In one of the most brazen cryptocurrency theft cases of 2018, millionaire investor Michael Terpin filed a staggering $224 million lawsuit against telecommunications giant AT&T, alleging that the company’s negligence enabled hackers to steal nearly $24 million in digital assets through a sophisticated SIM swap attack. The case, filed on August 15, 2018, in U.S. District Court in Los Angeles, exposed critical vulnerabilities in how mobile carriers protect customer accounts — and sent shockwaves through the crypto community.
TL;DR
- Michael Terpin filed a $224 million lawsuit against AT&T over stolen cryptocurrency
- Hackers stole approximately $24 million in crypto through a SIM swap attack
- An AT&T insider allegedly helped the hacker bypass security protocols
- Terpin was hit twice within seven months through the same vulnerability
- The case highlighted systemic weaknesses in mobile carrier account security
The Attack: How $24 Million Vanished
Michael Terpin was no crypto newcomer. He had co-founded BitAngels, an angel investment group for Bitcoin investors, back in 2013, and managed a digital currency fund called BitAngels/Dapps Fund. But despite his deep experience in the space, he became the victim of a devastating attack that exploited not a blockchain vulnerability, but a weakness in traditional telecommunications infrastructure.
The hack worked through what the cryptocurrency community calls a SIM swap — a technique where an attacker convinces a mobile carrier to transfer a victim’s phone number to a SIM card controlled by the attacker. Once in possession of the phone number, the hacker can bypass two-factor authentication on email accounts, cryptocurrency exchanges, and digital wallets. In Terpin’s case, the consequences were catastrophic: nearly $24 million in cryptocurrency was drained from his accounts.
What made the attack particularly alarming was the allegation that it involved an AT&T insider. According to the 69-page complaint, an impostor was able to obtain Terpin’s phone number through an employee “cooperating with the hacker” — without being required to show valid identification or provide a required password at an AT&T store. The stolen phone number was then used to access Terpin’s cryptocurrency accounts and siphon his digital assets.
Not Once, But Twice
Perhaps the most damning aspect of the lawsuit was the revelation that this was not a one-time failure. Terpin was the victim of two separate hacks within a seven-month period, both exploiting the same AT&T account vulnerability. The fact that the attack succeeded a second time — after Terpin had presumably taken steps to secure his account following the first incident — suggested a fundamental breakdown in AT&T’s security protocols.
The complaint pulled no punches in its characterization of AT&T’s role. “What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner,” the lawsuit stated. Terpin sought $200 million in punitive damages and $24 million in compensatory damages, reflecting both the magnitude of his losses and his determination to hold the carrier accountable.
AT&T Responds
AT&T pushed back against the allegations. In an emailed statement, the company said it “disputed these allegations” and looked “forward to presenting our case in court.” The telecommunications giant’s lawyers appeared confident in their position, but the case nonetheless raised uncomfortable questions about the security practices of major mobile carriers — questions that the growing cryptocurrency community was increasingly desperate to have answered.
A Growing Threat
The Terpin case was not an isolated incident. SIM swapping attacks had been on the rise throughout 2018, targeting high-profile cryptocurrency holders with increasing frequency. The technique was deceptively simple but devastatingly effective, exploiting the fact that many online services — including cryptocurrency exchanges — relied on SMS-based two-factor authentication. The attacks highlighted a fundamental tension in the crypto ecosystem: while blockchain technology itself was secure, the human and institutional infrastructure surrounding it remained vulnerable.
The timing was particularly painful for the broader cryptocurrency market, which was already reeling from a prolonged bear market. Bitcoin, trading at approximately $6,580 on August 17, had lost roughly 65% of its value since its December 2017 peak near $20,000. News of high-profile hacks and thefts only added to negative sentiment, even as the market staged a modest recovery from its mid-August lows.
Industry Implications
Beyond the immediate legal battle, the Terpin case catalyzed a broader conversation about security practices in the cryptocurrency industry. The incident reinforced the urgency of moving away from SMS-based two-factor authentication toward more secure alternatives like hardware security keys and authenticator apps. It also raised questions about the legal obligations of telecommunications companies to protect their customers from social engineering attacks — a question that would continue to percolate through the courts in the months and years ahead.
Meanwhile, other corners of the crypto world were dealing with their own challenges. Cloud mining platform Genesis Mining informed customers that it would be forcing low-paying users to upgrade to premium subscriptions, a consequence of Bitcoin’s poor price performance in 2018 making mining less profitable. In Norway, crypto mining company Kryptovault received a bomb threat from someone who accused the facility of making too much noise — a bizarre but telling sign of the growing tensions around cryptocurrency mining operations worldwide.
Why This Matters
The Terpin v. AT&T case became a landmark moment in the intersection of cryptocurrency security and traditional telecommunications. It demonstrated that the weakest link in the cryptocurrency security chain was often not the blockchain itself, but the legacy systems that surrounded it. The $224 million lawsuit forced both the telecom and crypto industries to confront uncomfortable truths about account security, and it accelerated the adoption of hardware-based two-factor authentication across major cryptocurrency exchanges. The case also served as a cautionary tale for individual investors: no matter how sophisticated your understanding of blockchain technology, your security is only as strong as the weakest point in your authentication chain.
Disclaimer: This article was written for BitcoinsNews.com as part of our historical archive coverage. Price data sourced from CoinMarketCap historical snapshots. This is not financial advice. Past performance does not guarantee future results.