A California man has filed a federal lawsuit against wireless phone company T-Mobile after he alleged a recent fraudulent scheme caused him to lose $450,000 in digital cash.
In a complaint filed in federal court on Monday, Calvin Cheng said he lost the cryptocurrency after becoming a victim of “SIM swapping,” a technique used by cyber criminals to steal the phone number of an individual in an attempt to gain access to their online accounts.
In this case, Cheng alleges an unknown fraudster targeted the co-founder of an investment firm called Iterative Capital. The co-founder, Brandon Buchanan, became the victim of a “SIM swapping” scheme in which a fraudster tricked T-Mobile into transferring Buchanan’s phone number from a SIM card inserted into his phone to a different SIM card controlled by the alleged criminal. (Despite being the target of the alleged criminal act, Buchanan did not appear to be a plaintiff in Cheng’s case.)
That allowed the suspect to gain access to some digital accounts associated with Buchanan where a phone number is required for authentication. After gaining access to the accounts, the hacker contacted Cheng via Telegram and convinced him to transfer more than a dozen digital tokens known as Bitcoin for a premium price.
Cheng transferred the Bitcoin, believing he would be paid by Buchanan and Iterative Capital. But the payment never came through. As a result of the scheme, Cheng says he permanently lost his Bitcoin valued at over $450,000. A criminal investigation into what happened remains ongoing.
Cheng is suing under a little-known provision of the Computer Fraud and Abuse Act (CFAA), a federal anti-hacking statute that is typically used by prosecutors to go after cyber criminals accused of minor hacking offenses. The CFAA also allows victims of alleged cyber offenses to target individuals and companies through civil litigation in an effort to recoup financial losses.
Here, Cheng alleges T-Mobile’s inability to safeguard Buchanan’s personal information makes them liable under the CFAA, and he’s seeking monetary compensation for the loss of his cryptocurrency.
“Unlike a direct hack of data where a company like T-Mobile plays a more passive role, SIM-swaps are ultimately actualized by the wireless carrier itself,” the complaint said. “It is T-Mobile, in this case, that effectuates the SIM card change. This action remains operative and in force when the victim’s phone activity is used to hack other online accounts, extort the victim, or cause other foreseeable injuries, such as the one suffered by Plaintiff here.”
Cheng used comments by a Federal Trade Commission official to bolster his claim that T-Mobile is responsible for his alleged loss. In 2016, the official — who was herself a victim of a SIM swapping incident — said phone companies like T-Mobile “are in a better position than their customers to prevent identity theft through mobile account hijacking and fraudulent new accounts.”
That, in part, is because phone companies themselves must initiate the transfer of a phone number between SIM cards.
Despite this warning nearly five years ago, Cheng said T-Mobile was derelict in its duty to protect Buchanan’s account information and that of other customers. He points to a study conducted by researchers last year that found that phone companies were woefully unprepared to deal with the issue of SIM swapping schemes. T-Mobile was specifically mentioned in that study.
“T-Mobile failed to implement and/or maintain security policies and procedures sufficient to protect the unauthorized access to Buchanan’s [customer data],” Cheng alleged, adding that T-Mobile’s employees were not properly trained to safeguard the data even though they should have known that SIM swapping schemes were a real problem within the industry.
Cheng is asking for a jury trial and for a judge to award him compensatory and punitive damages if the phone company is ultimately found liable for his loss.