wire fraud, two counts of accessing a computer to defraud and obtain value, one count of intentionally accessing a computer without authorization to obtain information, one count of conspiracy to commit money laundering, five counts of money laundering, and one count of aggravated identity theft.
He faces potentially decades behind bars.
Gharehbagloo's sentencing hearing is set for December. ®
PS: Looking through the court documents we spotted that at least one of the web-based unlocking systems provided to T-Mobile US representatives had no authentication on it: it simply checked to see if the user was connecting in from an allow-listed IP address.