Cryptocrime —

Judge allows suit against AT&T after $24 million cryptocurrency theft

It's usually not possible to reverse fraudulent cryptocurrency transactions.

An AT&T store in New Jersey.
Enlarge / An AT&T store in New Jersey.
Michael Brochstein/SOPA Images/LightRocket via Getty Images

When Michael Terpin's smartphone suddenly stopped working in June 2017, he knew it wasn't a good sign. He called his cellular provider, AT&T, and learned that a hacker had gained control of his phone number.

The stakes were high because Terpin is a wealthy and prominent cryptocurrency investor. Terpin says the hackers gained control of his Skype account and tricked a client into sending a cryptocurrency payment to the hackers instead of to Terpin.

After the attack, Terpin asked AT&T to escalate the security protections on his phone number. According to Terpin, AT&T agreed to set up a six-digit passcode that must be entered before anyone could transfer Terpin's phone number.

But the new security measures didn't work. In January 2018, "an AT&T store cooperated with an imposter committing SIM swap fraud," Terpin alleged in his August 2018 lawsuit against AT&T. The thieves "gained control over Mr. Terpin’s accounts and stole nearly $24 million worth of cryptocurrency from him."

Terpin sued AT&T, seeking at least $24 million in actual damage and millions more in punitive damages. Terpin also asked the court to void terms in AT&T's customer agreement that disclaim liability for security problems—even in cases of negligence by AT&T. Terpin argued that these boilerplate terms are unconscionable because customers never have an opportunity to negotiate them.

But AT&T asked the judge to dismiss the case, arguing that Terpin didn't adequately explain how the phone hack led to the loss of his cryptocurrency. Terpin's lawsuit provided no details about how Terpin had stored his cryptocurrency, how the hackers had gained access to it, or if they might have been able to carry out a similar attack without control of Terpin's phone number. In any event, AT&T argued that it shouldn't be held responsible for the misconduct of the hackers who actually carried out the theft of cryptocurrency.

A mixed ruling

On Thursday, Judge Otis Wright—a man we once depicted as a hulking green giant preparing to smash the copyright trolls at Prenda Law—issued a ruling that provided some reason for each side to celebrate.

Wright agreed with AT&T that Terpin had not adequately explained how the hack of his account led to the theft of his cryptocurrency or why AT&T should bear responsibility. As a result, he dismissed claims that relied on Terpin's claimed $24 million loss.

However, Wright dismissed the claims with "leave to amend," meaning that Terpin has 21 days to file a new version of his lawsuit that more fully explains how the cryptocurrency was stolen and why AT&T should be held responsible.

At the same time, Wright allowed the case to move forward with Terpin's arguments against AT&T's one-sided customer agreement. Wright hasn't yet voided the terms, but he found Terpin's arguments on the issue plausible enough to let the case continue.

"We are pleased the court dismissed most of the claims," AT&T said in an emailed statement. "The plaintiff will have the opportunity to re-plead but we will continue to vigorously contest his claims."

This kind of phone hacking incident is of particular concern in the cryptocurrency world because of the non-reversibility of most virtual currencies. If a hacker steals funds from a conventional bank account, a fast-acting victim can usually get the transaction reversed and the funds restored. By contrast, if a hacker steals someone's bitcoins, they're likely to be gone permanently, since no one has the authority to cancel transactions once they're committed to the blockchain.

As a result, cryptocurrency is much more of a "user beware" world than the conventional banking system. If you own a significant amount of cryptocurrency—and especially if you're publicly known to have a significant amount of cryptocurrency—then it's wise to store it in a way that doesn't depend on the security of your phone number.

Channel Ars Technica