Posted on 07-04-2020.
AT&T has been involved in a lawsuit alleging that its employees facilitated the hijacking of a client’s SIM card, which then allowed attackers to steal crypto the client’s cryptocurrency. The telecom giant is yet to defend in court over another similar lawsuit going back to 2018. According to the complaint filed by a California-based business and technology advisor Seth Shapiro, at least $1.8 million worth of crypto stored in his wallet was stolen in an attack that involved active help from AT&T employees.
“On at least four occasions between May 16, 2018, and May 18, 2019, AT&T employees obtained unauthorized access to Mr. Shapiro’s AT&T wireless account, viewed his confidential and proprietary personal information, and transferred control over Mr. Shapiro’s AT&T wireless number from Mr. Shapiro’s phone to a phone controlled by third-party hackers in exchange for money,” the complaint claims. “The hackers then utilized their control over Mr. Shapiro’s AT&T wireless number—including control secured through cooperation with AT&T employees—to access his personal and digital finance accounts and steal more than $1.8 million from Mr. Shapiro.”On May 16, 2018, Seth Shapiro was at the conference in New York. He noticed that his phone had no connection to the AT&T network. Suspecting a security breach, Shapiro contacted the company to address the problem and told the customer service agent that he holds “large amounts of digital currency” that may be at risk. After waiting on hold, Mr. Shapiro was told to turn off his phone and visit an AT&T shop to get help. At the shop, he was advised to get a new phone with a new SIM, which he immediately did. The service has been restored and AT&T reportedly told Shapiro that they have noted malicious activity and assured that such a thing won’t happen again. Yet, it happened again before Seth Shapiro had left the AT&T shop. This time, he had to wait for about 45 minutes to get help as the employees were busy with other clients.
“In that time, third-party individuals were able to use their control over Mr. Shapiro’s AT&T cell phone number to access Mr. Shapiro’s personal and financial accounts and rob him of approximately $1.8 million, all while Mr. Shapiro stood helplessly in the AT&T store asking for the company’s help,” the complaint reads.Aside from the stolen coins, hackers gained access to Shapiro’s accounts on crypto-exchanges
“By utilizing their control over Mr. Shapiro’s AT&T cell phone number—and the control of additional accounts (such as his email) secured through that number by utilizing two-factor authentication—these third-party hackers were able to access Mr. Shapiro’s accounts on various cryptocurrency exchange platforms, including the accounts he controlled on behalf of his business venture. The hackers then transferred Mr. Shapiro’s currency from Mr. Shapiro’s accounts into accounts that they controlled. In all, they stole more than $1.8 million from Mr. Shapiro in the two consecutive SIM swap attacks on May 16, 2018.”
“Criminal investigations into the May 2018 breaches to Mr. Shapiro’s AT&T account and the resulting theft revealed that at least two AT&T employees, acting in the scope of their employment, accessed and permitted others to access Mr. Shapiro’s AT&T account and the confidential information contained therein.”AT&T confirmed the involvement of its employees in two SIM swaps in Shapiro’s case. Yet, the complaint further alleges that the two employees have facilitated 41 unauthorized swaps in total just in May 2018.