AT&T Faces Lawsuit Over Alleged SIM Swapping Leading to Massive Cryptocurrency Theft 

News and Analysis
04.07.2020

AT&T has been involved in a lawsuit alleging that its employees facilitated the hijacking of a client’s SIM card, which then allowed attackers to steal crypto the client’s cryptocurrency. The telecom giant is yet to defend in court over another similar lawsuit going back to 2018.

According to the complaint filed by a California-based business and technology advisor Seth Shapiro, at least $1.8 million worth of crypto stored in his wallet was stolen in an attack that involved active help from AT&T employees.

What Happened

“On at least four occasions between May 16, 2018, and May 18, 2019, AT&T employees obtained unauthorized access to Mr. Shapiro’s AT&T wireless account, viewed his confidential and proprietary personal information, and transferred control over Mr. Shapiro’s AT&T wireless number from Mr. Shapiro’s phone to a phone controlled by third-party hackers in exchange for money,” the complaint claims. “The hackers then utilized their control over Mr. Shapiro’s AT&T wireless number—including control secured through cooperation with AT&T employees—to access his personal and digital finance accounts and steal more than $1.8 million from Mr. Shapiro.” 

On May 16, 2018, Seth Shapiro was at the conference in New York. He noticed that his phone had no connection to the AT&T network. Suspecting a security breach, Shapiro contacted the company to address the problem and told the customer service agent that he holds “large amounts of digital currency” that may be at risk. After waiting on hold, Mr. Shapiro was told to turn off his phone and visit an AT&T shop to get help. At the shop, he was advised to get a new phone with a new SIM, which he immediately did. The service has been restored and AT&T reportedly told Shapiro that they have noted malicious activity and assured that such a thing won’t happen again.

Yet, it happened again before Seth Shapiro had left the AT&T shop. This time, he had to wait for about 45 minutes to get help as the employees were busy with other clients.

“In that time, third-party individuals were able to use their control over Mr. Shapiro’s AT&T cell phone number to access Mr. Shapiro’s personal and financial accounts and rob him of approximately $1.8 million, all while Mr. Shapiro stood helplessly in the AT&T store asking for the company’s help,” the complaint reads.

Aside from the stolen coins, hackers gained access to Shapiro’s accounts on crypto-exchanges

“By utilizing their control over Mr. Shapiro’s AT&T cell phone number—and the control of additional accounts (such as his email) secured through that number by utilizing two-factor authentication—these third-party hackers were able to access Mr. Shapiro’s accounts on various cryptocurrency exchange platforms, including the accounts he controlled on behalf of his business venture. The hackers then transferred Mr. Shapiro’s currency from Mr. Shapiro’s accounts into accounts that they controlled. In all, they stole more than $1.8 million from Mr. Shapiro in the two consecutive SIM swap attacks on May 16, 2018.”

SIM Swap Attack

The attack in question is referred to as a SIM swap. Normally, cellphone companies can reassign a client’s phone number and whatever comes with it to a different SIM card, which is useful if a person lost their phone and needs to restore their number with a new device and SIM.

An attacker who has some personal information about a victim may be able to trick the company into cutting the actual SIM card off the network and connecting the attacker’s phone instead. By doing so, they hijack all communications for this particular number, including text messages received as part of a two-factor authentication procedure.

To pull off a SIM swap attack, a bad actor would need to either collect sufficient personal data of the victim to effectively mimic them when contacting the mobile carrier’s support. Another way is to have associates within the company who would agree to make the illegitimate swap. The complaint claims that AT&T employees have been involved:

“Criminal investigations into the May 2018 breaches to Mr. Shapiro’s AT&T account and the resulting theft revealed that at least two AT&T employees, acting in the scope of their employment, accessed and permitted others to access Mr. Shapiro’s AT&T account and the confidential information contained therein.”

AT&T confirmed the involvement of its employees in two SIM swaps in Shapiro’s case. Yet, the complaint further alleges that the two employees have facilitated 41 unauthorized swaps in total just in May 2018.

Aftermath

On November 1, 2018, Seth Shapiro’s AT&T SIM has been swapped again and his Google accounts with sensitive information compromised. Several more SIM swap attacks followed through 2018 and 2019, reportedly causing substantial financial and psychological harm to the Shapiro family.

On February 10, 2019, Mr. Shapiro received an anonymous threat text via the same AT&T wireless account. The sender demanded $800 in exchange for non-disclosure of Shapiro’s personal information and noted that they still have an AT&T representative “ready to hand over” the account.

As a result of this series of attacks, apart from “life savings” of $1.8 million in cryptocurrency, Shapiro lost access to a number of his accounts with crypto-exchanges and services like PayPal and Google. The complaint also notes that he had to end his venture and lay off his employees because some of the stolen funds were raised for the business.

Notably, AT&T faced a similar SIM swap lawsuit regarding the attacks on a Bitcoin investor Michael Terpin. The investor sued the company for $240 million over the $24 he allegedly lost because of AT&T’s failure to follow “its own agreed security protocol.” The company denied all allegations and tried to dismiss the case, albeit unsuccessfully.

Follow us on Twitter and Facebook and join our Telegram channel to know what’s up with crypto and why it’s important.

Found a typo? Highlight text and press CTRL+ENTER

Subscribe to our Newsletter

<

Related posts

Tags: , ,