An American man living in Turkey was arrested earlier this month and is in the process of being extradited to the United States to face charges of hacking into a computer system used by T-Mobile, The Desk has learned.
John Binns, 24, was detained by Turkish authorities after a local court approved an extradition request by federal prosecutors in the U.S., according to two sources familiar with the matter.
In January, The Desk reported that Binns was indicted on 12 counts related to unauthorized access to computer systems used by T-Mobile back in 2021. At the time, Binns digitally poked around T-Mobile’s servers until he found a hole, and was able to exploit the security issue in order to download records connected to tens of millions of T-Mobile’s current and former wireless subscribers.
Binns acknowledged trespassing into computer networks used by T-Mobile, telling the Wall Street Journal he wanted to draw attention to the telecom’s lackluster security practices involving customer data. But prosecutors say Binns had ulterior motives, and tried to sell the data on so-called “dark web” forums that are frequented by cyber criminals like identity thieves and fellow hackers.
In an interview with 404 Media earlier this year, Binns said he was unfazed by the criminal indictment against him, and was waiting for some red tape to clear in order to be recognized as a Turkish citizen. A grant of approval would have made it complicated for Binns to be extradited to the U.S., given the frosty diplomatic relations between the two countries at the time.
Whatever issues were present then have since been settled, with a Turkish court clearing the way for Binns to return to the U.S. to face charges. It was not clear when that would happen. No one from the Justice Department was able to offer information to The Desk with federal offices closed due to the Memorial Day holiday.
Backdoor Access
Prosecutors say the scheme started around December 2020, when Binns began using computer programs to scan through Internet Protocol (IP) addresses associated with various networks used by T-Mobile.
He eventually gained access to computer servers used by T-Mobile that were located in a data center in Bellevue, a suburb of Seattle where T-Mobile’s U.S.-based operation is headquartered, the indictment alleges. (T-Mobile U.S. is a subsidiary of German telecommunications firm Deutsche Telekom.)
Once inside, Binns allegedly installed “backdoors” that would allow him to regain access to T-Mobile’s servers in case the company tried to plug its security holes, the complaint says. He also “used stolen passwords and credentials to traverse T-Mobile’s protected computers and networks and further access, without authorization, additional server groups located throughout the United States and elsewhere,” according to the indictment.
Among the information Binns had access to were “databases and information related to current, former and prospective T-Mobile customers,” which he downloaded from the company’s servers and eventually stored on computer hardware located in another country, the complaint says.
Later, Binns worked with at least four other people to sell T-Mobile’s customer information through a website called RaidForums, which prosecutors described as a “popular marketplace and database-sharing site frequented by cybercriminal [and] used to promote data leaks and hacking activity, including to advertised hacked data for sale.”
During a three-day period in August 2021, Binns accessed T-Mobile’s computer servers and downloaded records relating to millions of customers, prosecutors say. On August 11, he allegedly made a post on RaidForums offering to sell the personal information of more than 124 million Americans in exchange for six Bitcoin. (The price amounts to over $270,000, according to historical exchange rates reviewed by The Desk.)
Days later, Binns revised his RaidForums post, describing the compromised database as containing the personal information of 30 million Americans. The revision coincided with a public relations campaign he allegedly coordinated with an unindicted co-conspirator who went by “und0xxed” on Twitter, the social media platform now known as X. The co-conspirator claimed that the company “got destroyed” and that the scope of the cyberattack was larger than a similar incident involving British telecom TalkTalk in 2015.
Several days later, someone allegedly contacted Binns through RaidForums with an interest in buying the database. Binns “provided [the] buyer access to a portion of the stolen T-Mobile data” after receiving a payment in Bitcoin, the charging document claims. Once he received an additional payment, Binns gave the buyer the entire database, prosecutors said.
All told, Binns has been charged with four counts of violating the Computer Fraud and Abuse Act, three counts of wire fraud, two counts of access device fraud, two counts of identity theft and one count of money laundering.
Shortly after the hack was made public, T-Mobile’s Chief Executive Officer Mike Sievert apologized to customers, saying the company “didn’t live up to the expectations we have for ourselves to protect our customers.”
“Knowing that we failed to prevent this exposure is one of the hardest parts of this event,” Sievert said.