This article was published on July 23, 2019

Federal judge refuses to dismiss $224M lawsuit against AT&T for SIM-swap bungle

This investor lost $24M in cryptocurrency after he was SIM-swapped, twice


Federal judge refuses to dismiss $224M lawsuit against AT&T for SIM-swap bungle

A US federal judge has rejected AT&T’s request to dismiss a $224 million lawsuit over a SIM-swapping incident that led to $24 million in stolen cryptocurrency.

press release confirms the telecom giant will face court over allegations it violated the Federal Communications Act, a consumer contract, as well as several other laws, when hackers assumed the identity (and telephone account) of cryptocurrency investor Michael Terpin in 2017.

“Judge Wright strongly repudiated AT&T’s audacious bid to prevent [Terpin] from demonstrating to a jury the carrier’s contempt for consumers’ privacy and utter disregard of its legal obligations to prevent this very type of SIM swap and financial crime,” said Terpin’s defence.

“The evidence will show that AT&T not once, but twice allowed hackers posing as [Terpin] to obtain his SIM card,” they added.

NY’s ‘Bitcoin Bandit’ already has to pay Terpin millions

Terpin’s federal lawsuit relates to fraudster Nicholas Truglia, the alleged kingpin of a SIM-swapping crew believed to have stolen $80 million worth of digital assets from high-profile cryptocurrency owners, including Terpin.

“On January 7, 2018, [Terpin’s] phone with his AT&T wireless number went dead. As [Terpin’s] subsequent discussions with AT&T revealed, an AT&T employee on that date had ported over [Terpin’s] wireless number to an imposter,” said lawyers earlier this year.

That imposter was Truglia, dubbed New York’s “Bitcoin Bandit.

Together with a crew of 25 fraudsters known as the “OG Users,” Truglia is said to have sourced false identification documents via the dark web and phishing, later using them to trick customer support staff into porting their victim’s telephone numbers to phones under their control (SIM-swapping).

SIM-swapping allows text messages and 2FA codes to be intercepted, so stealing $24 million in cryptocurrency was as trivial as logging in and transferring it to external wallets.

Truglia later bragged: “I’m a millionaire. I’m not kidding. I have 100 Bitcoin,” and even boasted: “Nobody can get me in trouble. Nobody can put me in jail. I would bet my life on it, actually.”

In May this year, Truglia was ordered to pay $75.8 million in compensatory and punitive damages to Terpin — over three times the amount he originally stole, and reportedly one of the largest cryptocurrency-related court judgements awarded to an individual.

Let’s find out if AT&T is responsible for SIM-swap bungles

The ruling above resolved Terpin’s civil case against Truglia. Now, we’re set to discover (at a federal level) if telecom providers like AT&T can be held responsible when their staff are tricked into SIM-swapping plots.

According to Terpin’s press release, federal judge Otis Wright II said of AT&T’s potential negligence: “Mr. Terpin has sufficiently alleged that AT&T permitted unauthorized access to his proprietary information, specifically his account information and private communications.”

“Mr. Terpin’s claim […] seeks to declare AT&T’s wireless customer agreement as unconscionable, void against public policy, and unenforceable in its entirety,” said Terpin’s lawyers. “[Our client] alleges that as a result of these illegal contract provisions, the entire customer agreement is unenforceable because the central purpose of the agreement is tainted with illegality.”

Terpin now has 21 days to submit amendments to his lawsuit. Hard Fork has reached out to Terpin’s legal team to confirm what changes must be made, and will update this piece should we hear back.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with