Back in 2018 cryptocurrency investor Michael Terpin filed a $224 million lawsuit against AT&T, claiming the mobile carrier failed to protect his account from hackers that stole his phone number—then made off with his identity and $23 million in cryptocurrency.
This week a New York grand jury unsealed an indictment against the alleged perpetrator of the scam, 22-year-old Nicholas Truglia. The indictment charges Nicholas Truglia and up to 25 additional unnamed co-conspirators with several counts of wire fraud and money laundering. Truglia was arrested in late 2018 for a seperate SIM hijacking scam.
Terpin won a $75.8 million civil judgment against Tuglia last year. Both the civil lawsuit and related affidavits by associates highlight how the unemployed Truglia repeatedly flaunted the wealth gleaned from this and other scams, bragging about his $6,000 per month New York apartment, $100,000 Rolex, and plans to buy a $250,000 McLaren.
The affidavit also highlights how Tuglia, who claimed to have been subsequently tortured by “friends” trying to steal his ill-gotten gains, used Twitter to brag about the $24 million scam under a different name.
Videos by VICE
Motherboard investigations have revealed how users have been hit by SIM hijacking attacks thanks to wireless industry employees who are either paid—or conned—into “porting out” a target’s phone number to an attacker-owned device. From there, attackers routinely steal money, cryptocurrency, or even valuable social media accounts.
As with numerous other issues plaguing the telecom space (like the location data scandals exposed by Motherboard), the FCC has done little to nothing to seriously address the problem. In a letter sent to FCC bos Ajit Pai on Thursday, Oregon Senator Ron Wyden and five other lawmakers demanded that the agency explain why it hasn’t taken the threat more seriously.
“Consumers have no choice but to rely on phone companies to protect them against SIM swaps—and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” the lawmakers wrote.
The letter noted that carriers in countries like Nigeria, the UK, and Australia often give SIM swap data to financial institutions to help them take additional security countermeasures in the wake of SIM hijacking theft. It also notes how overseas carriers will often only conduct a SIM swap after confirming the receipt of a one-time password sent via email.
“Consumers have limited options to protect their wireless accounts from SIM swaps and are often not informed about these options by carriers until after they have been victimized,” the lawmakers said.
The letter asks the FCC for additional details on what its doing to hold wireless carriers accountable for their ongoing failure to protect consumers, with responses expected by February 14. The FCC did not respond to a request for comment.
Terpin, whose lawsuit against AT&T is ongoing, also sent an open letter to Pai mirroring lawmakers concerns. In it, he notes how the FCC’s fixation on problems like robocalls doesn’t appear to extend to the growing scourge of SIM hijacking scams.
“There are more than 200 articles on the FCC website mentioning robocalls—and yet not one addressing the fastest growing cancer on the mobile consumer landscape: the hacking of personal information, accounts, identity theft and money via a growing crime called ‘SIM swapping’ or ‘simjacking,’” Terpin wrote.
AT&T is facing a separate $1.8 million lawsuit by another SIM hijacking victim that alleges AT&T isn’t doing enough to protect its customers. T-Mobile was also sued last year by a SIM hijacking victim that lost 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins—at the time worth more than $20,000.
While carriers have taken some steps to shore up their security practices and better inform customers about the scams, both lawmakers and Terpin believe carriers like AT&T and T-Mobile should be doing more; and if they don’t, the FCC should be prepared to force the issue.