
Kris Carlon / Android Authority
TL;DR
- T-Mobile was ordered to pay $33 million in damages after losing an arbitration case tied to a major security failure.
- The case involved a SIM swap attack that allowed hackers to steal $38 million in cryptocurrency from a customer’s account.
- The breach happened even though the victim had extra protections, raising concerns that hackers bypassed T-Mobile’s security through a backdoor.
T-Mobile has paid $33 million to settle a private arbitration case involving a major SIM swap incident that resulted in the theft of tens of millions of dollars in cryptocurrency. The payout, revealed through a petition filed in a Los Angeles court, follows a high-profile legal battle brought forward by California law firm Greenberg Glusker.
According to Security Week, which reviewed the legal filings, the arbitration award stems from a February 2020 cyberattack that targeted tech entrepreneur Joseph “Josh” Jones. The attackers managed to hijack Jones’ T-Mobile account and port his phone number to a SIM card they controlled. Once in possession of the number, they were able to access and drain his cryptocurrency holdings, stealing over 1,500 Bitcoin and roughly 60,000 Bitcoin Cash. At the time, the stolen assets were valued at $38 million.
The report claims that despite Jones having added enhanced security to his T-Mobile account, including an eight-digit PIN, the attackers may have exploited internal vulnerabilities or a backdoor within T-Mobile’s systems. Greenberg Glusker alleges that “numerous security failures” at the wireless provider enabled the breach, and argues that the company’s internal safeguards were not up to the mark.
The arbitration award, finalized in late 2023, had been kept confidential until recently. The law firm said T-Mobile tried to seal details of its security lapses, but a recent petition to confirm the award brought those details into public view.
In a statement to Security Week, Greenberg Glusker attorney Paul Blechner didn’t mince words: “SIM swapping has been an unchecked security flaw for years. Carriers like T-Mobile have known about it and failed to take basic precautions. This award makes it clear: they must do better.”
SIM swapping (also known as SIM hijacking) is a long-running cybercrime tactic in which attackers convince a carrier’s employees to transfer a victim’s number to a new SIM card, giving them control of two-factor authentication codes and access to sensitive accounts. Once attackers have control of a target’s number, they can reset passwords, bypass authentication protections, and gain entry into email, banking, or cryptocurrency platforms.
Law enforcement later identified the person behind the Jones attack as a 17-year-old diagnosed with ADHD. The individual reportedly had links to hackers Nima Fazeli and Joseph O’Connor, who were involved in the 2020 Twitter hack that compromised dozens of high-profile accounts, including those of Elon Musk, Joe Biden, and Bill Gates.
This case isn’t the only time T-Mobile has been linked to SIM swap-related incidents. In recent years, the tactic has gained notoriety for its use in high-stakes heists and major data breaches. In 2023, advisory firm Kroll suffered a SIM swapping attack involving T-Mobile that exposed data from several bankrupt crypto firms, including FTX, BlockFi, and Genesis. A year earlier, a US man was sentenced for stealing $20 million in crypto via SIM swapping.