The Story of a $24mn SIM Swap

Entrepreneur and marketing advisor Michael Terpin made news in 2018 when he sued AT&T for USD224mn; Terpin wanted USD23.8mn compensation for cryptocurrency stolen from his wallets after a SIM swap, and another USD200mn in punitive damages. Terpin had amassed considerable wealth not just from running his own PR agency but because he worked with cryptocurrency ventures before the Bitcoin boom began. His lawsuit ultimately failed in March of this year when a judge decided the contract with AT&T had limited the telco’s liability for losses suffered by customers. However, Terpin’s campaign for restitution had already taken on epic proportions, including the offer of payment to members of the SIM swap community willing to snitch on their peers. Terpin consequently won USD75.8mn in damages from Nicholas Truglia, one of the SIM swappers who stole from him, and waited for another member of the gang to turn 18 in order to sue him too. It could be argued that Terpin and his lawyers learned more about SIM swapping than anyone working for law enforcement ever had, and more than anyone outside of the fraternity of SIM swappers. Given his PR nous, it is no surprise that Terpin has also been keen to use the media to pursue his goals, and now Bloomberg has written a lengthy feature on Terpin and the kids who stole from him.

The article confirms many of the lessons that should have already been learned about SIM swapping:

  • Phone numbers are not swapped at random; intelligence is gathered about high-value targets first.
  • Bribing telco employees is much easier than socially engineering them or hacking into computer systems; the SIM swap community assembles and uses databases of employee contact details so they can be approached and offered bribes.
  • The practice of SIM swapping is dominated by young men who are spread around the world but who learn their criminal trade by interacting with each other via the dark web, Discord and Telegram.
  • However, some claim that the boys who were never caught have matured into the role of criminal kingpins, recruiting teenagers to do the riskiest work because their youth means they will be less severely punished.

Bloomberg depicts Terpin as a man on a mission.

As the hackers and their friends spent Terpin’s money, Terpin was doing everything he could to bring attention to his legal crusade. When he filed his suit, he gave an exclusive story to Reuters and penned an open letter to the chairman of the Federal Communications Commission, proposing that the government require cellphone companies to conceal customer passwords and PINs from rank-and-file employees.

Terpin started getting tips. He and [his wife] Maxine would be awakened by calls from untraceable numbers at their terraced hillside mansion in Puerto Rico, where they keep their primary residence for tax reasons. Some of the callers disguised their voice with audio processing tools, though Terpin remembers that one kept moving his mouth away from the phone to talk to someone else, revealing an Irish brogue. Terpin made it clear to the tipsters that he was happy to pay for solid information.

The interconnected nature of the SIM swap community meant Terpin also received tips naming another infamous SIM swapper, Joseph O’Connor, also known as ‘PlugwalkJoe’. O’Connor was recently given a 5 year prison sentence for unrelated crimes. Though certainly known to other members of the community, O’Connor contacted Terpin directly to insist he had not stolen from him.

But around then, from another caller, Terpin heard a new name. The caller said he was Joseph O’Connor, whom Sauce had identified as a ringleader of the 2018 hack of Terpin. His Liverpudlian accent was audible through the voice-disguising app. O’Connor said he wasn’t the person Terpin should be after, and neither was Truglia. The real culprit was someone named Pie, a feared figure who’d been professionally hacking since he was in puberty. After taking some time to think it over, O’Connor texted Terpin a name and hometown: “Ellis Pinsky, Irvington.”

Bloomberg interviewed Pinsky, who explained the origins of the community of SIM swappers.

The members of the Community originally came together on a web forum called OGUsers, dedicated to the unlikely topic of online usernames. To a certain sort of gamer, having a particularly cool handle in a multiplayer game or for your social media accounts — @anonymous or @evil, say — confers status, and the most desired ones fetched tens of thousands of dollars on the forum. Or members could just take them for free, by hacking into the owner’s account to steal them. A subset of the community dedicated itself to developing techniques to do this. Some of them branched out into hacking celebrity social media handles, to troll or swindle the accounts’ followers.

One key method used by Pinsky was to obtain the contact details of telco employees so he could attempt to bribe them.

He wrote a script in the programming language Python to scrape Twitter for mentions of cell service companies by people who worked at one — “You know, somebody saying, ‘Oh, just finished my shift at AT&T’ or something like that,” he says. He turned up plenty. Anytime he found a current employee, he’d contact them to see if they were willing to be bribed. About 10%, he estimates, replied yes. “At one point in time, I had a person at every carrier on my payroll,” he says. His roster of so-called plugs brought him cachet. As @Pie, he gloated online about the thousands of dollars he might make with a successful attack. Others in the Community began bringing him targets and invitations to collaborate.

But despite the efforts of Terpin to focus attention on telcos and protections against fraudulent SIM swaps, the criminals need to do much more than swapping a SIM in order to steal from a victim’s cryptocurrency wallet.

To further placate the man he robbed, Pinsky also agreed to give a deposition in Terpin’s suit against AT&T. It may not entirely have helped, though. Under questioning, he readily conceded that he had never been able to steal cryptocurrency “just by conducting a SIM swap.” The swap itself was simply the first step, and if the intended victim used strong multifactor authentication, or stored all their crypto credentials offline, there wasn’t much Pinsky could do with the stolen phone number.

The full article is well worth a read, although it is hidden behind Bloomberg’s paywall here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.