T-Mobile Sued For Allowing $8.7m Cryptocurrency Hack via SIM Swap

T-Mobile was sued in the Eastern District of New York by plaintiffs Reginald Middleton and Veritaseum LLC on Tuesday for its alleged “failure to protect its customers’ highly sensitive personal and financial information,” which caused the plaintiffs to lose $8.7 million in a cryptocurrency SIM card swap hack.  

Specifically, the plaintiffs alleged that T-Mobile’s gross negligence to protect consumer information have caused the plaintiffs to allegedly lose $8.7 million in cryptocurrency.  The plaintiffs alleged that recently, bad actors have been “using schemes to access customer personal and financial information by causing unauthorized changes in customers’ wireless accounts. The purpose of these schemes is to compromise customers’ mobile identities, access confidential data, take over their financial accounts, and effectuate fraudulent transactions.” This can include fraudulent SIM card swapping, where “a hacker convinces a mobile phone carrier to transfer access of a targeted person’s phone number from her registered SIM card…to the hacker’s SIM card. Once the hacker has access to this information, the hacker takes over the user’s cell phone” and gains access to various accounts. Hackers often target people with large quantities of cryptocurrency.

The plaintiffs alleged that in 2017, hackers began to target plaintiff Middleton, “a well-known holder of cryptocurrency and founder and sole owner of Veritaseum, a cryptocurrency company,” through T-Mobile. In July 2017, the hackers allegedly targeted Middleton’s cryptocurrency account via his T-Mobile account, which he used for his personal use and his company. Middleton proffered that the hackers engaged in a SIM card swap; the hackers called and were denied the first three times, but their request was granted on the fourth SIM swap attempt. As a result, Mr. Middleton’s account and number were transferred to a device the hacker controlled. Consequently, the hacker was able to gain control of his phone and access a variety of his or his company’s accounts. This included personal and corporate finance accounts, such as “his corporate and personal cryptocurrency addresses, wallets and online exchange accounts for holding cryptocurrency, using the access provided by T-Mobile to bypass the two-factor authentication (also known as ‘2FA’) security measures.” 

The plaintiffs’ cryptocurrency accounts contained $8.7 million in cryptocurrency, which the hackers transferred to accounts owned and controlled by the hacker. Plaintiff Middleton further claimed that the hackers continued to engage in SIM card swaps against him and his company. Middleton claimed that T-Mobile has repeatedly failed to prevent these SIM swaps and protect his information, while the company has continued to provide hackers with unauthorized access to Middleton’s account and personal information.

The claims against T-Mobile include violating the Federal Communications Act and the New York Consumer Protection Act, negligence, negligent hiring, retention and supervision, negligent infliction of emotional distress, and gross negligence for the aforementioned alleged conduct.

The plaintiffs have sought declaratory judgment in their favor, an award for damages, an award for costs and fees, prejudgment interest, and other relief as determined by the court.

The plaintiffs are represented by Spiro Harrison and Brundidge & Stanger, P.C.