Bitcoin Investor Sues AT&T After Losing $23 Million In SIM Swap Hack

A cryptocurrency investor who says he lost $24 million after his phone number was stolen in two hacks wants AT&T to pay him more than $200 million in damages.

Michael Terpin, founder of Transform Group and BitAngels, filed a lawsuit against AT&T on Tuesday. Terpin argues that AT&T didn’t do enough to protect his phone number despite the fact that the company was fully aware of the fact that criminals are increasingly targeting cryptocurrency investors by stealing their phone numbers in a fraud commonly known as SIM swapping, SIM hijacking, or “port out scam.”

In the last few months, several criminals have stolen millions of dollars in Bitcoin or other virtual currency by targeting people who work in the cryptocurrency world. In July, police in California accused a 20-year-old of being part of a group who stole $5 million from more than 40 victims. A couple of weeks later, police in Florida charged a 25-year-old for similar crimes.

As a Motherboard investigation revealed, dozens of people have been hit by these kind of attacks.

Terpin alleges that his phone number was stolen in two different occasions. The first on June 11, 2017, and the second in January 7, 2018. When hackers took control of his number earlier this year, they were able to access one of his online exchanges accounts and steal $24 million. The hackers were able to hijack his phone number despite the fact that AT&T had added extra security to Terper’s account after the first hack and assured him that he was on a “higher security level” with “special protection,” Terper alleged in his complaint.

“What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner,” the lawsuit alleges. “AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care.”

An AT&T spokesperson sent a statement via email: "We dispute these allegations and look forward to presenting our case in court."

Terper’s lawyers did not respond to a request for comment via email.

According to Stephen Palley, a lawyer who is not involved in the lawsuit but who has reviewed it, the case is unlikely to go to trial because carrier’s include arbitration clauses in their terms of services with their customers. Palley said that the security issues pointed out in the lawsuit are serious, but may not be appropriate to deal with them in court.

“Some of that maybe more appropriately addressed by regulation or updated legislation. I’m not sure that after-the-fact litigation will solve that,” Palley told Motherboard in a phone call.

One of Terpin's lawyers, however, said the arbitration clause will not be an issue.

”We’re confident we’re going to go forward wth this and the customer agreement is not a problem,” Tim Toohey told me in a phone call.

Terpin said in the lawsuit that he has yet to recover the $24 million the hackers stole.

This story has been updated to add comments from AT&T ant Terpin's lawyer.

Solve Motherboard’s weekly, internet-themed crossword puzzle: Solve the Internet.