In 2017, the Michael Terpin SIM Swap attack netted hackers $23.8 million after they bribed an AT&T employee to transfer Michael's phone number to a new SIM card. This allowed them to receive SMS text messages and reset the passwords to his crypto accounts, ultimately enabling them to drain his cryptocurrency.
In 2018, Michael Terpin, an entrepreneur and marketing advisor, sued AT&T to recover the value of the cryptocurrencies stolen from him ($23.9 M) and for $200M of punitive damage. In 2023, the judge ruled against him, but his campaign to recover what was stolen from him did not stop. He and his lawyer had become experts in SIM Swapping. He bribed members of the SIM-Swapping community to gain information on their peers and won $75.8 million in damages from one hacker who stole from him. He waited until another one turned 18 to sue him as well. Terpin and his lawyer gained in-depth knowledge of SIM Swapping to mount an effective campaign.
What is a Sim Swap Attack?
A SIM Swap, also known as SIM hijacking, SIM jacking, or SIM splitting, is a malicious tactic where an attacker hijacks a victim’s phone number by transferring it to a new SIM card, giving him access to all the information associated with the victim's phone number. Attackers obtain the details they need to hack their victim’s SIM by bribing employees or through social engineering. Social engineering uses deception to manipulate individuals to share confidential or personal information that may be used to commit fraud.
Michael Terpin SIM Swap attack started when hackers took control of his phone number and used Google’s ‘Forgotten Password’ feature to access his email. Acquiring possession of the two personal accounts (phone and e-mail) allowed them to hack his crypto wallet, steal the digital assets, sell them to convert all of them into Bitcoins, and distribute them among those who took part in the heist.
They stole digital assets worth $24 million. Michael Terpin managed the custody of his crypto-assets.
Who Was Behind Michael Terpin SIM Swap?
In 2022, the FBI received 2,056 SIM-Swapping complaints, and losses reached $71.6 Million. An increase of 27.6% in complaints from the previous year and 5.3% in losses reached (in 2021, they received 1611 complaints, and the estimated losses reached $68 Million).
The actual figures are higher. SIM Swapping doesn’t require deep technological knowledge. The weak link is the telecoms industry's focus on convenience and cost over security. A hacker needs to be willing to deceive or bribe a telecom customer service rep. There is no need for any specific expertise.
A teenager, Ellis Pinsky (15 at the time), masterminded the original theft of Michael Terpin’s crypto assets. SIM Swapping for Pinsky was the last step in a progression that started when he met online another player of the video game ‘Call of Duty’, @Ferno, who turned out to be a hacker. By the time he was 15, he had several Telco customer representatives on his payroll.
On the evening of January 6th, 2018, a message from a contact called Harry told him he had the name of their ‘biggest whale yet’. It was Michael Terpin. Pinsky looked at Terpin’s social media and found a phone number in one of the many press releases. He then checked with Jahmil Smith, an AT&T customer representative he had on his payroll, to see whether he could see the phone number. Pinsky offered him money to swap the SIM details. Smith ported Terpin’s number from his Blackberry to a phone held by another member of the hacker community called Cold, who acted as the “holder”. He manually overrode the six-digit security code that had been placed on Terpin’s account after an earlier attack. Pinsky tried to get access to the password of Michael Terpin’s cryptocurrency account. Unfortunately (for Pinsky), the two-factor authentication required a code generated by an app rather than a code texted to a mobile number. Pinsky had to gain access to Terpin’s email accounts. He figured out Terpin would be on Gmail and went to the Google account recovery. He entered Michael Terpin’s name and phone number and had a list of all his Gmail accounts. Once he had access to Terpin’s emails, he started fishing for an email or an attachment with a crypto wallet password. It took him over an hour. During that time, Michael Terpin was on the phone with AT&T and being put on hold. In the end, Pinsky found out that he had a Microsoft OneDrive cloud storage service. He reset the password with the two-factor authentication code sent to Cold phone and found a document listing a dozen types of crypto-wallets with random words next to them, and they were seed phrases, a method to access a wallet used in the crypto world.
Pinsky and Harry now could open the Steem, Skycoin, and Triggers wallets. The value of the Trigger wallet surprised them. It was the highest-valued heist anybody had ever made through Sim Swapping. They had a problem. Binance was one of the few exchanges that could allow them to access the Trigger wallet. Minors couldn’t open a Binance account, and adults needed to provide a valid government ID to open one.
Pinsky organized a group of eight on a Skype call and deposited a small amount of Triggers in the accounts of each one of the mules. He asked them to convert them into Bitcoins and send them to a wallet he and Harry controlled, minus a small cut. He repeated the operation with larger amounts until he concentrated the exchange with one mole, Nicholas Truglia, a 25-year-old.
At the end of the operation, the group had between $15M and $20M in Bitcoins. Pinsky and Harry divided most of the money. It was Pinsky’s final hack.
Michael Terpin’s Legal Battle With AT&T
Michael Terpin's original claim against AT&T included allegations of negligence, breach of contract, violation of the Communications Act, and more.
In 2020, the judge awarded AT&T a partial dismissal but allowed Terpin to pursue part of his claim. Last year, a judge decided in favour of AT&T because their contracts had limited the telcos liability for losses suffered by customers.
Persky, who had abandoned his hacking activities, offered to testify in Terpin’s favour to placate the victim of his last hack. His testimony did not help. He conceded that ‘conducting a SIM Swap’ was not enough to steal cryptocurrency if the victim stored all their crypto credentials offline or used strong multifactor authentication.
The outcome of the court case opened a debate about telcos security obligations. Michael Terpin and his legal team argued customer service agents should not have access to passwords or PINs. They also maintained that the judgement ignored AT&T legal duties to protect its customers from that type of cybercrime, long-standing federal law, and evidence of AT&T negligence.
The defeat in the court did not stop Terpin. He continued his quest for restitution. Thanks to his willingness to pay people from the SIM Swapping community for information, and because Nicholas Truglia did not stop his criminal activities as Persky did, he won $75.8M in damages from him. Terpin waited for Pinsky to turn 18 and then he sued him. In October 2022, Persky agreed to pay $22M in damages on top of what he'd handed over three years earlier.
Increased Awareness Of The Need For Security Measures For Crypto Assets
Michael Terpin used his money and his PR experience to make sure the theft of $24M in crypto assets would not go unnoticed, whatever the result of his court case against AT&T.
Bloomberg wrote a detailed piece on how a group of young people managed to perpetrate the fraud. He and his lawyers learned a lot about SIM Swapping. He lost his case against AT&T, but he raised awareness of the security measures investors in cryptocurrencies need to take to minimize the chance of being defrauded.
· Be aware of your digital footprint. In Michael Terpin SIM Swap’s case, Persky found his mobile number in a press release. Lock your privacy setting. Avoid putting your birth date on your social profile. Be careful what you post. You need to go beyond the advice not to post things you wouldn’t want to read on the front page of a paper. You need to be careful not to post anything that could verify your identity. Cyber fraud aside, identity theft is also very common, and it is used to commit fraud against your assets or other actions that will damage you.
- Do not use SMS as a second factor identification. Use an app like, for instance, Google Authenticator.
- Switch to a password manager with a very strong master password and keep a hard copy of the master password.
- Reduce the amount of your data collected online. For instance, switch to a secure browser.
- Pay for content. Searching and downloading pirated material is too often a way to get hacked.
- Do not use public Wi-Fi unless you have a secure way of browsing the internet (like using a VPN)
You are aware of the risks and have taken some prudential measures to mitigate them. You have a wide choice of cryptocurrency and exchange options. What do you need to look to assess the level of security of a crypto exchange? There are certain things you can check before you open an account, such as:
- Crypto insurance coverage in case of theft
- Two-factor authentication availability for user accounts
- Account recovery accessibility
- Customer service accessibility
- Cold storage reserves
- Consumer sentiment
Cold storage wallets are a way of storing Crypto Currency keys offline. In this way, it is almost impossible for hackers to access your wallets. Consumer sentiment is important, but it is not always a guarantee. It is important to note that PlasBit holds 100% of users’ crypto-currencies offline in call storage. All customer assets are responsibly backed by Plasbit and accessible at customer convenience. Moreover, all sensitive account information is encrypted at system and data levels using Secure Socket Layer (SSL) technology.
What Are The Exchanges Doing To Prevent SIM Swap Attacks?
Michael Terpin SIM Swap was not the only attack where the victim took AT&T to court. Seth Shapiro, a California-based investor, took AT&T to court, alleging that one of their employees helped to perpetrate a SIM Swap that resulted in the theft of assets worth $1.8M, including Crypto Currency. The number of complaints related to SIM Swapping received by the FBI Internet Crime Complaints Centre (IC3) is rising exponentially year on year. The three major Telco Companies in the US (Verizon, T-Mobile, and AT&T) tell their customers to set up a PIN on their account to make it more difficult to access them via social engineering, but the easiest way to Swap SIMs remains to bribe one of their customer service employees.
Governments and regulators treat cryptocurrencies as securities, but they are still unregulated. The industry has tried to regulate itself. The Cryptocurrency Security Standards (or CCSSs) have been around since 2014. It hopes to reduce the risk of funds being lost to human error, fraud, or natural disaster, but it does not address SIM Swapping. PlasBit’s solution follows CCSS Level 3. All critical actions require multiple parties, and sophisticated authentication solutions are used to guarantee the accuracy of data. However, PlasBit does not hold user's passwords or account access and cannot transfer cryptocurrencies out of customers’ online ‘hot’ storage. That is the best defence against SIM Swap.
Exchanges are verifying the identity of those who open accounts or are trying to restore access to accounts, but Michael Turpin’s case proves it is possible to circumvent that; in a different case, Nicholas Truglia bought a fake ID with the name and details of a deceased person and his photograph.
So, What Can You Do?
SIM Swapping could be compared to somebody getting hold of your house keys and the code to open your safe. Michael Turpin SIM Swap attack has proven that the giant telcos companies have terms and conditions that protect them from liability even if one of their employees has accepted bribes to share your information with hackers.
Hackers stay in touch through messages and protect their anonymity using handles instead of names. They are teenagers themselves or use teenagers because they are more difficult to prosecute. Michael Terpin lost his case against AT&T but recovered the value of the stolen assets because he used the knowledge he had gained to penetrate the SIM-Swapping community and offer to pay for information. He spent over $5M on legal fees. So, if you do not have some spare millions available to spend on legal fees or in bribes to gain information from other hackers, what can you do?
Hackers rely on the value people place on convenience and on how difficult it is to differentiate between people’s legitimate need to restore access to their wallet and a hacker using your details to access your wallet fraudulently. Even using a PIN doesn’t help if hackers steal your identity and convince a customer service employee they are you and you have forgotten your PIN and need to reset it. The best way to protect yourself against SIM Swapping is to be aware of the possibility and follow the security measures discussed above. Think of what you share online. If you want the convenience of having an SMS as a second-factor identification, do not share that number on social media. Be careful of what you post on social media or what you put inyour e-mails. Do not use public Wi-Fi.
SMS, as a second-factor of identification, relies on you being in possession of your phone/SIM Card. If a hacker swapped your SIM card, they have your virtual phone and will have access to all the information. An identifier app as a second factor of identification may be less convenient, but it is safer. Remember, think of your SIM Card as your house keys and leaving an electronic trail of your identity as leaving the code to open your safe available to everybody.
Be aware that SIM Swapping happens more and more frequently. Your personal data and your phone number, shared on social media or in documents that can be retrieved online, is like leaving your house keys and your address somewhere public. Remember, Michael Terpin SIM Swap attack started in earnest when the hacker found his phone number in a press release.