A man who lost $24 million in cryptocurrency in an elaborate SIM swapping scam has won a multi-million-dollar judgment against the thief, who was 15 at the time of the hustle.
According to court documents [PDF] filed Friday in federal New York City court, Ellis Pinsky agreed to pay Michael Terpin $22 million for his starring role in the SIM swap and crypto heist. Pinsky was a New York high school student at the time of the theft in 2018, and it’s said he paid back $2 million about a year later to his victim.
Pinsky, now 20, has also agreed to testify against AT&T, according to Terpin. In a LinkedIn post earlier today, the blockchain investor told his followers of his civil lawsuit win:
Pinsky has not, to the very best of our knowledge, been charged with any crime, and it’s presumed this is because he was a minor at the time of the theft, and because he cooperated immediately with the Feds a couple of years ago when investigators homed in on him. In a Rolling Stone interview over the summer, Pinsky – dubbed Baby Al Capone by the media – admitted he swiped millions in crypto-coins from Terpin via a SIM swap.
According to that article, Pinsky said he wrote a Python script that would search social media for people who appeared to work for cellular networks, and would privately message them. Pinsky would, we’re told, offer those employees a small amount of Bitcoin to perform SIM swaps, aka port outs.
This basically reassigns a victim’s phone number to the SIM in the scammer’s phone so that the scammer receives that number’s calls and texts. Once that happens, the crook can request a password reset for the target’s webmail account, with the one-time verification code texted to the thief. Now in control of the email account and phone number, the thief can start going through all of the victim’s online accounts and apps, resetting passwords with the links and texts going to the webmail or hijacked phone number, logging in, and stealing any (say) cryptocurrencies found.
Which, according to Pinsky, is what he did to Terpin: after an AT&T worker did the SIM swap, he and an accomplice found a file in an Outlook account loaded with crypto wallet information, which was then used to siphon off the money. Specifically, it’s claimed, Pinsky and his co-conspirator stole 3 million TRIG coins, each worth more than $7 at the time, and laundered them into Bitcoins. TRIG has since crashed to less than 20 cents a coin.
The other side
Terpin sued AT&T for $240 million in 2018 for repeatedly failing to protect his cellphone from the teenage scammer. It’s been a long, drawn-out case, full of legal maneuvering on both sides, but here’s the gist of what Terpin said happened to his phone — and in courtrooms since then.
According to Terpin’s first lawsuit [PDF], in June 2017 a fraudster posing as Terpin convinced an AT&T employee at a store in Connecticut to transfer Terpin’s phone number to another SIM card — after 11 earlier attempts at the scam in other stores had failed.
The miscreant then used his access to Terpin’s phone number to gain access to his cryptocurrency holdings, and transferred millions of dollars to a different account.
Terpin complained to AT&T, and the carrier agreed to put additional security policies in place where any future changes would require someone to not only provide ID but also supply a special six-digit code that only he and his wife knew.
Despite this, in January 2018, fraudsters again hijacked his phone number and, again, broke into his cryptocurrency accounts, ultimately stealing $24 million worth of digital coins. “The purloined telephone number was accessed to hack Mr Terpin’s accounts, resulting in the loss of nearly $24 million of cryptocurrency coins,” the lawsuit stated.
In February 2020, a judge rejected AT&T’s effort to dismiss the case, noting that Terpin had provided sufficient proof that the US telco giant should defend its position in front of a jury.
Later that year, a judge threw out a $200 million damages claim Terpin had filed against AT&T, but allowed the rest of the case to move forward. It is slated for a federal court in Los Angeles in May.
Interestingly enough, Pinsky told Rolling Stone he returned all he could from the Terpin heist – 562 Bitcoins, his share of the spoils with his co-conspirator – a couple of years ago when he realized the jig was up. In 2020, that BTC would be worth $2 million, which Terpin alluded to in his statement above. At their peak in November last year, those Bitcoins would be worth about $40 million, and today: about $11 million. In any case, Pinsky’s now agreed to pay Terpin, one way or another, $22 million.