
Wednesday, April 23, 2025


Ninth Circuit allows crypto investor to pursue claim against AT&T over $24 million hack

The decision allows Michael Terpin to seek at least $45 million in damages, interest and attorneys' fees at trial, his lawyer said.

LOS ANGELES (CN) — A Ninth Circuit Court of Appeals panel says a well-known cryptocurrency investor can pursue one of his claims against AT&T over the hack of his mobile phone in 2018 by a teenager who stole $24 million.

The appellate panel on Monday upheld the dismissal of most of Michael Terpin’s fraud and negligence claims, as well as the summary judgment a trial judge in Los Angeles had issued in favor of AT&T, except for one claim related to the Federal Communications Act.

The reinstatement of Terpin’s claim comes as the panel found it was valid under Section 222 of the act, which provides that telecommunications carriers have a duty to protect customer proprietary network information. The panel said Terpin had created a triable issue whether, through a fraudulent SIM swap, AT&T gave hackers access to information that is protected under the act.

In a unanimous opinion authored by U.S. Circuit Judge Roopali Desai, a Joe Biden appointee, the panel said the lower court judge had incorrectly focused on whether AT&T had disclosed any of Terpin’s network information to the hacker, then 15-year-old Ellis Pinsky, during the SIM swap. But the statute, she said, also prohibits permitting access to the customer’s proprietary network information.

“Through the SIM swap, Pinsky updated Terpin’s wireless account to associate Terpin’s phone number with a new SIM in Pinsky’s control,” Desai wrote. “A jury could thus find that he necessarily gained ‘access’ to the technical configuration of Terpin’s account.”

“Even if the evidence at this stage does not ‘foreclose any possibility’ of AT&T’s success on Terpin’s claim, it is sufficient to ‘show a triable issue of material fact,’” she said.

However, the panel upheld the dismissal of Terpin’s fraud claim for deceit by concealment because AT&T had told him that its security measures had limits and that it couldn’t guarantee that no breach would ever occur. Likewise, the panel affirmed the dismissal of Terpin’s claim for as much as $216 million in punitive damages because he didn’t make a plausible argument that AT&T officials intended to harm him or consciously disregarded a known risk to his account.

U.S. Circuit Judge Richard Clifton, a George W. Bush appointee, and U.S. Circuit Judge Holly Thomas, a Biden appointee, joined in the opinion.

Terpin’s attorney Pierce O’Donnell said that they were thrilled with the court’s “pro-consumer” decision.

“This is a major precedential decision of national significance,” O’Donnell said. “Rejecting all of AT&T’s arguments, the court of appeal held that AT&T can be liable in damages under the Federal Communications Act when it allows a hacker to get into its system, access the customer’s AT&T account, and steal the customer’s private information or assets — in this case $24 million of cryptocurrency.”

The panel’s ruling paves the way for Terpin to go to trial and hold AT&T accountable after six years of litigation, O’Donnell added, where he will seek $24 million plus at least $14 million of interest and his attorney’s fees for a total of at least $45 million.

“Fraudulent SIM swaps are a form of theft committed by sophisticated criminals and it is unfortunate that these criminals targeted Mr. Terpin. We are pleased that the appellate court agreed with us and dismissed nearly all of the claims in his lawsuit. We will continue to defend ourselves against the one remaining allegation in this case,” an AT&T spokesperson said.

Hackers attacked blockchain and cryptocurrency investor Terpin’s cellphone on two separate occasions, he said in his initial complaint filed in the U.S. District Court for the Central District of California in August 2018.

A SIM swap is a relatively low-tech hacking technique in which a hacker poses as a customer and asks the mobile carrier to transfer the phone number to a separate phone SIM card, which then gives the hacker access to the victim’s online accounts, including bank accounts and cryptocurrency wallets used to store digital currency.

Terpin said after the first attack in 2017, AT&T provided him with a 6-digit code that only he and his wife would know. Despite this added layer of protection, Terpin says he was hacked again in January 2018.

According to court documents, Pinsky bribed an employee at an AT&T authorized retailer to bypass AT&T’s security measures and swap Terpin’s phone number to a SIM Pinsky and an associate controlled.

After the swap, Pinsky requested password reset messages to Terpin’s phone number and used those messages to gain access to Terpin’s online accounts, including a Microsoft OneDrive account. The hacker then searched Terpin’s OneDrive and found a document in the trash folder with Terpin’s cryptocurrency access credentials. Pinsky used those credentials to access Terpin’s “wallets” and steal $24 million in cryptocurrency.

Pinsky turned himself in to the authorities and returned his share of the spoils, according to a 2022 Rolling Stone profile of the reformed hacker.

The U.S. Department of Justice identified the other hacker as Manhattan resident Nicholas Truglia, then 21, who was arrested in November 2018 and extradited to Northern California on unrelated SIM-swapping charges. In May 2019, a Los Angeles County judge ordered Truglia to pay Terpin $75.8 million in a civil judgment stemming from the hack.
