SIM Swapping: A Multimillion Dollar Scam

(MUSIC INTRO)

[00:00:01] Bob: This week on The Perfect Scam.

[00:00:02] They call it flexing. Whenever they steal something, they want to buy something flashy, like a diamond-encrusted Rolex, or go out to clubs, and you know, buy champagne service and just pour out the champagne on their watches. Very obnoxious videos.

[00:00:18] He wrote a python script that basically went into social media and found everybody who was like listed as having a, a job at AT&T in their Twitter or in their LinkedIn or whatever. He would then go and send an email out to them saying, "I understand you work at AT&T. I have a task for you."

(MUSIC SEGUE)

[00:00:40] Bob: Welcome back to The Perfect Scam. I’m your host, Bob Sullivan. Your smartphone is the password to your whole digital life, maybe your whole real life too. Think about it. Almost everything you have to log into today and heck, almost every sporting event or concert you walk into requires that you pull out your smartphone. That's why today's story is so important. It involves a technique that lets criminals steal your smartphone, even though it never leaves your pocket. Think about what kinds of things someone could do to you if they had control of your smartphone. For starters, they could try to steal money from your bank accounts. In a moment you're going to meet someone who was robbed this way and had $24 million stolen from him in an instant. But first, you're going to meet an investigator who spent years chasing down various crime gangs of criminals who essentially invented this kind of theft. And the crazy things they did like pouring expensive champagne onto Rolex watches. And while some of his stories are wild, and about people living the lifestyles of the rich and famous, well it's important everyone understands that these criminals, they might come after your smartphone too. So we'll talk about ways you can protect yourself. But first, meet Samy Tarazi, a criminal investigator for the Santa Clara County District Attorney's Office in San Jose, California.

[00:02:11] Samy Tarazi: So back in early 2018, a victim called us, said, "Hey, my cell service went away, like it just died, I had to go back to the AT&T store to get it back up and running and while it was down a bunch of my accounts got logged into."

[00:02:27] Bob: The victim said his phone just died. But that's not all. He said he was an early investor in cryptocurrency and at the same time his phone died, about $10,000 worth of cryptocurrency was stolen from him.

[00:02:44] Samy Tarazi: So this was weird to us. We weren't sure if it was a coincidence that his phone just happened to lose service prior to all of his accounts being compromised, we just started researching it and we sort of just learned on the fly here.

[00:02:57] Bob: Samy had to learn fast because his office was soon consumed by what felt like an avalanche of the same kind of complaints. A dead phone, a bunch of hacked accounts, and then, stolen cryptocurrency. And soon millions of dollars would be at stake.

[00:03:16] Samy Tarazi: Yeah, I think as we progress--, I don't know if I was thinking that globally yet in the beginning. Well like, oh my God, the entire world's like security infrastructure has this gigantic flaw. That came later as like a plethora of victims started coming forward and we started linking with other agencies across, across the world dealing with the same thing.

[00:03:37] Bob: The entire world's security infrastructure has this gigantic flaw? This flaw is known as SIM swapping. SIM stands for Subscriber Identity Module. Every smartphone has one. With some phones you can take a physical sim card out of one handset and place it into a new one and voila, you've transferred everything to your new phone. In other cases, SIMs are updated, swapped virtually. Most of the time we want this. It's the easiest way to update your phone. But when criminals do it, disaster can strike.

[00:04:17] Samy Tarazi: Yeah, SIM swapping is the act of a bad guy taking over the victim's cellular service. So what they do is either through ruse or bribe or some other way they get a telephone employee either at AT&T or T-Mobile or Verizon to switch the service from the victim's phone to the suspect's or the bad guy's phone, which then what happens is the cellular service will go to no service on the victim's phone and then any incoming text message or phone call will now go to the suspect's phone.

[00:04:53] Bob: Why is it such a bad thing if a criminal can SIM swap your phone?

[00:04:56] Samy Tarazi: So in back maybe now early 2010s, 2011 maybe, the in--, like the industry on the internet is you know, be it social media, be it email, be it financial institutions, started instituting better security for their systems. So they started instituting two-factor authentication, which in essence is a, you need your password plus something else. And the easiest way to do that was to send a text message to a trusted phone number that the user or the subscriber had preregistered. So when you, you know, if you create a Google account, you tell Google what your phone number is, Google sends you a text message to that phone, and you type in the, the numbers that they, that pop up in your text message. And now you're authenticated. But the problem is that a lot of these services also allow you to reset passwords with only the two-factor authentication text message. So what happened is you or the victim gets SIM swapped, and they've al--, the bad guys have already done their research on you. They know your email address. Say it's, you know, @Google. They go, they type in your email address on Google, and then instead of typing in a password, they just click, "I forgot password." After getting prompted a couple times by Google, they'll send a text message to reset the password to the phone that's now in the suspect's hands. Once they receive that code, they type it in, they've reset your Google password, and now they can start searching through your emails for whatever accounts they're looking for be it crypto accounts, other financial accounts, social media accounts, whatever. But they sort of have the key to the kingdom now that they're in your email.

[00:06:39] Bob: They have the key to the kingdom.

[00:06:40] Samy Tarazi: Yeah.

[00:06:40] Bob: So we've made our cellphones basically the, the one big barrier to logging into almost anything, so if someone can pretend to be your cellphone, they can log into almost anything, right?

[00:06:50] Samy Tarazi: Correct, yeah.

[00:06:52] Bob: SIM swapping criminals didn't initially set out to steal cryptocurrency. At first it was more of a game, well a vanity. Original SIM swappers were just trying to steal hard to get Instagram and Twitter handles.

[00:07:08] Samy Tarazi: Originally, it was to steal these unique usernames on Instagram and stuff which was almost a victimless crime, and if wanted it for whatever reason, like say I'm an influencer, or I'm starting a business, or I'm just, you know I just like it, I, I could buy it.

[00:07:25] Bob: Criminals would hack accounts with popular names, often lightly used accounts by hijacking the account holder's cellphones and changing their passwords. Then they'd see the valuable handles on sites like OGUsers. It was a little like the domain name land rush of the internet's early days.

[00:07:45] Samy Tarazi: So they started SIM swapping for that purpose. This started in, you know, 2016, maybe 2015. And then it sort of morphed, I imagine it was something where, you know they'd SIM swapped, they'd go into the email account, and they see crypto just sitting there, and it's sort of a light bulb moment. They steal it, they're rich. They sort of share it, the rumors start spreading, and other people start doing it for themselves once they realize that hey, we could steal millions pretty easy.

[00:08:14] Bob: Steal millions pretty easy. Groups of criminals, most of them teenage boys, have suddenly stumbled on maybe the easiest way in history to steal millions of dollars. They gather in anonymous chatrooms around the internet and swap techniques for SIM swapping, for laundering the proceeds stolen from crypto wallets, and for hosting outrageous parties. But they need targets, and the obvious targets are early investors in cryptocurrency. And while Samy begins chasing after these teenagers through cyberspace, a group of these criminals decides to go after the smartphone that belongs to one of the earliest crypto investors.

[00:08:56] Michael Terpin: My name is Michael Terpin and I live in San Juan, Puerto Rico.

[00:08:59] Bob: And what do you do?

[00:09:01] Michael Terpin: I am a technology investor and advisor. I've been involved in the cryptocurrency markets since early 2013.

[00:09:10] Bob: So in 20--, 2013 is, it's not the beginning of crypto time, but almost, right. I mean you were there at the very beginning.

[00:09:17] Michael Terpin: The first bitcoin was mined in 2009. Super early would be somebody who was like 2010 when it was like under a penny. A year later it was under a dollar. A year after that, it was under $10. When I got in, it was about $100. It's $35,000 right now.

[00:09:35] Bob: Michael bought bitcoin when one coin was worth $100. It's priced at about $35,000 a bitcoin now. He has made millions of dollars as an early investor and not just in bitcoin, but in other cryptocurrencies too. And remember, he is a high-profile tech advisor. So SIM swapping criminals find him an attractive target. But Michael doesn't know what to think that day in 2017 when suddenly his phone simply goes dead. No signal.

[00:10:07] Michael Terpin: I had just moved into a, a, a new home in Puerto Rico. My wife and I were developing a property in Guaynabo. And my phone went dead and we thought it might have been just being out in the country, because the Guaynabo area is pretty rural. It was a Sunday afternoon. It takes a while for you to get a hold of anybody.

[00:10:26] Bob: Was your first thought, you know, this, this is weird, but this, this doesn't seem like it's a big hack or anything.

[00:10:33] Michael Terpin: I first thought that it was just, you know us being here at home and that, and the, you know phone service not working 'cause we're out in the country, but then my wife's phone worked fine.

[00:10:43] Bob: When you realized your phone wasn't working and your wife's phone was working, you went to your laptop to look at your email, right?

[00:10:48] Michael Terpin: I was already on my email.

[00:10:49] Bob: Oh you were. Okay, so this all happened within a few moments then.

[00:10:51] Michael Terpin: Yes, yes.

[00:10:52] Bob: Now...

[00:10:53] Michael Terpin: And that's when all of a sudden, I saw 5, 6, 7 email addresses being reset.

[00:10:57] Bob: Oh God.

[00:10:57] Michael Terpin: And that's when I realized that I'd been hacked.

[00:11:01] Bob: He'd been hacked. Criminals had reset the password on his email, and they seemed to be working their way through his other accounts. But why? What are the criminals after? Michael uses his wife's phone to call his cellphone providers and tries to wrest back control of his phone, but it's too late.

[00:11:20] Michael Terpin: They had already taken over some email accounts, and taken over, you know, the one, the small account that I had half a bitcoin in.

[00:11:29] Bob: A half a bitcoin, which at the time isn't worth that much money, about $1000. Within a few hours, Michael is able to get his phone service restored. It takes weeks to clean up the rest of the digital mess, but the amount of the theft is so small that police aren't very interested in pursuing the case. Michael doesn't just let it go however. He's worried thieves might strike again. So he calls both his cellphone providers.

[00:11:57] Michael Terpin: I had actually gone to both T-Mobile and to AT&T and said, how did this happen, and how can I prevent it from happening in the future. And that's when they told me about the celebrity plan. Every phone company has one, it's the higher level of authentication. And I asked point blank, you know, if I do this, will this protect me? And they, they both said yes.

[00:12:19] Bob: You know I think one of the important parts of the story at this point is, if anyone was prepared for and protected from a SIM swapping attack, it would be you at this point.

[00:12:29] Michael Terpin: I would say so.

[00:12:30] Bob: Yeah.

[00:12:30] Michael Terpin: I thought so.

[00:12:32] Bob: Meanwhile, at about the same time Samy has begun hunting for a suspect in that very first case of a dead phone and stolen crypto that he'd heard about.

[00:12:41] Samy Tarazi: So the first thing we did is we contacted AT&T through their law enforcement liaisons, and sort of asked, "Hey, we have this victim saying his number got compromised. We're seeking the records for that account." So we got the records a couple weeks later and we're looking at it, and we can see it's basically a big spreadsheet in Excel, and it has a lot of rows of data, but one of the rows is called an IMEI, which is like a specific number, like a, think of a serial number for a phone. It's unique to all phones. No matter where they're manufactured, an IMEI will be unique to a specific phone. So around the time where the victim says he lost service, we can see on the records that the IMEI's switched. So we knew that the phone that was now in control of the account was different than what our victim's phone was. So now we knew, hey, this, this absolutely happened. Someone took over this guy's account. The next thing that we saw and on these records from AT&T is whenever a text message or a phone call is placed to the account, so with your phone, if you make a call or you receive a call, your records from AT&T will tell us which cell towers were used to, to make that call or send that text message. Why is that important? That tells us generally speaking where the phone was at that date and time. So our victim is in the San Jose area, so we map, we map everything that happens before the SIM swap, and then right when the SIM swap happens the phone, the cell tower used for that new phone is now in Boston, and there's no way that the phone, you know, could have traveled from California to Massachusetts in, you know, in two seconds. So now we know our suspect or whoever is in control of the victim's cell phone account on the AT&T now lives in Boston, and that's, that's sort of where we began our investigation into our specific bad guy in this case.

[00:14:47] Bob: Was this a complete shock to you when you were, when you saw, wait, this phone is in Boston now? How can that be?

[00:14:52] Samy Tarazi: I wasn't shocked that it was in Boston, but the, the idea of the SIM swap was completely foreign to me and every like, every investigative step we took made sense to us at the time. We just have never done; we've never taken those investigative steps. So we're sort of taking like a bunch of investigative strategies from other types of crimes and applying it to this as we went.

[00:15:12] Bob: But they are getting very close to the criminal, and in the end, it's his own cellphone that turns him in.

[00:15:20] Samy Tarazi: In this particular case, this first Boston phone was an older, you know, a couple years old Android phone, so we sent the IMEI number to Google and said, "Hey, please tell us which email accounts, like which Google accounts logged in from this phone previously." So we wait... you know, maybe a month, and Google sends us this gigantic file with our suspect's name as the email address. And we start combing through the content of this email address and we find a selfie of our suspect holding up his Massachusetts ID card.

[00:15:57] Bob: The suspect is literally caught with his own selfie. But police don't want to arrest him just yet, because there are now many other reports of dead phones and cryptocurrency thefts and Samy has a pretty good sense that this suspect can help them get leads on a whole network of criminals.

[00:16:16] Samy Tarazi: Then we basically start stumbling on his social media accounts. Instagram, he had the Instagram 0, just, uh just the number 0. And I thought that was strange, like how does he have a one-digit Instagram account? And then we also learned that he had a Instagram account, just the letter T, T as in Tom, and the number 8. So he had three one-digit Instagram accounts. So it started delving us down another avenue of vanity handles on social media. It turns out like license plates, there's a sort of a black market for vanity Instagram accounts, and vanity Twitter accounts.

[00:16:59] Bob: There’s those stolen vanity accounts we talked about earlier, and as police peruse all these vanity Instagram accounts, they get a lead on a much more important suspect.

[00:17:10] Samy Tarazi: So now we're sending search warrants to Instagram for these vanity usernames that we're associating to our suspects and looking through that data to see what we can find. And as we're doing all of this research on full, we're talking to other law enforcement about their SIM swap victims. And in the midst of this, we get in contact with another victim around the same time in 2018 who's lost $5 million in crypto in the exact same way as our original victim who lost $10,000.

[00:17:41] Bob: $5 million.

[00:17:43] Samy Tarazi: $5 million. Gone in a flash.

[00:17:45] Bob: Wow.

[00:17:47] Bob: And Samy also gets an unfiltered look into the world of SIM swapping criminals.

[00:17:54] Samy Tarazi: We're still following him on Instagram. He's posting about his life and you know posting pictures and stuff, and they like to show off as they, they call it flexing. Whenever they steal something, they want to buy something flashy like a, like a diamond-encrusted Rolex, or go out to clubs, and you know, buy champagne service and just pour out the champagne on their watches. Very obnoxious videos. So right...

[00:18:19] Bob: Wait, I'm sorry. This is not a world I'm familiar with. So to show how much money they've just stolen, they go to a club, buy really expensive champagne and pour it out of the bottle onto the watch, onto the floor.

[00:18:31] Samy Tarazi: Yes, while taking videos of it so they can post it on social media to show everyone how rich they are.

[00:18:37] Bob: Samy and the rest of the investigative team are still lurking, still trying to gather as much intel and evidence as they can.

[00:18:45] Bob: While you're watching him, he doesn't know that you're watching him.

[00:18:49] Samy Tarazi: Correct, exactly.

[00:18:50] Bob: And just one, one thing that might be surprising to people, so you basically know who this person is, um, but you don't bust down the door and arrest this person five minutes after discovering it. Um, why not? What, what's happening now?

[00:19:01] Samy Tarazi: So we have, you know, especially on when a suspect's in another state, there's a lot of jurisdictional issues of like hey, how do we arrest this guy? Do we extradite him? Get him on a plane back to California? We still need all of our evidence, like we've identified who he is, but we don't really have all of the evidence yet to, you know, secure a conviction in, in court. So this is just like we have the suspect, I don't even think we've really developed probable cause to affect that arrest yet. We're still in the evidence collection process at this time. Granted, there's some rush now that we've learned that there's a, you know, a $5 million victim, we're trying to rush as quickly as possible not only to, you know secure their arrest, but to prevent further victims, 'cause we know this guy is going to keep doing it until he gets caught.

[00:19:49] Bob: And it's at one of these crazy parties that the criminals force Samy's hand, and investigators realize they have to move in on a suspect in that $5 million theft who they've identified as a teenaged UMass Boston student named Joel Ortiz.

[00:20:06] Samy Tarazi: So now this $5 million theft happens, and @0 basically is posting now that he's in Hollywood, California, like in a mansion somewhere and they're posting, you know, going to clubs in, in Hollywood and buying bottle service and you know, showing off the flashy watches. And not only is it Joel Ortiz, it's some other people with him that we don't know who they are. Joel is now in California where I have jurisdiction, but San Jose is, you know, a 5- or 6-hour drive from Hollywood. So, you know, Northern California/Southern California from our perspective, it might as well be two states from the distance. So now we're in early July, end of June 2018, and it's summer vacation, and these kids are, I call them kids, but they're 18, 19 years old; they're partying it up like they just stole $5 million. They're dropping 50-, 60-, $70,000 a night at a night club. And they're buying, you know, $100,000 watches without even thinking about it.

[00:21:11] Bob: Remember, they nabbed the first suspect because he had saved a selfie with his ID in his email. This time, the suspect calls police himself.

[00:21:22] Samy Tarazi: Joel Ortiz must have been flashing you know his money off in the wrong area because after they left the club, they went back to their Airbnb where they continued to party, but real street bad guys from Los Angeles followed him back to the house and robbed them at gunpoint. Basically duct-taped Joel Ortiz to a chair and went through the house and stole all the watches, stole all the phones, stole all the computers, and left. And Joel Ortiz, not being a sophisticated criminal, calls the police. He calls 911 and tells the Hollywood Robbery Division basically, that we were robbed at gunpoint, and the police show up at the Airbnb mansion and take a report. I know this because Joel Ortiz that night posts to his Instagram account that he was robbed. It's basically a live, like a live story, a video of him holding the camera up in bed just recounting sort of how scared he was, and how disrespectful these criminals were for stealing from him. And it didn't really matter too much because it's just money.

[00:22:28] Bob: And something else happens as Samy is watching this essentially live broadcast of a suspect unfold.

[00:22:36] Samy Tarazi: At the end of the video he says, "I think I'm going to go back to Boston," and we had some evidence that he wanted to go to a music festival in Europe. So that sort of freaked me out as an investigator a little bit because now he's sort of desperate. He's just been victimized of a robbery. He's saying he's leaving to Boston and then he's leaving the country, which would be terrible, because once, once an American citizen leaves the country, it's really, really hard to get them back in any reasonable amount of time unless they come back themselves. So we coordinated pretty quickly. I called the Hollywood division of LAPD and talked to the detective who had interviewed him. She had sent me the report basically with the real identity of everyone that was at that house, you know, names, date of birth, addresses, phone numbers, so now we know who Joel Ortiz's friends are and we assumed everyone there with him was probably involved in some capacity with the SIM swapping. So now we have a list of other suspects that will, will become important later. But now we're sort of in a rush to get Joel in custody before he leaves. So we were able to work with the Los Angeles Airport Police which is a separate entity than Los Angeles Police Department. We were able to identify which flight Joel is going to be taking from Los Angeles back to Boston, and me and my partners, some other law enforcement people are waiting for him at the metal detector to get to his gate, uh back to Boston. So once he passes through the metal detector, you know, he puts all his carryon stuff through the x-ray and takes off his belt and shoes, we intercept him there and tell him that he's under arrest.

[00:24:16] Bob: What did you think when you first saw him?

[00:24:18] Samy Tarazi: I sort of already knew what he looked like. He was showing off a lot on social media, but he was kind of outlandish on social media, but in person he was very quiet, very shy, and he seemed pretty scared at that moment.

[00:24:32] Bob: He didn't resist or, or did, did he talk to you?

[00:24:34] Samy Tarazi: He did not resist. But given that the fact that we surprised him at the airport and he didn't really have anything, there wasn't anywhere he could go. We were more worried that if we didn't catch him by surprise, he's be able to like lock his phone where we wouldn't be able to get into it, or like destroy some sort of evidence. That's why we waited for him to voluntarily remove it from his person. But yeah, he didn't resist. He just sort of, he didn't even really seem surprised, he just seemed scared and walked with us.

[00:25:01] Bob: At first, he tries to minimize his role in the $5 million theft.

[00:25:07] Samy Tarazi: He sort of describes SIM swapping as not that big of a deal, that all he did was hold the phone and read off text messages. He was in a chat room with other hackers that were, you know, the other hackers were the people really responsible. They just told him, "Hey, get this phone, put in the SIM card, read us some numbers, and we'll give you money." And that's what he did, and he doesn't really know who the victims are, he doesn't know how many victims there are, how much money he's stolen, but he's gotten some of the proceeds from that money. So we say, "Hey, where's, where is the money now?" And in his backpack, he had a, a cryptocurrency hardware wallet. It looks like a USB stick basically with some, like with a little LCD screen, and some buttons. So he tells us the code to unlock it. We unlock it, we plug it in, and there's about $100,000 in cryptocurrency on this, on this device. Now we tell him, "Hey, you stole $5 million, you know, 5 million from one victim and 10,000 from another. Where's the rest of the money?" He says, "Well, you know, a lot of that money was split amongst everyone involved, but that $100,000 is all I have left. I have, like from my share that I have gotten, I've spent everything minus that $100,000." So now we're, you know we're missing $4.9 million from our theft and we have, but we have one of the actors in custody.

[00:26:31] Bob: As Samy and his team feared, the criminal network figures out pretty quickly that Joel Ortiz has been arrested. So Samy begins a race to find and stop other gangs of SIM swappers that are pulling off multimillion-dollar cryptocurrency thefts. And meanwhile, at roughly the same time, Michael Terpin suddenly finds his phone has stopped working ... again.

[00:26:55] Bob: Is it a Sunday again?

[00:26:56] Michael Terpin: Sunday again.

[00:26:57] Bob: Middle of the afternoon?

[00:26:58] Michael Terpin: Middle of the afternoon.

[00:26:59] Bob: Where were you?

[00:27:00] Michael Terpin: I was in Las Vegas. My wife and I have a home in Las Vegas, you know we were actually out in Las Vegas for the Consumer Electronics Show. And I also had a conference of my own that started later that day leading into the Consumer Electronics Show. And I don't know if they knew that and knew that would be a perfect time to hit me, or if they just simply, you know, just thought, hey, it's a Sunday, you know this guy probably has some bitcoin. But all of a sudden, no signal right? So I, I basically noticed that something was wrong by the password resets. You know I had a number of password resets that happened again.

[00:27:33] Bob: So in this case, I'm guessing you roll your eyes and say, not again. Oh my God!

[00:27:38] Michael Terpin: Yeah, exactly. I was like, again? And so I figure, well, I'm on top of it now, you know let me, let's call in and get it disconnected.

[00:27:45] Bob: Michael knows he's in a race against the criminals now. He assumes they're after his cryptocurrency. So he calls his cellphone companies and after some delay is able to regain control of his phone but...

[00:27:59] Michael Terpin: Well I have, I have numerous wallets. I went in and checked all of my, you know, exchange accounts, and they were all protected by Google 2FA. I saw that they had hammered, tried to get in and they failed because they didn't have the Google authenticator device. That's something you can't hack without having the physical device. I thought, great, I dodged the bullet until, and again, I had my own, I had my own conference, it was a Sunday. I had my own conference on Monday. I think it was like Wednesday or Thursday that I finally went in to move some cryptocurrency because I was in the process of selling this particular crypto, and it was star--, starting to hit some, some higher numbers, and I went in and it was gone. And I was like, what? And that's when I realized that I had lost, you know, $24 million.

[00:28:42] Bob: $24 million dollars, stolen in an instant.

[00:28:48] Michael Terpin: And so that started my long journey with, you know, lawyers and, and law enforcement.

[00:28:56] Bob: Samy figures that Michael is only one of dozens of high value targets that SIM swapping gangs have managed to victimize. But his case is important.

[00:29:05] Samy Tarazi: His name was out there sort of like as the biggest thefts that was, you know, around at the time.

[00:29:12] Bob: He was the poster child for SIM swapping at the moment, right?

[00:29:14] Samy Tarazi: Correct. Yeah to, you know, he, he was the poster child, basically anyone who was working SIM swapping, we were in communication with them, because it wasn't that, there wasn't that many people working in SIM swapping yet. And although there's probably, you know, thousands of victims at this point, not all of them had a significant financial loss. The significant financial loss victims, you know, were probably less than 50 at this point that we were aware of anyway.

[00:29:40] Bob: But Michael has advantages that other victims do not. He's well known in the tech space, so he has friends in high places who can help him conduct his own investigation into finding out who stole his crypto. And he's owned public relations companies in the past, so he decides to go public with his story and makes an even bigger splash when he announces that he's decided to sue AT&T claiming the firm mishandled his security. After he goes public, tips start rolling in.

[00:30:11] Michael Terpin: Basically, I started hearing from informants once I started, you know, once I publicized the fact that I was suing AT&T, informants came out of the woodwork. My joke was like every Saturday morning I would get a um, a, a call from, you know, some random you know hacker using uh AudioTune to disguise their voice on my burner phone.

[00:30:31] Bob: (chuckles)

[00:30:33] Michael Terpin: And that wasn't far from the truth. One of the, you know, random guys on the burner phone, he basically told me who the ringleader was and gave me some evidence, and didn't want to take credit, just wanted to like see these guys you know go down, 'cause they were competitors. No honor among thieves, and so I was just like constantly getting all these people calling with the information. I'd feed it to the FBI, I'd feed it to my lawyers, you know, once we found pretty reliable evidence that the ringleader was a 15-year-old, we tried to figure out how to track him down.

[00:31:06] Bob: And that 15-year-old is... a high school student from Irvington, New York, named Ellis Pinsky, who Rolling Stone and New York newspapers start calling Baby Al Capone. Pinsky has never been charged for the crime, but he settles a civil case filed by Michael Terpin and agrees to pay back the stolen funds, and to testify for Michael in his lawsuit against AT&T. Pinsky also reveals a lot about how SIM swapping gangs work.

[00:31:34] Michael Terpin: Pinsky himself has admitted that he was one of the peoples, a 15-year-old who pioneered you know kind of the, the way of finding these guys. And then from like a, you know, anonymous account, and the ones that would, would respond and say, "What do you want?" Uh, he would then you know say, "Okay, you know, I, I want you to go and I will pay you know $500 to go and uh switch someone's phone to my number." And you know 80% of them will say, well no, I'll get fired, or that's illegal or whatever, but about 1 in 5 would say, sure.

[00:32:05] Bob: 1 in 5. Wow.

[00:32:07] Michael Terpin: 1 in 5, yeah. He said he had no problem finding people willing to do it.

[00:32:12] Bob: But as Michael continues his investigation, Samy is having a lot of trouble finding stolen cryptocurrency in the cases he's pursuing, even if he's found some of the SIM swapping gang.

[00:32:24] Samy Tarazi: So we're still continuing. All of this stuff is being worked on in the background as we sort of push forward trying to arrest as many SIM swappers as we can before they destroy evidence. So now we, we get a target in New York, who's done more SIM swapping and we know he's stolen millions of dollars and he's living in a, in basically downtown Manhattan in a like super expensive, I think it was like something like $15,000 a month, like one-bedroom condo, like on the 60th floor with a view in Manhattan. So we do a search warrant there with the Manhattan District Attorney's Office in this skyrise building, and we arrest him there. And we're interviewing him, we're seizing his crypto, we're seizing his stuff, he's also being defiant and minimizing and, you know, hiding his crypto. But we're able to find some of his crypto, he had a couple hundred thousand dollars in his crypto that he's stolen. He gets booked into the jail in New York, and eventually he gets extradited back to California.

[00:33:26] Bob: He is Nicholas Truglia who will eventually plead guilty to playing a role in laundering the $24 million stolen from Michael Terpin. Truglia is currently in prison serving an 18-month term. But at the time, he's just another crime gang member Samy is interrogating trying to track down as many SIM swappers as he can.

[00:33:48] Samy Tarazi: We're not investigating him there for Terpin, but evidence that we collect from him is shared with investigators investigating the Terpin case. But we're there for a different victim, or different victims, and trying to figure out who he works with.

[00:34:03] Bob: And arresting Truglia turns out to be a breakthrough.

[00:34:08] Samy Tarazi: We've arrested Nick. He's, evidence we've collected from there has led us to another, another suspect in Connecticut. So me and my partner drive from Manhattan to Connecticut, a couple hour drive, we work with the Secret Service out there and the local police, and we get another search warrant for this, this guy's house, he's a juvenile at the time, so I can't get too much into him just on how the laws work out in California, but he knew we were coming based, 'cause he knew Nick was offline now, so he assumed Nick was arrested and we were coming, you know, he knew Nick knew enough about him that would lead cops to him. So he had hidden his crypto and we were interviewing him, but he was pretty defiant. But his parents were shocked, you know, he's a juvenile living with his parents. I'm telling the parents, "Hey, your son stole millions of dollars, and this is how he's doing it, this is who he's working with. You are probably unaware," which they were, "and we need your help, 'cause we can't let your son keep these millions of dollars." So they, you know, sort of insist on the son that he cooperate. And eventually after, you know, a couple of hours of interviews, he finally sort of gives it up. And he tells us, "Hey I gave my real-life friend my crypto wallet. He lives a couple blocks away." So we sent investigators to that house and talked to the parents there, and we got, you know, we pulled the kids in the middle of the night, we wake up the kid, and he says, "Yeah, yeah, yeah, I hid it in the attic," like in a hidden compartment in the attic. So he goes and gets it, we bring it back to the house. Our guy in Connecticut unlocks it for us, and sitting on it is $1 million in bitcoin, sitting there.

[00:35:49] Bob: Wow.

[00:35:50] Bob: They find $1 million in bitcoin, stolen bitcoin, sitting in an attic in Connecticut.

[00:35:57] Samy Tarazi: This was a victim out of San Francisco who lost a million dollars. It wasn't laundered yet, and basically went from the victim's wallet to this wallet in Connecticut. So now we, hey, there's a million dollars. We finally found a complete seizure. He hasn't spent it yet, he hasn't wasted it on champagne and watches and whatever, or on, you know like we talked about earlier, vanity usernames that have no value. So...

[00:36:20] Bob: So you might be able to give this money back to the victim, right?

[00:36:24] Samy Tarazi: Yeah, no, we gave, almost immediately, a couple days later we sent it back. We were very, very excited for that win, and it was a call I looked forward to. I think I actually called the victim in San Francisco, 'cause we were East Coast at the time, and it was pretty at night, but I, I called the victim anyway. I figured they'd want to hear the news.

[00:36:42] Bob: If you ever have a, a million dollars to return to me, you can call me at 2 in the morning, I promise.

[00:36:47] Samy Tarazi: And see, yeah, exactly. So we were, what we were just sort of very happy, 'cause this has been months and months of nonstop work leading to frustration of not being able to get all of this money back. And we are able to finally catch someone in time before they wasted it.

[00:37:04] Bob: Eventually a set of crypto criminals are prosecuted and justice is swift and firm.

[00:37:11] Samy Tarazi: Erin West in, in Santa Clara County, basically all of those California guys I had mentioned, secured 10-year sentences in California State Prison, which is just simply unheard of for property crime in California. At the end of the day, we're talking about theft, you know it's not, it's not violent, you know rob--, it's not violent at gunpoint robberies, it's not murder, it's not a sexual crime, it's theft, and theft is not usually considered for something that was as hefty as a 10-year sentence. But our prosecutor was able to convince the judicial system that these guys are very serious criminals, they're stealing millions of dollars from behind a keyboard, and they're a significant threat to society which I think anyone listening to this would agree that if you could steal $5 million by, by clicking a few things on a keyboard, you're a threat to society.

[00:38:02] Bob: SIM swappers are a threat to society and to you. At the beginning of this episode, I told you we'd be talking about some high value, high priced crimes. But make no mistake, you don't need cryptocurrency to be a victim. A SIM swap incident can cause distress to victims in plenty of ways.

[00:38:22] Samy Tarazi: Everyone in the world is a potential target for SIM swapping if that text message can unlock your email and can unlock your financial accounts.

[00:38:33] Bob: There's just a lot of havoc a criminal can wreak if they get into your email account, right?

[00:38:36] Samy Tarazi: Yeah, they can absolutely destroy your lives in half an hour. Understand a lot of, a lot of your listeners are going to have iPhones with you know their, their photos are all backed up to the iCloud or to Google Drive or whatever, and they don't have an alternative backup. So even outside the financial side, I've had victims just lose you know a decade's worth of their family photos, and they can't get access to it because once the suspect's in control, the first thing they do is change your password and they change the recovery email address, and they change the recovery phone number. And it's nearly impossible for the companies, Apple and Google and stuff to change it back for you after the fact. And that's, like outside the financial loss, that's some of the saddest stories we hear is now like, hey, I had 30,000 photos of my kids over the years, and now I don’t have access to it anymore.

[00:39:28] Bob: Oh my God, that's so, so heartbreaking.

[00:39:30] Samy Tarazi: Completely, and it's like it's one of those things we just, I, after the fact, I have no control to help them in that, in that, in that state. That's up to the company and some people have luck dealing with their customer service, and some people don't.

[00:39:44] Bob: Samy thinks it's important for people to understand why text message style authentication isn't really safe for people any longer.

[00:39:53] Samy Tarazi: The important take away here is like when we think two-factor authentication and you go to like security 101, the two-factor authentication's either something that you have, something that you are, or something that you know. And this one here is something that you have, theoretically is the phone. That's why they set it up, that you have your phone, that's your phone, but in reality, we don’t really, we have a physical phone, but we don’t control the cell service. That's a third-party company that we're entrusting and that we're paying a monthly subscription to to keep up and running. And that's how these hackers are sort of circumventing the thing that you have because it's not really something that you have.

[00:40:35] Bob: And while these high-profile cryptocurrency SIM swapping hacks aren't in the news anymore, the crypto firms have adjusted to some degree. That doesn't mean SIM swapping has gone away.

[00:40:47] Bob: So where are we at now? Have, have things calmed down in the SIM swapping world?

[00:40:51] Samy Tarazi: I wouldn't say it's, like it's still there, it's still prevalent. Uh, but I think generally speaking cryp--, the crypto industry is more secure and people are, like if you're, if you have millions of dollars in cryptocurrency like sitting there, people have become more aware. It's still absolutely happening, it's just from my perspective, it's not, we're not seeing these 24- and $25 million dollar thefts from unsophisticated, you know, teenagers, young adults anymore. But it still happens, just not to that, that crazy extent where people are keeping their seed phrases in their email that unlock $20 million.

[00:41:31] Bob: You know, and to some extent that means it's more important than ever for my audience to know about it. Because now that the, the big-ticket thefts are, are over, those criminals are, are looking towards regular people and so my, my audience needs to know this is happening and needs to know how to protect themselves.

[00:41:49] Samy Tarazi: The good news is that our victims can absolutely protect themselves from damage of SIM swapping, but there's nothing they really can do to prevent the SIM swap from actually happening, because like we talked about earlier, the lowest level employee at these companies is empowered to conduct them. And if they're bribed or whatever, they can do it. It doesn't mean they won't get in trouble; it doesn't mean they won't get fired, but that doesn't help you in the moment if you're going to be SIM swapped.

[00:42:16] Bob: But you just said such a mouthful which is, anyone in the world who uses these text messages as part of their authentication process, is a target.

[00:42:26] Samy Tarazi: Yes.

[00:42:27] Bob: Okay, so how do people protect themselves?

[00:42:30] Samy Tarazi: So the, the first thing you need to do is check what, where am I vulnerable? Most people, the first step is their email. You know a lot, I would say the biggest, most common email provider we have is Google. So if you have @gmail, a lot of people, you know who started using the internet and before Google still have their you know, Yahoo, Yahoo.com, AOL.com, whatever, whatever, it doesn't matter whatever your email address is, but usually you log in through a web, you know you go to Google.com, or you go to Yahoo.com. You click log in. If you can log in and click reset password and it sends you a text message to reset it, then you need to go into your settings, your security settings and remove the ability to do that. A lot of times these services offer some alternative two-factor authentication method be it like with Google, for example, you can print out security codes that you can leave physically in a safe in your house, so if you forget your password, you can go type in one of those codes. You can use an application like Microsoft Authenticator, or Authy, it's just an app, a program you download from the app store that will give you a one-time code like every 30 seconds that you can type in. There's a multitude of other two-factor authentication methods that you can use that are part of that thing we talked about earlier, the fundamentals of security; something you have, something you are, or something you know. These, if it's one of those things and you totally have control over it, and you're confident that it's something you have or something you know as your second authentication method, then you are completely safe from SIM swapping. You just have to make sure everything that's sensitive to you, that you don't want to be compromised is protected by a second method, something you have or something you know. The main message is please remove any ability to access your accounts online via a text message. And every, I can almost guarantee, the majority of the listeners will have some account where they receive a two-factor authentication code to their phone. That's fine. Like if that's what happens, that's fine. For the most part you're not going to be SIM swapped, but make sure at the very least your email, your main email account that you associate to all of your you know financial accounts, cannot be reset without knowing something, right. Your email account can be reset simply by being SIM swapped. Because if they can do that, then they can pretty much get into anything because most financial institutions assume your email account is secure.

[00:45:20] Bob: Michael Terpin meanwhile has kept up the fight. He still wants AT&T to pay for the cryptocurrency that was stolen from him. Earlier this year a judge dismissed his lawsuit against the firm, but he's appealing that decision. AT&T in a statement to the New York Post in 2022 before the court's most recent ruling said, "Fraudulent SIM swaps are a form of theft committed by sophisticated criminals. We have security measures in place to help defeat them, and we work closely with law enforcement, our industry, and consumers to help prevent this type of crime." But Terpin, who says he spent at least $6 million of his own money fighting this legal battle, still wants regulators to force companies to make sure their systems protect consumers.

[00:46:07] Michael Terpin: Well, I mean I have three goals from what I'm doing here. Number one, I want my money back. I already have some of it back, but I'd like more. I may end up getting, you know, my money back from the criminals vs. AT&T. I get my money back, I'm happy. So that's number one. Number two, I want the laws to change. People should not have to go through this.

[00:46:26] Bob: Michael is advocating for regulations that would require cellphone companies to change the way they protect consumers from SIM swappers.

[00:46:35] Michael Terpin: And number three, you know I'd like, and again, maybe number two takes care of number three, you know I'd like uh you know, AT&T in particular to you know have some form of a, you know justice here, and so we'll see what the courts say.

[00:46:50] Bob: For The Perfect Scam, I'm Bob Sullivan.

(MUSIC SEGUE)

[00:46:57] Bob: If you have been targeted by a scam or fraud, you are not alone. Call the AARP Fraud Watch Network Helpline at 877-908-3360. Their trained fraud specialists can provide you with free support and guidance on what to do next. Our email address at The Perfect Scam is: theperfectscampodcast@aarp.org, and we want to hear from you. If you've been the victim of a scam or you know someone who has, and you'd like us to tell their story, write to us or just send us some feedback. That address again is: theperfectscampodcast@aarp.org. Thank you to our team of scambusters; Associate Producer, Annalea Embree; Researcher, Sarah Binney; Executive Producer, Julie Getz; and our Audio Engineer and Sound Designer, Julio Gonzalez. Be sure to find us on Apple Podcasts, Spotify, or wherever you listen to podcasts. For AARP's The Perfect Scam, I'm Bob Sullivan.

(MUSIC OUTRO)

END OF TRANSCRIPT