Bitcoin Investor Robbed of Cryptocurrency Blames AT&T


U.S. investor Michael Terpin has filed a lawsuit against AT&T, accusing the company of allowing thieves to change his phone number and then use it to steal $24 million worth of his cryptocurrency.

A Victim of SIM Swap Fraud

Terpin co-founded the first angel group for Bitcoin investors, called BitAngels, in 2013. A year later, he co-founded the first digital currency funding group, BitAngels/Dapps Fund.

In January, Terpin was robbed of millions of cryptocurrency tokens, worth $23.8 million at the time. According to Terpin’s lawsuit filing, the attack happened through what is called a “SIM swap fraud.” Criminals use this relatively common tactic to transfer a victim’s phone number to their own phone by contacting the wireless carrier and pretending to be the victim.

The complaint says:

“What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.”

Criminals employ this tactic because many internet services and their users continue to use SMS-based two-factor authentication (2FA) to protect their accounts, despite this method of authentication being declared no longer secure by the National Institute of Standards and Technology more than two years ago.

Terpin now wants AT&T, which he considers the sole responsible party for the attack, to give him the $24 million back, as well as pay him an additional $200 million in punitive damages. AT&T said that it disputes the allegations.

Yet Another Lesson In SMS 2FA Insecurity

What happened to Terpin is yet another lesson that you can no longer rely on just SMS 2FA codes to protect any of your online accounts, whether it’s for email, social media, or your banking services. SIM swap frauds and SS7 hacks have been demonstrated many times over the past few years, and the number of such incidents will likely keep rising in the coming years as more criminals learn how to carry them out.

In contrast, as Google recently unveiled, accounts protected by hardware security keys, such as Universal 2nd Factor (U2F) tokens, have proven to be “un-phishable.” That means accounts protected by U2F tokens no longer have to depend on the user’s or a third party’s vigilance to ensure they aren’t tricked by criminals into giving them account credentials.

The U2F tokens are cryptographically paired with the original websites, so they won't work with any other website that pretends to be one of those websites. Unlike mobile phone numbers, which can be switched from one SIM card to another, the cryptographic keys on the U2F tokens can’t be transferred, so they are always in your possession.
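The pairing between token and website can be modeled in a few lines. This is an added example, not code from the article or from the U2F specification: a simplified model built on Node.js's crypto module, in which the class, the function names and both site addresses are hypothetical.

```javascript
// Simplified model of U2F origin binding; not the real wire format.
const crypto = require("crypto");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Hardware token: one P-256 key pair per registered site; private keys stay inside.
class Token {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    const keyHandle = crypto.randomBytes(16).toString("hex");
    this.keys.set(keyHandle, { privateKey, appId: sha256(origin) });
    return { keyHandle, publicKey };
  }
  // `origin` comes from the browser (the address bar), never from the page itself.
  sign(keyHandle, origin, challenge) {
    const entry = this.keys.get(keyHandle);
    if (!entry || !entry.appId.equals(sha256(origin))) return null; // key not issued for this site
    const clientData = JSON.stringify({ challenge, origin });
    const signed = Buffer.concat([entry.appId, sha256(clientData)]);
    return { clientData, signature: crypto.sign("sha256", signed, entry.privateKey) };
  }
}

// Website: checks its own challenge, the origin the browser recorded, and the signature.
function verify(site, publicKey, challenge, assertion) {
  if (!assertion) return false;
  const { challenge: c, origin } = JSON.parse(assertion.clientData);
  if (c !== challenge || origin !== site) return false;
  const signed = Buffer.concat([sha256(site), sha256(assertion.clientData)]);
  return crypto.verify("sha256", signed, publicKey, assertion.signature);
}

// Constructed scenario; both origins are placeholders.
const SITE = "https://accounts.example.com";
const LOOKALIKE = "https://accounts-example.test";

function demo() {
  const token = new Token();
  const reg = token.register(SITE);
  const challenge = crypto.randomBytes(16).toString("hex");
  const genuine = verify(SITE, reg.publicKey, challenge, token.sign(reg.keyHandle, SITE, challenge));
  // Look-alike page relays the real challenge and key handle; the token refuses to sign.
  const relayed = verify(SITE, reg.publicKey, challenge, token.sign(reg.keyHandle, LOOKALIKE, challenge));
  // A key registered on the look-alike signs there, but the real site rejects the result.
  const other = token.register(LOOKALIKE);
  const crossSite = verify(SITE, reg.publicKey, challenge, token.sign(other.keyHandle, LOOKALIKE, challenge));
  return { genuine, relayed, crossSite };
}
console.log(demo());
```

Only the login performed on the genuine origin verifies. An SMS code, by contrast, carries no record of which site the user typed it into.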

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • soccerdude84
    I don't know why he's seeking punitive damages unless he can prove ATT intentionally defrauded him. That sounds ridiculous.
  • rix340
    He's seeking punitive damage hoping they will settle for the $24 million instead of the $200. Those are just tactics.
  • araczynski
    the $200 million is to cover lawyer fees. i'd say this suit would be funny to watch, but I seriously don't give a F about cryptocurrency or anything that happens to anyone that enjoys gambling in it.
  • cryoburner
    So, he kept $24 million protected by his phone number? And how do we even know that his number getting stolen wasn't an inside job, and that he didn't orchestrate the "theft" himself? And where do $200 million in punitive damages come from? The whole thing sounds a bit shifty, much like cryptocurrency in general.
  • Zaporro
    Good for him and this whole crypto scam. Hate people like that leeching on others, pretending they work, not contributing anything to society.
    Goes for both these wannabe "Crypto investors" and people who live off others' work using stock markets and the like.
  • owhansson
    Yet another lesson in the dangers and pointlessness of cryptogarbage.
  • gggplaya
    If a user needs a new sim card, they should just mail it out to their house or they should prove their identities in a local store for a more immediate solution. Doing a sim swap over the phone is too dangerous, you simply don't know who is on the other end.
  • evilpaul
    Punitive damages are to punish like the name suggests.

    Punitive damages aren't to cover attorney's fees. You ask the court to "award attorney's fees" to cover attorney's fees.

    I'm not sure how anyone's supposed to know whether or not this is a sinister conspiracy theory involving an "inside job", or somebody just did some social engineering on AT&T. My gut would say the latter.