Telecom provider T-Mobile is being sued by a customer who was attacked in a SIM-swapping incident that resulted in the theft of 15 BTC, or $450,000. The lawsuit was filed on Feb. 8 in the Southern District of New York by plaintiff Calvin Cheng. The plaintiff’s attorneys claim that T-Mobile’s negligence in failing to protect customers’ sensitive information, despite frequent SIM attacks, is to blame for the theft.
Several of Iterative’s Exchange Accounts Compromised by SIM Swappers
In May 2020, a SIM-swapping attack was carried out against Brandon Buchanan, a T-Mobile customer and co-founder of crypto-focused investment fund Iterative Capital.
In May 2020, the plaintiff received a message via Telegram that he believed was from Buchanan, offering him an above-market rate for 15 BTC. The hackers allegedly impersonated Buchanan in a Telegram chat with Cheng, asking him whether he wanted to sell Bitcoin to an Iterative client at an attractive premium.
In the months prior to the incident, Cheng had successfully conducted various Bitcoin trades with Iterative Capital, Buchanan, and others via Telegram.
Believing the chat was from Buchanan, Cheng agreed to transfer the Bitcoin to a cryptocurrency wallet, thinking it was controlled by Buchanan or Iterative Capital. A few days later, Buchanan reached out to Iterative Capital’s exchange clients, informing them that several of their accounts had been compromised by SIM swappers. Apparently, the SIM swappers assumed his identity and used it to initiate trades on Iterative Capital’s behalf.
FBI Investigating the T-Mobile Matter
The rest of the complaint reveals that the FBI is investigating the incident and attempting to identify the perpetrators. According to the complaint, T-Mobile violated federal laws and was negligent in its hiring and training of customer service personnel.
A SIM-swap attack involves the theft of a victim’s cell phone number. It can then be used to hijack the victim’s online financial and social media accounts by intercepting automated messages or phone calls that are used for two-factor authentication security measures.