Judge rules that phony SIM swap leading to a $24M crypto theft was not AT&T’s fault

by techlowdown · 5 April 2023

Last week, the U.S. District Court for the Central District of California granted AT&T Mobility’s request for Summary Judgment in a case involving the theft of $24 million in cryptocurrency that belonged to investor Michael Terpin. Judge Otis Wright II had previously tossed a $200 million damages claim filed by Terpin against AT&T Mobility noting that the carrier’s privacy policies didn’t guarantee protection from third-party attacks.

A judge grants AT&T’s request for Summary Judgment in a case involving a SIM swap and the theft of crypto

The judge allowed Terpin to file for punitive damages but this was the suit that AT&T’s motion successfully ended before going to trial. The mastermind behind the theft, according to Gizmodo, was a teenager named Ellis Pinsky who reportedly led a 20-man crew that stole $100 million in cryptocurrency through SIM swaps and other illegal methods. In a SIM swap, the thief uses faked identity papers and asks the carrier to send a new SIM card to the thief’s address where it is entered into the criminal’s phone.

By doing this, the thief can even bypass two-factor authorization (2FA) and gain access to financial accounts. 2FA is supposed to stop fraud by sending a PIN to a user’s phone when he tries to log in to an app. But after the SIM swap, the code will be sent to the thief’s phone allowing him access to the app.

Considering that the victim’s carrier can be involved in approving the SIM swap, Terpin said that the court’s ruling ignores “a mountain of evidence that AT&T was grossly negligent and consciously disregarded its legal duties to protect its customers from this type of cybercrime.” In a previous case against T-Mobile, a rogue employee inside the wireless provider helped the scam succeed by allowing the SIM swap to take place without any issues; as a result the unlucky subscriber got ripped off.

In a previous case involving AT&T, a nine-person gang used a SIM swap to steal 57 Bitcoins current valued at over $1.6 million, but was worth $470,000 at the time of the theft. That gang got busted when the mother of one of the gang members overheard her son on the phone pretending to be an AT&T employee. She shut down the crew by calling the cops who found multiple handsets, a large number of SIM cards, and on his computer “an extensive list of names and phone numbers of people from around the world.”

The number of fraudulent SIM swap cases should be declining thanks to eSIM

In a statement following the ruling, AT&T said, “As we’ve maintained, fraudulent SIM swaps are a form of theft committed by sophisticated criminals. It is unfortunate that these criminals targeted Mr. Terpin, but we are pleased the court agrees that we were not responsible for Mr. Terpin’s losses.”

The good news is that with more phones using embedded SIM (eSIM) instead of physical SIM cards, the number of SIM swaps should be declining. Because an eSIM is embedded on the phone’s motherboard, previous excuses that allowed thieves to ask for a new SIM card such as “I’ve lost my SIM card” or “The dog ate my SIM card” are no longer valid excuses.

Still, for those who use a phone with a physical SIM card, carriers should request that customers desiring a new SIM card show up to one of the wireless firms’ retail locations and bring photo identification (such as a valid driver’s license) in order to obtain a new SIM card.

If you’re using your phone and see a notification stating that your SIM card has been updated and you did not personally request such a change, immediately get in touch with your carrier. What has happened in the past is that once this notification has been received, cell and data services to the phone are cut off quickly as the thief takes over control of the phone.