U.S. District Judge Consuelo Marshall has rejected AT&T’s bid to dismiss a lawsuit that alleges the company was negligent for failing to prevent the theft of $1.8 million in crypto from investor Seth Shapiro.

In the judge’s order allowing the suit to continue, Shapiro’s claims of negligence, negligent supervision, claims brought under the Computer Fraud and Abuse Act, and request for punitive damages, were left intact.

SIM-swap attack

Shapiro, an Emmy Award-winning media tech consultant who has previously worked for the likes of Disney and Showtime, filed the suit against AT&T in December 2019, alleging that the firm’s security failures resulted in thefts across multiple attacks.

SIM-swap attacks require the participation of employees from a telecom company. The telecom employee deliberately, or unwittingly, reassigns the victim’s account to a SIM controlled by a malicious actor — who is then able to gain access to information or accounts belonging to the target.

The court order states that Shapiro suffered his first SIM-swap attack during May 2018, to which an AT&T employee “noted the SIM swap activity in [Plaintiff’s] account and assured [Plaintiff] that his SIM card would not be swapped again without his authorization.”

"AT&T failed to implement sufficient data security systems and procedures and failed to supervise its own personnel, instead standing by as its employees used their position at the company to gain unauthorized access to Mr. Shapiro's account in order to rob, extort and threaten him in exchange for money,” Shapiro’s complaint stated.

Shapiro has until May 29 to file an amended complaint in response to the order.

15-year-old hacker steals $24m in SIM-swap attack

AT&T also faces an ongoing lawsuit from pioneering crypto investor Michael Terpin, who is seeking more than $200 million in compensation for a $23.8 million SIM-swap attack that took place during January 2018.

Last month, the case took a surprising twist when Terpin launched a new lawsuit against the alleged perpetrator of the attack — who has recently turned 18 years old. 

At the time of the attack, the defendant, Ellis Pinsky, was just 15 years old and returned $2 million of the funds. Now that he is of legal age, Terpin is suing for the remaining sum plus damages — $71.4 million in total.

Speaking to Cointelegraph, Terpin stated that he was “a bit shocked to find out the alleged mastermind was only 15 at the time,” adding his surprise that “allegedly, this was not his first hacking or theft.”

Terpin asserted that Pinsky is in possession of $100 million, stating: “we believe he was being truthful when he told one of our informants via text that he still had $100 million hidden offshore.”