Communications Litigation Today was a Warren News publication.
SIM Card Cloned

AT&T Allegedly Aided Hackers in Stealing $300K From Customer's Account

AT&T aided hackers in stealing over $300,000 from a customer’s cryptocurrency account by helping them clone his mobile phone “at least three times,” alleged a complaint Thursday (docket 1:24-cv-00802) in U.S. District Court for Colorado in Denver.

Timothy Nichols of Larimer County, Colorado, alleges AT&T failed to protect his financial information during a SIM swap in fall 2022 by “intentionally, wantonly, or negligently” helping hackers steal over $303,000 in Ethereum and bitcoin from his cryptocurrency account and then transfer it to an unknown third-party digital wallet. Nichols wasn’t able to recover the stolen cryptocurrency, but he and other “consultants” were able to determine that hackers accessed his account by swapping his phone’s SIM card “with AT&T’s help," it alleged.

In September 2022, Nichols traded in his Samsung Galaxy S10 smartphone for a Galaxy Z Flip 4 at an AT&T store in Fort Collins, Colorado, the complaint said. When he left the store, he tried to call his spouse several times, but the call wouldn’t go through, it said. He went back to the store, where an agent took the new phone to a back room, returned saying there had been an error with the phone’s SIM card and told Nichols the phone had been fixed, the complaint said.

Over the next eight weeks, Nichols used the new phone “without significant incident and timely paid AT&T for the corresponding services,” the complaint said. On Nov. 9, Nichols used the new phone to access his cryptocurrency trading account, the first time he used it “or any other device” to access the account since he activated the new phone in September, it said. Nichols requested a transfer of about $10,000 from the cryptocurrency account to his bank account, it said. A week later, Nichols learned that the $10,000 transaction didn’t go through, prompting him to access the account to review the transfer, it said.

Nichols was unable to access his cryptocurrency account because “someone unknown to him and without his knowledge or consent had changed his username and password,” the complaint alleged. When a cryptocurrency exchange staff member helped him access his digital wallet, he learned that the unauthorized third party transferred Ethereum and bitcoin out of his account.

On Nov. 9, Nichols returned to the store where he bought the phone, and an agent showed him a database revealing that eight hours before he used the phone to access his digital wallet for the first time, the digital SIM card AT&T had assigned to the new phone “was activated on an iPhone 8 that did not belong to Plaintiff or anyone known to him,” it said. The records also showed that four minutes later, the same SIM card showed up on a second iPhone 8 that didn’t belong to him or anyone known to him, it said.

Four days later, the same SIM card registered on Nichols’ new phone for the first time, despite having purportedly been assigned to it Sept. 20, the complaint said. “Thus, it was apparent” that between Sept. 20, 2022, when Nichols bought the new phone, and Nov. 13, 2022, “someone with access to AT&T’s database withheld the SIM card and orchestrated the SIM swapping scheme,” it said.

This month, nearly a year and a half after the incident, AT&T “finally notified” Nichols, saying it had determined that his customer proprietary network information “was accessed without authorization” and that AT&T had “taken appropriate action with regard to the individual whose credentials were used to access the account.”

Nichols claims violation of the Communications Act, negligence, negligent supervision and training, and negligent hiring. He seeks general damages relief of no less than $303,000, or the present value of “76.46 Ethereum and .16858739 Bitcoin, whichever is greater,” it said. He also seeks exemplary and punitive damages against the defendants and pre- and post-judgment interest. AT&T didn't comment Friday.