Cryptocurrency investor Michael Terpin is understandably upset that he lost a combined $24 million in two different hacks of his phone over the course of seven months. Terpin alleges that the hacks were only possible because the hackers had an inside person at AT&T who provided access to Terpin’s account. And he’s suing the telecommunications giant for both the money he lost and $200 million in punitive damages.
“The wheels of justice grind slowly, but we made really good-faith efforts to get a settlement out of court,” Terpin told Gizmodo this morning over the phone. “But we feel that AT&T is absolutely at fault here.”
Terpin thought he was playing it safe, employing two-factor authentication on everything and even consulting security experts to make sure that nobody could access his accounts. But all of that apparently doesn’t mean much if an employee on the inside gives up your digital identity. Especially as criminal gangs allegedly use LinkedIn to find people who work at AT&T stores and recruit them to help with a hack, whether they know it or not, which is what Terpin says happened to him.
Terpin’s lawsuit dubs the attacks against him “SIM swap fraud,” which involves thieves gaining access to mobile customers’ private information, including their phone numbers, and in turn making it possible to take over a target’s phone.
From the complaint:
After the hackers took charge of Mr. Terpin’s telephone number, the hackers accessed Mr. Terpin’s telephone to divert texts and telephone calls to gain access to Mr. Terpin’s cryptocurrency accounts. The hackers also used the phone to hijack Mr. Terpin’s Skype account to impersonate him. By that means, the hackers convinced a client of Mr. Terpin to send them cryptocurrency and diverted a payment due to Mr. Terpin to themselves.
AT&T finally cut off access by the hackers to Mr. Terpin’s telephone number on June 11, 2017, but only after the hackers had stolen substantial funds from Mr. Terpin. Moreover, because of the hack, Mr. Terpin expended a substantial amount of time investigating the hack and attempting to repair his computer accounts.
Terpin says that these large cryptocurrency hacks are often perpetrated by “college kids who go online in these Discord groups” to organize their heists.
“The one thing that’s been a link between [crypto hacks] is that in every case they’ve had an insider,” Terpin told Gizmodo. “[Trading cryptocurrencies] is safe as long as nobody gives out your digital identity.”
Terpin says he’s been in contact with the FBI, Homeland Security, and the U.S. Secret Service and claims they’ve found the AT&T employee whom they believe assisted in the hacks.
“What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner,” the complaint says.
The lawsuit continues: “AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care.”
Terpin approached AT&T in February and hashed things out as best they could with a federal mediator, but the two parties couldn’t come to a settlement. Terpin says that AT&T more or less told him that they’re not responsible for him getting hacked.
AT&T did not yet return Gizmodo’s request for comment. [Update, August 16, 2018, 7:40am: AT&T sent us the following statement via email: “We dispute these allegations and look forward to presenting our case in court.”]
Terpin comes from the news business, having started out at small newspapers in his 20s during the early 1980s and eventually making his money founding the Los Angeles-based PR firm Internet Wire (now Marketwired) in the 1990s. Terpin sold out to private equity firms before Marketwired landed a permanent home at NASDAQ in 2016. He’s now an angel investor in a number of different crypto-based start-ups.
Terpin, for his part, doesn’t give out his phone number to anyone, as just one more step to hopefully avoid getting hacked in the future.
“I now pretty much only give people my Google Voice [number],” Terpin said.