The Curious Case of AT&T, Seth Shapiro’s SIM Card and a Stolen $1.8M

Two AT&T employees have been accused of indulging in illegal SIM swap-related activities. Cointelegraph spoke with Seth Shapiro
Two AT&T employees have been accused of indulging in illegal SIM swap-related activities. Cointelegraph spoke with Seth Shapiro

Over the past week, the global crypto community bore witness to a unique case wherein California resident and blockchain entrepreneur Seth Shapiro filed a lawsuit against American telecom giant AT&T — alleging that a couple of the firm’s employees had perpetrated a nefarious SIM-swap scheme that resulted in the former losing $1.8 million in various crypto assets.

Shapiro, who is a two-time Emmy Award-winner, as well as an author and adjunct professor at the University of Southern California School of Cinematic Arts, filed the aforementioned lawsuit against AT&T on Oct. 17, claiming that between May 16, 2018 and May 18, 2019, the telecom provider’s employees perpetrated four hacks in total that lead to his personal and confidential data — including usernames, passwords, event calendar, etc. — being leaked to third-party hackers. 

In this regard, the submitted court documents highlight that the aforementioned developments resulted in the miscreants gaining control of Shapiro’s various cryptocurrency exchange accounts on platforms, such as KuCoin, Bittrex, Coinbase, Huobi, Cryptopia, Livecoin, HitBTC, Coss.io, Liqui and Bitfinex. Not only that, but they were also able to seize control of some of his other digital accounts, such as Evernote.

In addition, the plaintiff has also alleged that he is currently in possession of chat logs that clearly show the AT&T employees and hackers discussing their plans to use the stolen funds to acquire their dream cars and other valuable objects. The logs also contain details of how the hackers planned on rerouting the funds to avoid being caught by the police. On the subject, the lawsuit reads as follows:

“AT&T employees obtained unauthorized access to Mr. Shapiro’s AT&T wireless account, viewed his confidential and proprietary personal information, and transferred control [...] to a phone controlled by third-party hackers in exchange for money. [...] The hackers then utilized their control over Mr. Shapiro’s AT&T wireless number [...] to access his personal and digital finance accounts and steal more than $1.8 million.”

Jim Greer, an AT&T assistant vice president for corporate communications, told Cointelegraph in a statement: “We are working closely with our industry, law enforcement and consumers to stop and prevent this type of crime.”

Cointelegraph spoke with Shapiro

To gain a better understanding of the situation, Cointelegraph reached out to Shapiro and asked him to share some comments regarding the matter. First, Cointelegraph wanted verified whether Shapiro had indeed made repeated attempts to get AT&T’s service operators to prioritize his calls in order to protect his account. 

Additionally, Cointelegraph also asked him why he failed to notify local police authorities immediately after the first hack — after all, it has been alleged that a total of four breaches took place. Shapiro responded to this by saying:

“I did. There’s not much local PDs can do — AT&T has all the information. In my case, I was lucky that the REACT Task force in Santa Clara got a lead and pursued the case. As did the Department of Homeland Security, who have been amazing. I am very grateful to both groups and can give you contacts at each.”  

When asked about the crypto assets that were lost as a result of the repeated intrusions, Dwayne Sam — an attorney at Pierce Bainbridge Beck Price & Hecht LLP — and a member of Shapiro’s legal team, provided a legal document that contained the following data:

  • Approximately 1,200 Ether (ETH) — estimated to be worth around $500,000 — was stolen from the claimant’s Bittrex account.
  • Another $400,000 was illegally siphoned from an associated Wax cryptocurrency account. 
  • Shapiro claims that he had been able to raise between $700,000 to $1 million in crypto for a project he was undertaking — the proceeds for which commingled with his personal crypto savings.

In all, Shapiro alleged that he has had to face a total loss of around $1.7 million in cryptocurrency — $1 million of which consists solely of his personal funds, which he said was savings for his retirement.

It should be mentioned that AT&T has had a poor track record when it comes to SIM-swapping incidents, with occurrences more than doubling between January 2013 and 2016. 

Also, in an earlier case relatively similar to this one — Terpin v. AT&T — a United States court did lay some responsibility on the claimant for failing to secure the account adequately. Thus, when asked if Shapiro’s legal team expected to face similar responsibility from the judge presiding over their case, Sam replied by saying:

“Mr. Shapiro’s case will be judged on its own merits. That said, nothing in the Terepin court’s most recent decision could or should be construed as blaming the victim.”

Lastly, when asked about how the legal team foresees the judgment of his case panning out in court Shapiro pointed out:

“The evidence in this case of AT&T’s culpability and negligence is overwhelming. We fully anticipate that AT&T will be held legally accountable for its actions and those of its employees.”     

AT&T’s Greer told Cointelegraph that the company has security measures in place to combat fraudulent SIM swapping, adding:

“However, recent high profile cases reinforce the importance of businesses and consumers taking steps to protect against SIM swap fraud, such as not using mobile phone numbers as the single source of security and authentication.

Greer went on to say that the company believes what happened to Shapiro is unfortunate, but added: 

“We dispute his allegations. We look forward to presenting our case in court.”

Community reaction

To better understand if the responsibility in relation to this matter lies with AT&T alone or with the firm’s employees who reportedly stole Shapiro’s data, Cointelegraph got in touch with David Reischer, an attorney and CEO of LegalAdvice. He responded by saying Shapiro’s allegation that AT&T being in violation of the Federal Communications Act is absolutely true — especially in regard to the firm failing to protect the confidentiality of his mobile telephone account and other related data. He then went on to add:

“AT&T is liable for its employees criminal acts via a theory of vicarious liability that holds a company accountable for the acts of its employees. The chat logs introduced into evidence by Mr. Shapiro further detail the scheme to steal Mr. Shapiro's cryptocurrency and AT&T is equally negligent for not protecting Mr. Shapiro against this scheme and fraud.”

Similarly, another important facet is whether or not the issue of contributory negligence arises — i.e., would Shapiro’s activities qualify as contributing to the damage, as he should have known not to use a SIM card as an authenticating factor. On the subject, Jonathan Klinger, an Israeli cyber law attorney and blogger, told Cointelegraph:

“It is also quite hard to believe that such a material amount of funds were held in an account that merely needed these factors. One should expect the protection of personal data to be proportionate to the amount of funds that he might lose. In this case, these factors weigh in favor of AT&T. Shapiro has a long way ahead before he might get any compensation, in my opinion."

It is also worth remembering that SIM swapping is a relatively new type of fraud that has been growing at a rapid pace over the past decade or so — especially in the wake of the recent crypto boom. 

Related: Grand Theft Crypto: The State of Cryptocurrency-Stealing Malware and Other Nasty Techniques

Thus, investments made through smartphones, laptops and other digital devices are now prone to certain third-party interference, which one needs to be wary of at all times. On the subject, Alina Kiselevich, a communication specialist with a legal background at Enigma Securities, pointed out to Cointelegraph that, “Mr. Shapiro did everything that a responsible client should do” by repeatedly reporting an attack to AT&T and seeking help from the telecoms company:

“As you can see, it was impossible for Shapiro to call the police, because it did not happen between long periods of time, but rather very quickly. Robert Jack and Jarratt White, two people standing behind the theft from AT&T’s side, were confirmed to be employed there, their involvement in the case was also confirmed.”

Other notable cases involving AT&T

Terpin v. AT&T Mobility: Last year, Michael Terpin, a prominent cryptocurrency advocate and the founder of Marketwire, was the victim of SIM swap fraud involving AT&T. He filed a lawsuit against the firm in August 2018, later winning $75.8 million in a civil judgment — even though AT&T filed for a dismissal of the lawsuit, the plea was eventually overruled by the court.

Liu v. AT&T: On Feb. 12, 2018, after Mitch Liu's smartphone started malfunctioning, he immediately went to an AT&T store and spoke to the customer care representative, revealing his Social Security number as proof of identification. 

He was then provided with a new SIM card, which, once installed, allowed hackers to obtain control of his cell phone data. On March 19, 2018, Liu received a message stating that his social media and cryptocurrency exchange accounts had been compromised, and that a total of $10,000 worth of crypto assets had been moved from his wallets.

Sidhu v. AT&T: As per court documents recently obtained by Cointelegrah, early last year, AT&T user Jagdeep Sidhu started experiencing issues with his cell phone. He subsequently acquired a new SIM card and upon restarting his phone, Sidhu immediately realized that his Gmail, Coinbase, Facebook and Instagram accounts had been compromised. 

Basu v. AT&T: On Aug. 27, 2018, REACT investigators confirmed that an unknown individual was able to gain control of Saswata Basu’s phone and steal his AT&T cell phone account via a SIM swap. Shortly afterward, his Yahoo and Gmail addresses were accessed without authorization. In all, it is estimated that Basu lost around 9,000 DASH and 1,287 ETH.

Hui v. AT&T: According to legal data acquired by Cointelegraph, on Nov. 20, 2017, Tina Hui tried to log into her Gmail account only to be told that she had changed her password four hours prior. Upon seeing the message, she immediately sent in a request for a password reset and waited for a two-factor authentication text message to arrive. However, when the message did not come, Hui realized that her cell phone might have been compromised. She rushed to an AT&T store to rectify the issue, but by then, a number of her personal accounts, including her Coinbase wallet, had been hacked into.