21-Year-Old Jailed For 10 Years After Stealing $7.5M In Crypto By Hacking Cell Phones (#GotBitcoin?)
A 21-year-old man has been sentenced to 10 years in prison after becoming one of the first people in the United States to be convicted of stealing cryptocurrency by hacking into cell phones. Prosecutors in Santa Clara announced the jail sentence on April 22.
In February, Joel Ortiz had pleaded guilty to theft and accepted the 10-year plea deal.
Ortiz stole more than $7.5 million from at least 40 victims: the press release notes that he then spent $10,000 a time at Los Angeles nightclubs, hired a helicopter to fly him and his friends to a music festival, and bought top-end Gucci clothes and luggage.
In May 2018, one cryptocurrency entrepreneur in Cupertino lost $5.2 million in a matter of minutes, prosecutors note.
Prosecutors described the one-time high school valedictorian as a “prolific SIM swapper who targeted victims to steal cryptocurrency and to take over social media accounts with the goal of selling them for bitcoin (BTC).”
Illegal SIM swaps often involve duping phone companies into switching cell phone numbers to a new SIM card by providing stolen addresses and social security numbers. From here, hackers can circumvent two-step authentication measures that are designed to keep crypto safe.
Ortiz was detained at the Los Angeles International Airport last year, and investigators say they have only been able to recover $400,000 of the stolen funds. They believe the rest has either been hidden or spent. Prosecutor Erin West said:
“These are not Robin Hoods. These are crooks who use a computer instead of a gun. They are not just stealing some ethereal, experimental currency. They are stealing college funds, home mortgages, people’s financial lives.”
Ortiz had been sentenced on April 19 by a judge after two hearings where victims described the financial devastation caused by his crimes.
In February in a separate case, an individual was indicted in New York for stealing identities and funds, including crypto, in the state’s first SIM swapping prosecution.
He Thought His Phone Was Secure; Then He Lost $24 Million To Hackers
Security researchers agree that for most people, adding text-message authentication is a big step up from only using a password, but that can leave you open to a relatively new attack called SIM swapping.
The first hint that Michael Terpin was about to have his digital life turned upside down—and lose a cryptocurrency windfall potentially valued at $24 million—seemed like an unremarkable annoyance. His mobile phone lost its signal.
But Mr. Terpin wasn’t driving between cell towers. He was working at a desk in his Las Vegas home. Way off in Norwich, Conn., someone had just taken over his phone number.
Within minutes, the hackers began trying to take over his Gmail accounts, using Google’s “Forgot password?” account reset feature. With access to his phone number and email, they were quickly able to steal millions in cryptocurrency from digital wallets Mr. Terpin believed to be secure.
Online, phone numbers have been slowly taking over passwords as our last line of defense against digital intrusions. As it has become clear that passwords alone don’t do enough to keep users secure, technology companies have been pushing an alternative—what they call a second factor of authentication. Most of the time, this second factor is a text message to a user’s mobile phone.
This past May, Google released research showing that by adding a phone number, users could block most types of attacks on their accounts.
Security researchers agree that for most people, adding text-message authentication is a big step up from only using a password. But Google also said that while using a phone number as a security layer stopped most targeted attacks, about a third of them still worked on Google users.
That is partly because of SIM swapping, a relatively new attack where criminals steal a victim’s phone number. It is what undid Mr. Terpin; and it is how hackers were able to post racist and anti-Semitic tweets to the feed of Twitter Chief Executive Jack Dorsey in August.
The odds of someone being hit with a SIM-swapping attack are infinitesimal, but the people who investigate these attacks consider them some of the most harmful they have ever seen. In its rush to jury-rig the mobile phone to fix the glaring problems with password security, the tech industry might have created another long-term risk.
Even before Mr. Dorsey’s incident, law-enforcement agencies across the country have been seeing a rise in SIM-swapping complaints, and the attackers are getting better organized and more adept at covering their tracks, said Nick Selby, director of cyber intelligence at the New York City Police Department.
SIM swappers can operate with surgical precision. Within minutes of breaking into a victim’s Gmail account, they will scour through old email messages looking for any evidence of financial accounts—cryptocurrency accounts for sure, but also social media, bank accounts and even IRAs, Mr. Selby said. In New York, the NYPD is now seeing victims whose online bank accounts were compromised.
“The speed in which this can happen is astounding,” he said.
To get your number, criminals pretend to be you. They might bribe employees, or walk into retail outlets with a fake identity card or enough stolen data to trick the carrier into putting your number on a new phone. (The term “SIM swap” refers to those little “subscriber identity module” chips that your phone uses to store your number.)
In May, federal authorities charged two former AT&T contract employees, saying criminals paid them between $50 and $150 per SIM swap. Authorities say they performed 41 SIM swaps for a group of identity thieves that called themselves “the Community.” A third man, who worked at Verizon, allegedly received $3,500 to provide SIM swappers with the inside information needed to answer security questions designed to protect user accounts, prosecutors said. Verizon said it had fired the former employee and is working with law enforcement on the investigation.
With your phone number under their control, the SIM swappers use the “Forgot my password” tool in various popular online services to take over online accounts. Gmail is usually first, because Google will typically let you reset a password if you control the associated phone number.
Once inside a Gmail account, the criminals lock you out. That means switching Google security settings so that the account can’t be reset via text message when you finally do recover your number. (Carriers can often restore your service in as little as an hour.) Instead, the crooks use Authenticator, a slick mobile app built by Google itself. With the app, even if you recover your phone number, you can still be locked out of your Gmail.
The attack is “super dead simple,” said Allison Nixon, a researcher with the cybersecurity firm Flashpoint.
Back in 2013, online gamers pioneered SIM swapping as a way of stealing prestigious Twitter and Instagram accounts. Sometimes they would do this for laughs, sometimes for money, Ms. Nixon said. By 2016, some realized that they could make big money by targeting cryptocurrency enthusiasts, who were often big holders of digital cash.
Mr. Terpin, a cryptocurrency investor and marketer, was hit on Jan. 7, 2018, at the height of bitcoin mania. The thieves stole some lesser-known cryptocurrencies from him, which they quickly traded for about 1,500 bitcoins. At the time, the booty was ostensibly valued at $24 million.
Here is the really scary part: Mr. Terpin had been SIM-swapped seven months earlier. He got lucky and didn’t lose any money that time, but had taken serious steps to prevent it from happening again. He had consulted with security professionals. He had gone to an AT&T store and added a security feature to his account that required a secret six-digit PIN to make any changes. He removed text-message authentication where he could, replacing it with Google Authenticator.
Mr. Terpin believes employees at an AT&T authorized dealer handed hackers control of his phone number, and those hackers found a way into his digital wallets by breaking into accounts of his that couldn’t be protected by Authenticator.
“On a scale of 1 to 10, I’d say my security protections were a 9.8 or higher,” he said. “But these hackers, all they do is they sit around in a basement and figure out ways of hacking people.”
“It is unfortunate that Mr. Terpin experienced this, but we dispute his allegations,” an AT&T spokesman said in an email message. (The company didn’t say which specific allegations it disputed.) The company is working with law enforcement, industry partners and consumers to combat SIM swapping, he said.
SIM swapping can cost millions, but it is also a deeply personal attack. Investigators with the Regional Enforcement Allied Computer Team, a law-enforcement task force in Santa Clara County, said they know of more than 3,000 victims, accounting for $70 million in losses nationwide. Most of those victims were holding cryptocurrency, said Erin West, a deputy district attorney with the county, but these investigators have also seen SIM swapping used to gather compromising photos for extortion and blackmail, she said.
Victims are often too embarrassed to pursue charges, Ms. West said. “You’re accessing everything about them. You’re accessing their emails of their kids’ soccer games, but also the dispute they had with their sister about their mom’s inheritance,” she said. “It’s a hideous violation of privacy.”
Meanwhile, phone carriers are getting better at flagging warning signs and putting holds on accounts that might be at risk, the NYPD’s Mr. Selby said. But some carriers are better at this than others, he said, and he doesn’t think they can stop it outright.
“What is easier to do is to protect the accounts that are the ultimate target,” he said. “You want to protect your accounts from being able to be reset simply because somebody has your phone number.”
Here’s How To Protect Yourself
Getting to the heart of SIM swapping means understanding the different ways your account can be recovered when you forget your password. The harder you make things for the SIM swappers, the harder it is going to be for you when you lose your phone or forget your password. These steps will take you closer to a state of super-security.
• Call your carrier and add a passcode on your mobile-phone account, and save that passcode in a place where you won’t lose it. (If you are paranoid, call your carrier to see if you can get into your account without it.) AT&T offers an “extra security” option here.
• Get a password manager like Dashlane and make sure you are using different passwords for your different accounts.
• Try out the “Forgot my password” option on your important accounts and see how they work. You are likely to find that many important accounts—bank accounts for example—can be reset with little more than access to your email, so lock that down first.
• If you want to add an additional factor, try adding a security key such as Yubikey or Google’s Titan. Many companies that offer online services—from Facebook and Dropbox to Microsoft and SquareSpace—have added support for them, which you can generally find in the security settings.
• Once you have a good second factor in place (such as Google’s Authenticator app or a security key), turn off SMS authentication wherever possible. This is a tricky step, since it is hard to recover if you lose your phone or security key, and not all online services will let you. But if they do, it will be in your account’s security settings.
• If you are a high-net-worth individual and want to really lock down your account, you can enroll in Google’s free Advanced Protection program. Just make sure that you have several security keys so you don’t get locked out permanently.
Developer Flags Big-Money Loophole For Stealing All The ETH In MakerDAO
What if there were a way to empty all the ETH held by the Maker protocol?
That’s $300 million worth of crypto right now. That’s a lot of money. Even if doing it caused the price to drop in half or even by two-thirds, it could still be well worth the attempt.
Micah Zoltu, an independent software developer who is also one of the co-authors of the original white paper for the decentralized prediction market Augur, published a blog post on Monday describing an attack on MakerDAO that, he argued, could empty all the ETH from the system.
(Users lock ETH into the Maker protocol to generate loans of the dollar-pegged DAI stablecoin.)
The problem, Zoltu writes, is in how Maker is governed: “Some group of plutocrats can control how the system behaves.”
The attack would only be feasible for a few MKR whales if they wanted to act quickly. Zoltu said that 40,000 MKR would be enough if the attack had some sophistication. As of this writing, 48,400 MKR, based on the staking approach of the Maker voting system, could do it right away.
So somewhere between $20 million and $25 million in crypto would need to be deployed to do it. That’s assuming a person could accumulate MKR in a way that didn’t drive up the price, which is unlikely.
“It is worth noting that Maker Foundation could attack the system in this way right now if they wanted,” Zoltu writes. “What is worse, [venture capital firm] a16z has enough MKR on hand right now to execute the attack the patient way!”
Aside from an inside job by the parties most invested in seeing ethereum’s flagship decentralized finance (DeFi) application survive, accumulating enough MKR to carry out the attack may be a significant hurdle.
“I feel like it’d at least double the price,” Joey Krug, a partner at Pantera Capital who has been briefed on the vulnerability, said. “You could probably get a lot of whales to sell to you OTC [over-the-counter] if you were paying double market.”
On the open market, the price would “go bonkers, multiples of what it is now,” Krug said.
That’s only if the attacker had to start from zero MKR, though. So first let’s get into the attack that Zoltu describes and then circle back to the Foundation’s objections.
How It Works
The Maker protocol is governed by the MKR token.
One million MKR has been minted; a sliver of that has been burned. The Maker Foundation still controls several hundred thousand, both in its treasury and in smart contracts that hold them in escrow.
One MKR sells for about $510 as of this writing. Daily turnover is quite variable but lately, there’s been about $4 million to $10 million in MKR turning over daily.
Anyone who holds MKR can put up a proposal as a smart contract on the protocol, one that can change any number of parameters. Maker uses continuous governance so that provisions can be voted to change at any time.
This is especially important right now because the system just made a major upgrade, implementing multi-collateral DAI and the DAI savings rate. This new upgrade is a whole new version of the protocol, such that there are really two kinds of DAI now and users are being asked to convert their old DAI (now called SAI) to the new.
The new system institutes some important security changes, such as a delay on how long it takes for changes voted through to go into effect and an emergency shutdown provision.
The biggest weakness allowing Zoltu’s attack is the fact that the current parameter for governance delay is zero seconds. That is, any governance provision that gets voted through goes into effect immediately.
This is something Wouter Kampmann, head of engineering at the Maker Foundation, said has been discussed in detail by the MakerDAO community, which has decided it is better to have zero delay for now while it determines which kinds of changes should be able to bypass the delay and which ones should still have a delay.
“It’s really a matter of finding that sweet spot there,” Kampmann said.
As long as it’s in place, though, Zoltu argues, the funds locked in MakerDAO are “not safu.”
In a call with CoinDesk, Kampmann said it would not be as simple as saying that all the ETH currently held as collateral by MakerDAO could just be directly moved to a wallet controlled by the attacker.
“The way permissionless, unstoppable code works is that there is certain business logic that determines the rules of how to interact with the contract – and these rules are unchangeable,” Kampmann said.
Zoltu admits it would take cleverness and planning, but at this point, readers who remember the DAO hack may be experiencing familiar chills. Your threat tolerance may vary.
The attack described by Zoltu would also need to be fairly fast. Kampmann expects that the governance delay may well be increased sometime in the first quarter, possibly in January.
It’s important to note, though, that this decision is not up to him or foundation staff.
On The Other Hand
“You cannot just ignore the economics of it,” Kampmann said. “The problem with the model that’s set forth is really in the incentive model.”
There are a small number of whales that have enough MKR to execute this attack now, but they are extremely unlikely to do so. It would send shockwaves across ethereum, and if they hold that much MKR, they would likely lose more in other assets than they would gain by stealing the ETH (which would likely drop in value too).
The best thing MKR holders who care about securing the protocol can do, according to Kampmann, is stake their MKR on votes. The more that’s staked, the more expensive this attack will be, and there is a lot of MKR on the sidelines right now.
Krug, who is well acquainted with the crypto investor class, acknowledged that MKR whales are probably well-intentioned, but he also said, “We can’t assume it for sure.”
There are over 16,000 ETH addresses with some MKR, however. If a bunch of minor whales were able to collude without warning the MakerDAO community, they might be able to assemble enough tokens without causing price movements.
The Maker Foundation said this would be very unlikely based on what’s known about MKR liquidity. That is, MKR just doesn’t move around that much.
But Zoltu insists this is not safe enough. He said, “They [the Maker Foundation] are operating under the assumption that there are no dark pools of liquidity available to attackers. This is, kind of by definition, something one cannot know.”
Cryptojacking Malware Devs Sentenced To 20 Years In Prison
Two members of the prolific Romanian hacker gang Bayrob Group were sentenced to two decades in U.S. prison apiece after their malware mined crypto on 400,000 infected computers.
Group leader Bogdan Nicolescu and co-conspirator Radu Miclaus were sentenced to 20 and 18 years respectively after being found guilty on 21 different counts of wire fraud, money laundering, aggravated identity theft and other crimes, a press release announced Friday. The gang was also accused of developing malware which mined bitcoin and monero using their host computers’ processing power.
Tiberiu Danet, a third Bayrob Group member, pleaded guilty in Nov. 2018 to eight charges. His sentencing is scheduled for Jan. 8.
From its founding in 2007 to its members’ apprehension and eventual extradition in late 2016, the Bayrob Group, which operated out of Bucharest, Romania, ran a sprawling hacking and malware operation. They deployed trojan malware in seemingly mundane emails from well-known companies and groups, but when victims attempted to download attachments apparently from Norton, the IRS and Western Union, their computers instead became infected with the Bayrob botnet, according to an indictment.
The botnet allowed its Romanian handlers to steal $4 million total, prosecutors claimed.
The botnet also installed crypto mining software, according to the July 2016 indictment. And it was not discreet; the Bitcoin and Monero mining operation hogged hosts’ processing power.
“Once a bot was instructed to mine for cryptocurrency, much of its processing speed and power would be unavailable to its legitimate owner.”
Bayrob also scanned for and transferred ownership of victims’ crypto wallets, if they had one.
Brazilian Police Bust Alleged Crypto Fraud That Cost Investors $360M
Brazilian police have shut down a purported bitcoin investment scheme they allege stole 1.5 billion Brazilian reals ($359 million).
According to the Paraná state government, civil police in the state raided an unnamed organization in Sao Paulo, Curitiba and other regional cities last Thursday, claiming the group promised as many as 5,000 victims that they could produce sky-high returns on bitcoin investments.
Scammers targeted their network of victims through social media. After the victims sent funds, the suspects told them to wait as their investments grew three to four percent daily. But victims were not allowed to withdraw, the police alleged, and their money disappeared.
The four-month investigation culminated Thursday when police filed charges of fraud, money laundering, criminal association and forgery against the group. They arrested nine individuals in a SWAT operation that involved 50 officers, 20 vehicles and a helicopter.
Previously, Brazilian government officials have used bitcoin for illicit purposes too. In 2018, police busted a $22 million operation that siphoned funds from a prison budget and laundered them through the cryptocurrency.
The country’s government is no fan of bitcoin – whether used criminally or not. President Jair Bolsonaro bad-mouthed bitcoin on national TV in June while simultaneously stating he “doesn’t know” what it is, and former chief central banker Ilan Goldfajn compared it to a “pyramid scheme” during his tenure.
Pennsylvania Man Charged With SIM Swap Conspiracy To Steal Crypto
United States authorities have charged a Pennsylvania man with conspiracy to commit wire fraud and extortion via a series of SIM swaps targeting cryptocurrency execs and investors.
SIM-swapping — alternatively known as a port-out scam — involves the theft of a cell phone number in order to hijack online financial and social media accounts, enabled by the fact that many firms use automated messages or phone calls to handle customer authentication.
As per a Dec. 11 news release from the U.S. Department of Justice, Anthony Francis Faulk, 23, allegedly used “fraud, deception, and social engineering techniques” to persuade telecoms employees to transfer numbers from SIM cards belonging to his targets.
The charges were filed by U.S. Attorney David L. Anderson and FBI Special Agent in Charge John Bennett and were submitted to the U.S. District Court in Northern California.
Charges Carry A Maximum Sentence Of 20 Years
Faulk and his co-conspirators, none of whom are identified, are alleged to have perpetrated their scheme between Oct. 2016 and May 2018.
While the court documents do not disclose the amount of allegedly stolen cryptocurrency, the indictment claims that Faulk used the proceeds to purchase a house, a Ferrari and three other cars, jewelry, a Rolex watch, and royalty rights to twenty songs.
The ill-gotten property will be subject to criminal forfeiture if Faulk is convicted. Following his arrest, Faulk appeared before a court in the Western District of Pennsylvania on Dec. 11.
He has been charged with one count of conspiracy to commit wire fraud and one count of interstate communications with intent to extort.
The former charge carries a maximum statutory sentence of 20 years in prison and a $250,000 fine, the latter a maximum statutory sentence of 2 years and likewise, a $250,000 fine.
Faulk has temporarily been released on a $250,000 bond and is due to appear in court on Jan. 9, 2020.
A Persistent Threat
SIM-swapping has become an increasing concern for law enforcement and has accordingly brought telecoms firms — gatekeepers of user identity data — under the spotlight for their alleged complicity in the crime.
Michael Terpin — a blockchain and crypto investor who filed a SIM-swapping-related lawsuit against telecoms provider AT&T — told Cointelegraph that the biggest risk to crypto investors “is that major phone companies promise you security and don’t deliver it.”
US Lawmakers Urge FCC to Step Up Its Action Against SIM Swaps
United States lawmakers have appealed to the Federal Communications Commission (FCC) to hold telecoms providers to account for failing to protect consumers against SIM swap attacks.
SIM-swapping — alternatively known as a port-out scam — involves the theft of a cell phone number in order to hijack online financial and social media accounts, enabled by the fact that many firms use automated messages or phone calls to handle customer authentication.
On Jan. 9, six Democrats from the U.S. House of Representatives and Senate sent a letter to FCC Chairman Ajit Pai, requesting that the agency impose more robust requirements on mobile carriers to mitigate the risks of such attacks.
“Consumers have no choice but to rely on phone companies to protect them”
The lawmakers’ letter reveals that the number of complaints pertaining to SIM swaps has increased from 215 in 2016 to 728 through November 2019, according to the Federal Trade Commission. They note that consumer complaints usually reflect just a small fraction of the actual number of total incidents.
They further point to a November 2019 Wall Street Journal report claiming that a law-enforcement task force in Santa Clara County had revealed it was aware of over 3,000 SIM swap victims, accounting for $70 million in losses nationwide.
In some cases, as the lawmakers underscore, SIM swaps are successful thanks to corrupt telecoms firm employees. While additional security measures — i.e. requiring customers to show IDs in-store to conduct SIM swaps — have been adopted by some carriers in the U.S. and abroad, their implementation in the states allegedly remains “spotty and consumers are unlikely to find out about the availability of these optional security features until it is too late.”
Aside from risks to consumers, the letter argues that such attacks may endanger national security, noting that “countless […] U.S. government websites used by millions of Americans either allow password resets via email or support two-factor authentication via SMS, which can both be exploited by hackers using SIM swaps.”
The lawmakers posed eight questions to the FCC, among them how many SIM swap incidents it had received, if indeed it had tracked them, as well as inquiries into its coordination with third parties such as banks and its regulations over mobile carriers’ reporting to law enforcement.
The prevalence of SIM-swapping has brought telecoms firms — gatekeepers of user identity data — under increasing pressure for their alleged complicity in the crime.
AT&T, for example, has faced more than one lawsuit accusing it of repeatedly failing to protect user accounts in violation of the Federal Communications Act.
One plaintiff, tech advisor Seth Shapiro, today accused AT&T of marshaling a “host of red herring whataboutism inquiries” in its December motion to dismiss a lawsuit over its role in indirectly facilitating the theft of over $1.8 million in cryptocurrency from Shapiro’s accounts.
Michael Terpin — another blockchain and crypto investor who filed a SIM-swapping-related lawsuit against AT&T — told Cointelegraph that the biggest risk to crypto investors “is that major phone companies promise you security and don’t deliver it.”
Canadian Teen Charged For $50 Million Cryptocurrency Theft
An eighteen-year-old from Montreal is facing four criminal charges connected to a $50 million SIM-swapping scam targeting cryptocurrency holders, Infosecurity Magazine reported on Jan. 17.
The hacker, Samy Bensaci, is accused by Canadian authorities of being part of a ring that stole millions of dollars in cryptocurrency from American and Canadian holders. The theft is said to have occurred in spring of 2018, with Québec police representative Hugo Fournier saying that the hackers were responsible for the theft of “$50 million from our neighbors to the south and $300,000 in Canada.”
Among the purported victims were Don and Alex Tapscott, renowned Canadian crypto entrepreneurs and co-authors of the book “Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World.”
Don Tapscott confirmed to The Star that he had been targeted by the scheme, while denying that the hackers succeeded in stealing his funds:
“We can confirm that last year a hacker attempted to steal crypto assets from our company and its employees. That attempt was unsuccessful. We cooperated with the police [and] have been impressed with their determination to bring those responsible to justice.”
Bensaci was arrested in Victoria, British Columbia in November 2019. The following month, he was released on a 200,000 Canadian dollar bail ($153,000) and prohibited from accessing any online-capable device, including gaming consoles, as well as owning or exchanging any form of cryptocurrency.
Infosecurity Magazine reports that many of the individuals supposedly targeted by the hackers had attended the Consensus conference in New York. Rob Ross, SIM-swapping victim and manager of StopSIMCrime.org, told Infosecurity Magazine that hackers spot targets during these events.
What Is SIM-Swapping?
A SIM-swapping attack occurs when hackers are able to trick the telecom company into transferring the victim’s phone number to the attacker’s SIM card. Though it is possible to do this by impersonating the victim with the telecom’s customer service, the companies are plagued by insiders that use their access to facilitate this type of crime. With a SIM swap, attackers can bypass most authentication and password recovery mechanisms that rely on phone numbers.
Cointelegraph previously reported many such cases, including an August 2018 victim who sued AT&T for its alleged negligence in preventing the thefts.
Judge Says Plaintiff Can Proceed Against AT&T In $24M Hack Case
On Feb. 24, a California federal judge ruled that cryptocurrency investor Michael Terpin can proceed with his lawsuit against telecom corporation AT&T over a $24 million SIM hacking incident.
Terpin is arguing that an AT&T agent who was bribed by a criminal gang supplied data that allowed the hackers to steal $24 million worth of cryptocurrency in January 2018. Terpin is a prominent cryptocurrency investor who founded BitAngels in 2013.
On June 11, 2017, hackers were purportedly able to gain control of the investor’s phone number through a SIM swapping attack — allowing them to impersonate Terpin and convince one of his clients to send them cryptocurrency.
After meeting with AT&T representatives during June 2017 to discuss the hack, Terpin’s account was placed on a “higher security level with special protection.”
On Jan. 7, 2018, Terpin’s phone was hacked for a second time, with the investor alleging that an AT&T employee facilitated the SIM swap. Terpin attempted to contact AT&T to cancel his telephone number; however, “AT&T failed to promptly cancel his account.”
This resulted in the hackers using 2-Factor Authentication to reset the passwords for Terpin’s cryptocurrency wallets and steal $24 million in digital assets.
Three Claims Against AT&T Upheld
Judge Otis Wright II dismissed 13 of the 16 claims brought against AT&T; however, he ruled that the telecoms giant must face statutory, contract, and tort damages claims. The court will also allow Terpin the opportunity to amend the rejected claims — except for a previously dismissed breach of implied contract claim.
Terpin intends to file a second amended complaint within three weeks to supplement his request for damages. The complaint will seek to demonstrate that AT&T was both aware of, and responsible for, “an ongoing sequence of cryptocurrency thefts due to SIM swaps dating back to well before Terpin’s hack.” Terpin stated:
“We look forward to demonstrating with compelling evidence the ‘advance knowledge and conscious disregard’ threshold by AT&T in its prior knowledge and ratification of ongoing SIM swaps causing economic loss.”
AT&T Was Aware Of Clients’ Vulnerability To SIM Hacking
The judge attributed the hack to AT&T providing “inadequate security measures to protect his SIM card.” Wright added that the telecom company is “morally culpable” through failing to prevent SIM swapping despite being “aware of the vulnerability of its customers” to the practice.
The court rejected AT&T’s motion to dismiss the claims, with the telecoms company claiming that Terpin had been unable to prove that he owned cryptocurrency or the precise method through which his crypto was stolen. Judge Wright concluded:
“The court finds this allegation adequate because Mr. Terpin alleges sufficient facts for the court to reasonably infer the hackers may have used [2-Factor Authentication] methods to glean Mr. Terpin’s personal information from various accounts, such as email or cloud storage.”
An AT&T representative stated that the company disputes the allegations and will continue to fight them in court.
NEM Partners With Israeli-Lithuanian Telecom Startup On Cell Phone Security
NEM, one of the oldest peer-to-peer blockchain networks, has partnered with Israeli-Lithuanian telecom startup FIX Network to increase security and data protection for cell phone users and to solve the issue of SIM swapping.
FIX Network will implement SYMBOL from NEM’s enterprise-grade blockchain into its existing cellular infrastructure. The goal is to secure the world’s eight billion SIM cards from cybercriminals with new privacy, security, management and safety solutions.
Phone Numbers May End Up More Important Than Social Security Numbers
FIX Network’s architecture is designed to allow mobile operators to deliver services such as digital identity management, cryptocurrency wallets, and personal data firewalls to mobile subscribers, enabled by the safekeeping of private keys on the subscribers’ SIM cards.
The first product will be the FIX ID app, which securely identifies participants through subscriber-owned global phone numbers that serve as unique digital identities. The initial consignment of 10,000 FIX Secure ID SIMs, pre-ordered in June 2019, is expected to ship by the end of April this year.
FIX Network has launched its own global mobile service that provides roaming agreements in 186 countries.
Nate D’Amico, CTO of NEM Foundation, said that “FIX Network takes established infrastructure — the worldwide cellular network — and uses it to create a better, fairer, and safer way to transact.”
Itamar Kunik, the CEO of FIX Network, added:
“The enterprise nature of Symbol and the native features inherent in its platform are fundamental to the steady adoption and implementation of the FIX Network solution by the telecommunications industry.”
AT&T Seeks Dismissal Of $200M In Damages For 2018 SIM-Swap Attack
AT&T is again seeking to have punitive damages claims of $200 million dismissed in an ongoing court case between the telecoms giant and crypto investor Michael Terpin — who asserts he lost $24 million in crypto as a result of AT&T’s negligence in 2018.
In response to Terpin’s second amended complaint — filed with the court on March 16 — AT&T is seeking to have two of his eight claims dismissed, alongside $200 million in punitive damage claims.
Speaking to Cointelegraph, AT&T’s Jim Kimberley stated: “Fraudulent SIM swaps are a form of theft committed by sophisticated criminals. It is unfortunate that these criminals targeted Mr. Terpin, but we dispute his allegations and will continue to fight them in court.”
AT&T Pushes Back Against Two Of Eight Claims
During a March 30 hearing, AT&T’s representation asserted that the amended complaint fails to address the flaws with Terpin’s previous complaint, arguing that Terpin does not adequately demonstrate that the telecoms firm is guilty of deceit by concealment or deceit by misrepresentation.
“Mr. Terpin ignores the undisputed fact […] that AT&T disclosed to him that it could not guarantee that third parties would not take unauthorized actions that would disclose his personal information,” AT&T argued, adding:
“Mr. Terpin’s deceit and misrepresentation claims seek to punish AT&T not for concealing or misrepresenting material facts, but simply for failing to provide further specifics on how Mr. Terpin’s information could be stolen.”
AT&T’s Lawyers Are Also Seeking The Dismissal Of $200 Million In Damages
Terpin Submits Second Amended Complaint
Terpin, a prominent crypto investor who founded BitAngels in 2013, first filed his complaint against AT&T in August 2018 — presenting 16 claims against the company.
Judge Wright dismissed 13 of the 16 claims in July 2019, before Terpin filed an amended complaint the following month bringing nine claims.
Terpin’s second amended complaint seeks to demonstrate that the company was aware of and disregarded the prevalence of SIM-swap attacks resulting from its employees’ actions.
During June 2017, hackers were able to gain control of the investor’s phone number through a SIM-swapping attack.
By impersonating Terpin using the compromised device, the hackers were able to convince one of the investor’s clients to send them cryptocurrency. Terpin’s account was then placed on a “higher security level with special protection” after he met with AT&T representatives concerning the attack.
On Jan. 7, 2018, Terpin’s phone was hacked for a second time — which the investor alleges was facilitated by an employee of AT&T — resulting in the loss of nearly $24 million in digital assets after Terpin’s 2-Factor Authentication passwords were reset by the hackers.
Huobi Wallet And Crypto Lender Cred Now Enable Users to Earn Interest
Major cryptocurrency exchange and wallet provider Huobi has partnered with decentralized crypto lending platform Cred to enable users to earn interest on their holdings.
An announcement on April 1 revealed that Cred’s lending and borrowing services will be fully integrated into the Huobi Wallet, which supports over 1,000 crypto assets, including 8 stablecoins, for users across 200 countries and regions.
The two firms did not provide a comprehensive list of supported crypto assets, but noted that Bitcoin (BTC), Ether (ETH) and stablecoins such as Universal Dollar (UPUSD) would be part of the new offering.
Monthly Interest On Pledged Assets
As previously reported, California-based Cred is a licensed lender and a founding member of the Universal Protocol Alliance, a coalition of cryptocurrency and blockchain firms. The firm is backed by established industry names such as Binance Labs, Arrington XRP Capital, Blocktower and FBG Capital.
Commenting on the new partnership, Cred CEO Dan Schatt said that the firm was keen to offer its decentralized financial services to customers in these “times of financial instability.”
With the integration of Cred’s services, Huobi users will be able to lend their crypto holdings to receive monthly interest payments, with the possibility of rolling over their pledged assets for additional periods of time. There is no minimum requirement to participate in the program, and interest is payable in stablecoins or other crypto assets.
Holders with $150,000 in their wallets can also develop a custom program by consulting with Cred’s Private Client Associates.
An Emerging Sector
Huobi and Cred’s partnership has been cemented at a time when cryptocurrency lending and borrowing services are gaining increasing traction across the industry.
In January, Celsius Network — the fastest-growing crypto-lender with $4.25 billion in coin loan origination — announced that it would be implementing compounding interest on all cryptocurrencies deposited in its wallet — a feature that had been requested by the Celsius community.
Other major players in the crypto lending space include BlockFi, Nexo, YouHodler and SALT Lending.
Crypto Investor Sues New York Teen For $71.4 million In SIM-Swap Saga
A crypto investor is suing a New York teenager for $71.4 million in damages for allegedly snatching cryptocurrency from his phone.
Investor Michael Terpin is suing a New York teenager for $71.4 million in damages for allegedly stealing $23.8 million in cryptocurrency from him in 2018.
It’s the latest legal action in a long running saga. Ellis Pinsky of Irvington, New York, along with his co-conspirators reportedly managed to snatch $23.8 million worth of cryptocurrency in a SIM swap from the plaintiff.
At the time of the alleged crime, Pinsky was just 15, and a representative for Terpin said he had returned $2 million of the funds. Now that he is 18, Terpin is suing for the remaining millions plus three times the damages under RICO, for a grand total of $71.4 million.
In May 2019, Terpin won a $75 million civil case against Nicholas Truglia, an alleged co-conspirator of Pinsky’s. Reuters quoted Terpin in the court documents as saying:
“On the surface, Pinsky is an ‘All American Boy’. The tables are now turned.”
It’s not clear whether Pinsky has the money to compensate Terpin if the court decides in the plaintiff’s favor.
Terpin’s legal battles
Terpin is also involved in a legal quagmire with AT&T. He has accused company officers of instituting inadequate security measures and is suing the company for $240 million. In a court filing, his lawyers stated:
“Mr. Terpin’s primary argument is that AT&T through its corporate officers and managing directors created an inadequate ‘security’ system that allowed its employees and contractors to bypass controls to implement SIM swaps.”
AT&T Loses Bid To Dismiss $1.8M Crypto Theft Lawsuit
AT&T’s bid to dismiss a lawsuit alleging it was negligent for failing to prevent the theft of $1.8 million worth of crypto has been rejected.
U.S. District Judge Consuelo Marshall has rejected AT&T’s bid to dismiss a lawsuit that alleges the company was negligent for failing to prevent the theft of $1.8 million in crypto from investor Seth Shapiro.
In the judge’s order allowing the suit to continue, Shapiro’s claims of negligence, negligent supervision, claims brought under the Computer Fraud and Abuse Act, and request for punitive damages, were left intact.
Shapiro, an Emmy Award-winning media tech consultant who has previously worked for the likes of Disney and Showtime, filed the suit against AT&T in December 2019, alleging that the firm’s security failures resulted in thefts across multiple attacks.
SIM-swap attacks require the participation of employees from a telecom company. The telecom employee deliberately, or unwittingly, reassigns the victim’s account to a SIM controlled by a malicious actor — who is then able to gain access to information or accounts belonging to the target.
The court order states that Shapiro suffered his first SIM-swap attack during May 2018, to which an AT&T employee “noted the SIM swap activity in [Plaintiff’s] account and assured [Plaintiff] that his SIM card would not be swapped again without his authorization.”
“AT&T failed to implement sufficient data security systems and procedures and failed to supervise its own personnel, instead standing by as its employees used their position at the company to gain unauthorized access to Mr. Shapiro’s account in order to rob, extort and threaten him in exchange for money,” Shapiro’s complaint stated.
Shapiro has until May 29 to file an amended complaint in response to the order.
15-year-old Hacker Steals $24m In SIM-swap Attack
AT&T also faces an ongoing lawsuit from pioneering crypto investor Michael Terpin, who is seeking more than $200 million in compensation for a $23.8 million SIM-swap attack that took place during January 2018.
Last month, the case took a surprising twist when Terpin launched a new lawsuit against the alleged perpetrator of the attack — who has recently turned 18 years old.
At the time of the attack, the defendant, Ellis Pinsky, was just 15 years old and returned $2 million of the funds. Now that he is of legal age, Terpin is suing for the remaining sum plus damages — $71.4 million in total.
Speaking to Cointelegraph, Terpin stated that he was “a bit shocked to find out the alleged mastermind was only 15 at the time,” adding his surprise that “allegedly, this was not his first hacking or theft.”
Terpin asserted that Pinsky is in possession of $100 million, stating: “we believe he was being truthful when he told one of our informants via text that he still had $100 million hidden offshore.”
Teenage Crypto Hacker Allegedly Threatened Life of 16yo Accomplice
The teenage hacker who allegedly stole $23.8 million in crypto from Michael Terpin may have threatened the life of a 16-year-old enlisted to help launder the money.
Ellis Pinsky, the hacker who allegedly masterminded the theft of $23.8 million worth of crypto from pioneering investor Michael Terpin, planned on retiring after the heist at the age of 15.
However, after turning 18, Pinsky became the subject of a $71.4 million civil suit from Michael Terpin, who is seeking damages equal to triple the sum that was stolen three years ago.
18-Year-Old Sued For $71.4 Million For Crypto Theft
At one point, Pinsky allegedly told the informant “I could buy you and all your family. I have 100 million dollars.” In the complaint, the acquaintance also noted spotting “records indicating that Ellis had $70 million.”
Speaking to Cointelegraph, Terpin stated he and his legal team “believe [Pinsky] was being truthful when he told one of our informants via text message that he still had $100 million hidden offshore.”
Pinsky’s primary interest had previously been gaming — which the informant claimed provided a gateway into hacking for the teen. Pinsky frequented gaming chat rooms in which hackers would brag about their heists. This allegedly led to Pinsky teaching himself how to steal usernames for Skype and Discord.
After becoming interested in SIM-swap attacks, Pinsky allegedly began to recruit accomplices, including Nick Truglia.
Truglia was arrested in November 2018 in relation to other SIM-swap attacks, with Terpin winning a suit against him last year for $75.8 million.
Earlier in 2018, a 16-year-old accomplice of Pinsky filed a police report with New York police claiming that he had been enlisted to help launder the Terpin funds and had been threatened after sending $700,000 to the wrong wallet.
“[Pinsky] asked me to start getting him some money through selling drugs, shoes, or in any way possible. He requested $3,000 to $4,000 a week,” the police report said.
The same accomplice recollected Pinsky threatening to have them or their mother murdered after the 16-year-old accidentally let strangers into their chat.
Pinsky Sends Crypto, Cash, And Luxury Watch To Terpin
After Terpin’s attorney contacted Pinsky’s mother, the teen sent $2 million in cryptocurrency and cash, and a $100,000 watch, to the investor but made no admission of guilt.
Pinsky used his riches to lead a lavish lifestyle, driving an Audi R8, maintaining an account with a private jet service, and dressing in Louis Vuitton and Supreme clothing.
The hacker pretended to be a high-rolling crypto trader, and told his parents that he had earned Bitcoin (BTC) through playing video games and “got lucky” when the markets rallied.
Pinsky currently lives at his mother’s residence.
Mobile Firm Employee Charged With Aiding Crypto SIM-Swap Attacks Targeting 19 Victims
Stephen Defiore was allegedly paid to transfer cellphone accounts to ones owned by a co-conspirator.
A 36-year-old Florida-based telco employee was charged Monday over a SIM-swapping scam that stole one victim’s cryptocurrency.
Stephen Defiore, 36, was charged in a one-count Bill of Information – a waiver of indictment and agreement to prosecution in court – with conspiracy to commit wire fraud, according to a U.S. Department of Justice press release.
Defiore is the second person charged in connection with a scheme that hit 19 victims in SIM-swap attacks, and stole a “significant portion” of cryptocurrency held by a doctor in New Orleans.
According to the report, Defiore worked as a sales representative between August 2017 and November 2018 for an unnamed phone company. Having access to the company’s customer accounts, he allegedly performed SIM swaps – reassigning a SIM card to another user – as part of a $500 per day arrangement with a co-conspirator.
For each SIM-swap, which netted Defiore over $2,300 in total via 12 payments, co-conspirator Ricard Li sent him a customer’s cellphone number, a four-digit PIN and a new SIM-card number for the swap. Li was charged for his alleged involvement in June 2020.
A SIM-swap hack occurs when an attacker gains access to a victim’s cellphone account, allowing incoming calls and text messages to be routed to a different device. The attacker is then able to change passwords on a victim’s various accounts including emails and cryptocurrency exchange and bank accounts via SMS verification.
If convicted of the charge, Defiore faces a maximum of five years in prison and a fine of up to $250,000, as well as up to three years of supervised release after imprisonment and a mandatory $100 special assessment per count.
Monty H. & Carolyn A.