(CN) – A federal judge in California has given a cryptocurrency entrepreneur another shot to make his case that AT&T’s negligence allowed hackers to steal $24 million in digital currency.
Hackers attacked blockchain and cryptocurrency investor Michael Terpin’s cellphone on two separate occasions, according to his initial complaint filed in the Central District Court of California in August 2018. Following the hacks, Terpin says he told AT&T he was also the victim of a SIM card swap.
The relatively low-tech hacking technique involves a hacker posing as a customer and asking the mobile carrier to transfer the phone number to a separate phone SIM card, which then gives the hacker access to the victim’s online accounts – including bank accounts and cryptocurrency wallets used to store digital currency.
Terpin says after the attacks, AT&T provided him with a 6-digit code that only he and his wife would know. Despite this added layer of protection, Terpin says he was hacked again in January 2018.
According to the complaint, the hacker used Terpin’s telephone number to access his cryptocurrency accounts and then impersonated him over Skype to convince a client to send the hacker digital currency.
By the time AT&T was able to cut off the hacker’s access to Terpin’s phone account, about $24 million worth of cryptocurrency was stolen from Terpin, according to his initial complaint. His lawsuit includes claims of negligent supervising and training, breach of implied contracts, violation of the California Consumer Legal Remedies Act and other claims.
The U.S. Department of Justice identified the hacker as Manhattan resident Nicholas Truglia, then 21, who was arrested in November 2018 and extradited to Northern California on unrelated SIM-swapping charges. In May, a Los Angeles County judge ordered Truglia to pay Terpin $75.8 million in a civil judgment stemming from the hack.
In a July 19 order, U.S. District Judge Otis D. Wright II dismissed the bulk of Terpin’s lawsuit but gave him another chance to show AT&T is liable for the loss of his cryptocurrency.
“Based on the allegations of the complaint, Mr. Terpin asserts that AT&T assisted the hackers with a SIM card swap, thus granting the hackers access to Mr. Terpin’s phone number,” writes Wright. “However, Mr. Terpin does not explain how the hackers accessed Mr. Terpin’s cryptocurrency account(s), whether they sold Mr. Terpin’s cryptocurrency then transferred the money, or whether they transferred the cryptocurrency to a cold wallet.
“At this stage, the court is left to speculate how having access to Mr. Terpin’s phone number resulted in the theft of cryptocurrency,” writes Wright, noting Terpin has not adequately shown how the flaws in AT&T’s security resulted in the $24 million theft.
Terpin says AT&T was put on notice after the first hacking attempt and claims an AT&T employee in a Norwich, Connecticut, phone store helped the hackers complete the SIM card hijacking on the second attempt. He also points to a Federal Communications Commission investigation of AT&T which showed employees had been paid by criminals to hand over customers’ information, including login credentials, and the phone carrier had not properly supervised how employees accessed that information.
Wright denied AT&T’s request to strike Terpin’s references to the FCC probe and a subsequent consent decree, writing, “Thus, the FCC investigation and corresponding consent decree could be relevant on the issue of notice, that such actions were previously occurring, and that the acts perpetrated on Mr. Terpin were reasonably foreseeable.”
The judge also gave Terpin – a resident of Puerto Rico with a home in California – another shot at showing why his claims involving California law should survive dismissal.
Wright also dismissed, with leave to amend, Terpin’s California statutory claims on extraterritoriality grounds, because Terpin was not able to show that the crimes occurred in the Golden State. Terpin says he has a home in California, but actually resides in Puerto Rico.
Terpin’s lead counsel Pierce O’Donnell praised Wright’s ruling and said they will file an amended complaint.
“Judge Wright strongly repudiated AT&T’s audacious bid to prevent Michael from demonstrating to a jury the carrier’s contempt for consumers’ privacy and utter disregard of its legal obligations to prevent this very type of SIM swap and financial crime,” O’Donnell said in an email. “The evidence will show that AT&T not once, but twice allowed hackers posing as Michael to obtain his SIM card.”
The attorney added: “SIM swaps are a cancer on consumer’s privacy rights. Sadly, this cancer is metastasizing at a furious pace within AT&T’s porous ‘security system.’ AT&T’s unwitting customers are largely unprotected victims of identity theft that costs them their privacy and untold millions of dollars every year. Our lawsuit seeks to force sweeping, technologically feasible remediation by AT&T.”