A US court has ordered Anthony Francis Faulk of Pennsylvania to pay USD2.8mn in compensation and sentenced him to three years in prison for stealing cryptocurrency worth approximately USD20mn. Faulk agreed to a plea deal where he admitted that he and his accomplices took control of the phone accounts of victims by socially engineering staff at telcos. These phone services were then used to take over emails and other accounts, until the gang was eventually able to transfer cryptocurrency from wallets or reassign the ownership of other digital assets.
The gang also engaged in extortion per a press release from the US Attorney’s Office in the Northern District of California:
Faulk also admitted that, in addition to transferring cryptocurrencies, the co-conspirators contacted some of their victims by telephone and threatened to compromise further accounts unless the victims paid additional money to the fraudsters.
11 victims will receive USD2,816,433 in restitution between them. Faulk also forfeited a string of valuable possessions.
Those assets include a nearly $1 million home in Latrobe, Pennsylvania; three J.P. Morgan Chase accounts totaling approximately $12,525,592, $6,242,919, and $18,118, respectively; a 2018 Mercedes-Benz GTS; a 2018 Nissan Rouge; a 2019 Chevrolet Silverado K1500; diamond jewelry; a Rolex; Tiffany earrings; and a Louis Vuitton handbag and wallet.
Faulk’s accomplices, Matthew Ditman and Ahmad Hared, will be sentenced on August 31 and October 12 respectively. Their crime spree began in 2016, when Faulk was barely out of his teenage years, and it lasted for just 20 months. Such enormous criminal wealth was amassed during this period that Faulk barely knew how to spend his ill-gotten gains. The original indictment has a list of property that prosecutors wanted to confiscate which includes the royalty rights for 20 rap songs that Faulk had purchased. Presumably Faulk thought the rights to songs could be used to launder the proceeds of his crimes and turn them into a legitimate source of income, but the authorities were able to follow the trail of digital breadcrumbs he left behind.
Regular readers of Commsrisk will recognize the familiar pattern to this crime. A boy has barely become a man when he is lured by fantasies of easy riches. A little bit of work goes into identifying individuals with large cryptocurrency holdings and discovering their mobile phone numbers. The customer service departments of telcos are targeted as the weakest link in the security chain because of the thousands of times staff have to deal with genuine customers who need to switch their accounts to a replacement SIM because of a lost phone. Lax controls around other online services place too much reliance on authenticating users by sending passwords to phones. Rich people who possess assets that are worth millions of dollars and which can be moved around the world in seconds are left out of pocket because they depended on decisions made by poorly-paid staff working in a telco’s call center. The police and prosecutors engage in many years of work to deliver justice, but prevention would surely have been cheaper for society as a whole than trying to recover what had been stolen.
Thankfully, a new report from the US Cyber Safety Review Board has recommended the urgent replacement of SMS messages and voice calls used for multi-factor authentication, as well as calling for ‘whole of society’ intervention to discourage juveniles from committing SIM swaps and associated crimes. But the truth is that it never required expert analysis to reach these conclusions. It just required individuals and organizations to be more realistic about risk, and less lazy about protecting themselves. There will always be many people who lose their phones and will want the rapid restoration of services that have become essential to their lives. Telcos can do more to reduce SIM swap fraud, but millionaires and the businesses that court them could also have done much more to prevent these crimes. And the illusion of easy money needs to be tempered by parents, teachers and journalists who explain that stealing digital money is not a victimless crime that society can permit to go unpunished.