Quick Read
• A federal grand jury indicted a 23-year-old American man who admitted to hacking a computer network used by T-Mobile.
• The superseding indictment was handed down in 2022 and sealed by a federal court while investigators worked to have the man extradited from Turkey.
• Federal prosecutors filed a request earlier this month to have the indictment unsealed; The Desk is the first to publish the charging document in full.
A 23-year-old American citizen currently living in Turkey was quietly charged two years ago with carrying out a large-scale cyberattack against a T-Mobile data center and subsequently selling the personal information of tens of millions of customers.
In March 2022, a federal grand jury assembled in Washington state issued a multi-count indictment against John Binns, who gave an interview to the Wall Street Journal months before the indictment in which he affirmed his role in the attack against T-Mobile.
The grand jury indictment was sealed at the request of federal prosecutors, according to a source familiar with the matter, who provided a copy of the document to The Desk through an encrypted messaging application this week.
The original indictment contained seven charges against Binns, though prosecutors successfully obtained a superseding indictment several weeks later that increased the number of criminal counts to 12, the source said.
Earlier this month, prosecutors in Washington state filed a motion to have the grand jury indictment unsealed while they continue working with international authorities to have Binns extradited, the source said. A magistrate judge assigned to the case has yet to approve the request, the source said, adding that most federal court proceedings have been delayed because of the winter holiday break.
Efforts to have Binns extradited have been complicated by a years-long diplomatic standoff between the United States and Turkey. In 2018, Turkey threatened to refuse extradition requests unless the United States agreed to hand over a Muslim scholar accused of plotting a coup against the Turkish government. Since then, relations have been frosty, with both countries largely refusing to extradite criminal suspects.
Charges against Binns were first reported by the startup tech publication 404 Media. In an interview, Binns reportedly said he was unfazed by the indictment, and was waiting for some administrative red tape to clear in order to be fully recognized as a Turkish citizen, which 404 Media said would make it even more difficult to have him extradited from the country.
A story published by 404 Media explained in detail how Binns and four unnamed co-conspirators allegedly compromised T-Mobile’s computer servers three years ago. The bulk of the article was based on the grand jury indictment, which 404 Media did not publish. The Desk is publishing the full document for the first time.
Document: Read the 12-count indictment against John Binns (PDF file)
The indictment largely affirms what Binns told the Wall Street Journal in August 2021: that he digitally poked around T-Mobile’s servers until he found a hole, and from there, he was able to extract personal information connected to tens of millions of customers, including their names, birthdates, addresses and Social Security numbers.
But while Binns said his motive was to draw attention to T-Mobile’s abysmal security — at the time, it was the third security incident involving the wireless phone carrier in less than two years — federal prosecutors claim Binns and his alleged co-conspirators stole the information to raise their own profiles within the cybersecurity community and to sell the information of T-Mobile customers through online forums frequented by hackers and thieves.
Prosecutors say the scheme started around December 2020, when Binns began using computer programs to scan through Internet Protocol (IP) addresses associated with various networks used by T-Mobile.
He eventually gained access to computer servers used by T-Mobile that were located in a data center in Bellevue, a suburb of Seattle where T-Mobile’s U.S.-based operation is headquartered, the indictment alleges. (T-Mobile U.S. is a subsidiary of German telecommunications firm Deutsche Telekom.)
Once inside, Binns allegedly installed “backdoors” that would allow him to regain access to T-Mobile’s servers in case the company tried to plug its security holes, the complaint says. He also “used stolen passwords and credentials to traverse T-Mobile’s protected computers and networks and further access, without authorization, additional server groups located throughout the United States and elsewhere,” according to the indictment.
Among the information Binns had access to were “databases and information related to current, former and prospective T-Mobile customers,” which he downloaded from the company’s servers and eventually stored on computer hardware located in another country, the complaint says.
Later, Binns worked with at least four other people to sell T-Mobile’s customer information through a website called RaidForums, which prosecutors described as a “popular marketplace and database-sharing site frequented by cybercriminals [and] used to promote data leaks and hacking activity, including to advertise hacked data for sale.”
During a three-day period in August 2021, Binns accessed T-Mobile’s computer servers and downloaded records relating to millions of customers, prosecutors say. On August 11, he allegedly made a post on RaidForums offering to sell the personal information of more than 124 million Americans in exchange for six Bitcoin. (The price amounts to over $270,000, according to historical exchange rates reviewed by The Desk.)
Days later, Binns revised his RaidForums post, describing the compromised database as containing the personal information of 30 million Americans. The revision coincided with a public relations campaign he allegedly coordinated with an unindicted co-conspirator who went by “und0xxed” on Twitter, the social media platform now known as X. The co-conspirator claimed that the company “got destroyed” and that the scope of the cyberattack was larger than a similar incident involving British telecom TalkTalk in 2015.
Several days later, someone allegedly contacted Binns through RaidForums with an interest in buying the database. Binns “provided [the] buyer access to a portion of the stolen T-Mobile data” after receiving a payment in Bitcoin, the charging document claims. Once he received an additional payment, Binns gave the buyer the entire database, prosecutors said.
All told, Binns has been charged with four counts of violating the Computer Fraud and Abuse Act, three counts of wire fraud, two counts of access device fraud, two counts of identity theft and one count of money laundering.
Shortly after the hack was made public, T-Mobile’s Chief Executive Officer Mike Sievert apologized to customers, saying the company “didn’t live up to the expectations we have for ourselves to protect our customers.”
“Knowing that we failed to prevent this exposure is one of the hardest parts of this event,” Sievert said.
In 2022, several current and former customers filed a class action lawsuit against T-Mobile, accusing the wireless provider of failing to protect their private information. T-Mobile quickly settled the lawsuit, agreeing to pay more than $350 million and offering current and former customers complimentary access to an identity theft protection service.