Telecom provider T-Mobile has become the latest company name to come under fire for its alleged negligence and failure to protect customer information, indirectly leading to a “SIM swap attack” that led to the successful theft of $ 450,000 or 15 Bitcoin (BTC).
SIM swap attack – also referred to as port scam – has proven to be a popular tactic with criminals in recent years. Such an attack includes theft of the victim’s cell phone number, which can then be used to hijack the victim’s online social media and financial accounts by intercepting automated messages or phone calls that are used in two-factor authentication security measures.
The lawsuit against T-Mobile on February 8 in the Southern District of New York by plaintiff Calvin Cheng – the victim who claims to have lost $ 450,000 in bitcoin after such an attack – explains exactly how telecom companies came to play like this. A critical role in this specific type of fraud:
“A third-party criminal convinces a wireless carrier like T-Mobile to transfer access to the cell phone number of its legitimate clients from the SIM card registered for the legitimate customer. […] To the SIM card controlled by the criminal third party […] This type of account hijacking is not a separate criminal act, in and of itself, because it requires the active participation of the wireless carrier to swap the SIM card with an unauthorized person’s phone.
The incident in question occurred in the lawsuit, according to Cheng, after a successful SIM swap in May 2020 against a T-Mobile customer and co-founder of crypto-focused Iterative Capital investment fund, Brandon Buchanan.
Cheng made several successful transactions with Iterative to purchase Bitcoin in the months leading up to the incident, communicating with Buchanan and others at Iterative via Telegram and using a crypto exchange managed by the fund.
After the SIM swap, the culprits allegedly impersonated Buchanan in a Telegram conversation with Cheng, contacting him to ask him if he wanted to sell Bitcoin to a repeat customer at an attractive premium. After calming down into thinking the connections were from Buchanan, Cheng agreed to the deal and transferred Bitcoin to a digital wallet that he believed was under Buchanan’s control and / or duplicates – a misconception, as it turned out later.
Two days later, Buchanan reached out to Iterative’s exchange clients to inform them that several of his accounts had been compromised by SIM swapers, who mistakenly assumed his identity and used them to initiate trades on the supposed Iterative’s behalf. The remainder of the complaint details Cheng’s appeal to the FBI, which is investigating the incident and trying to identify the perpetrators. Buchanan also tried to mediate directly with T-Mobile on Cheng’s behalf, but failed to secure a refund on his behalf.
As the lawsuit confirms, SIM card swapping is not a new phenomenon and has been actively discussed by federal agencies since 2016 at the latest. It is not the first time that T-Mobile has become embroiled in SIM swap lawsuits involving cryptocurrency investors.
The lawsuit accuses T-Mobile of failing to implement adequate security policies to prevent unauthorized access to its customers’ accounts, failure to train or supervise its employees to prevent successful fraud, and illicit behavior in “reckless disregard” of various obligations and duties under federal and state law. Consequently, the carrier is charged with violating the Federal Communications Law Fraud and Misuse Act, and the New York Protection Act, plus two counts of negligence.