A Seattle-based angel investor has sued a cryptocurrency exchange claiming he was fleeced in a high-stakes SIM swap heist that netted the crooks 100 bitcoin worth roughly $1 million.
In a SIM card (Subscriber Identification Module technology that authenticates a mobile phone subscriber) swapping ruse, the hacker convinces a service provider to port the legitimate user’s SIM card to a device used by the robber. It potentially allows hackers to bypass two-factor authentication cybersecurity that MSPs and MSSPs increasingly embrace to lock-down their internal and customers’ systems. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed.
The case: Greg Bennett, the angel investor, sued Bittrex, the cryptocurrency exchange, in King County (Washington) Superior Court, claiming that Bittrex could have but didn’t stop the April 15, 2019 SIM attack on his account because it didn’t adhere to the exchange’s own security protocols or accepted industry standards, a CoinDesk account said. (CoinDesk is a news site focused on bitcoin and digital currencies).
SIM Swapping Explained
In the SIM scam, the burglars took control over Bennett’s online identity. He said the hacks apparently originated from a Florida IP address, which he claimed he had never used. Bittrex should have suspected it wasn't Bennett who was dipping into his account, he said. While the swap was from cellular carrier AT&T, the telecom was not a named defendant in the lawsuit. At this point, it’s not known where Bennett’s bitcoin has landed. So far no criminal charges have been filed.
“What I fault Bittrex for is their inability to see obvious suspicious activity,” Bennett reportedly said. He also alleged that Bittrex failed to act as the breach was in progress or respond quickly enough once notified by him directly. Bennett seems to have some corroboration for his claims in the Department of Financial Institutions for Washington state, which in its examination concluded that Bittrex failed to respond to Bennett’s notice and may have violated its own terms of service.
Meanwhile, AT&T has been involved in other notable SIM swapping heists. Earlier this year, a college student accused of stealing $5 million by hijacking the phone numbers of at least 40 victims has been sentenced to 10 years in prison. One of the victims, Michael Terpin, a co-founder of an angel group of bitcoin investors, sued AT&T in a $224 million case claiming that the telecom giant allowed hackers to pose as him to steal $24 million worth of cryptocurrency.
Service Provider: Beware?
Bennett also intends to go after AT&T, the CoinDesk report said. An AT&T spokesperson told CoinDesk that customers shouldn’t consider their cell phones as secure. “Fraudulent SIM swaps are a form of theft committed by sophisticated criminals,” the spokesperson reportedly said. “We are working closely with our industry, law enforcement and consumers to stop and prevent this type of crime.”
Another SIM swapping case dates to 2016 when customers of a U.S. banking institution were targeted by a hacker who ported their phone numbers to a phone he owned in an attack.