Telecoms provider T-Mobile has become the latest corporate name to come under fire for its alleged negligence and failure to protect customer information, which indirectly enabled a "SIM swap attack" that led to the successful theft of $450,000, or 15 Bitcoin (BTC).

A SIM swap attack — also referred to as a port-out scam — has proved to be a popular tactic with criminals in recent years. Such an attack involves the theft of a victim’s cell phone number, which can then be used to hijack the victim's online financial and social media accounts by intercepting automated messages or phone calls that are used for two-factor authentication security measures. 

The lawsuit filed against T-Mobile on Feb. 8 in the Southern District of New York by plaintiff Calvin Cheng — the victim who alleges he lost $450,000 in Bitcoin following such an attack — explains exactly how it is that telecoms firms come to play such a crucial role in this particular kind of fraud: 

"A criminal third-party convinces a wireless carrier like T-Mobile to transfer access to one of its legitimate customers' cellular phone number from the legitimate customer's registered SIM-card [...] to a SIM-card controlled by the criminal third party [...] This sort of account takeover is not an isolated criminal act, per se, as it requires the wireless carrier's active involvement to swap the SIM to an unauthorized person's phone."

The incident at issue in the lawsuit occurred, according to Cheng, after a SIM-swap was successfully carried out in May 2020 against a T-Mobile customer and co-founder of crypto-focused investment fund Iterative Capital, Brandon Buchanan.

Cheng had conducted several successful transactions with Iterative to purchase Bitcoin in the months prior to the incident, communicating with Buchanan and others in Iterative via Telegram and using a crypto exchange administered by the fund.

After the SIM-swap, the perpetrators allegedly impersonated Buchanan on a Telegram chat with Cheng, reaching out to him asking him whether or not he wanted to sell Bitcoin for an Iterative client at an attractive premium. Having been lulled into thinking the communications were from Buchanan, Cheng agreed to the deal and transferred the Bitcoin to a digital wallet he believed to be controlled by Buchanan and/or Iterative — a mistaken belief, as it soon turned out.

A couple of days later, Buchanan reached out to Iterative's exchange clients to inform them that several of his accounts had been compromised by SIM-swappers, who had falsely assumed his identity and used it to initiate trades on Iterative's supposed behalf. The rest of the complaint details Cheng's appeal to the FBI, which is investigating the incident and attempting to identify the perpetrators. Buchanan has also attempted to intercede directly with T-Mobile on behalf of Cheng, but has failed to secure a refund on his behalf.  

As the lawsuit underscores, SIM-swapping is hardly a new phenomenon and has been actively discussed by federal agencies since 2016 at the latest. Nor is this the first time T-Mobile has been embroiled in SIM swap-related lawsuits involving cryptocurrency investors.

The lawsuit accuses T-Mobile of failing implement to adequate security policies to prevent unauthorized access to its customers' accounts, failing to train or supervise its employees to prevent successful fraud, and of wrongful conduct in its "reckless disregard" for various obligations and duties under federal and state law. The carrier is thus accused of knowingly violating the Federal Communications Act the Computer Fraud and Abuse Act, the New York Protection Act, as well as two counts of negligence.