back to article $24m in fun bux stolen from crypto-mogul. Now he fires off huge fraud charge. Like, RICO, say?

The victim of a $24m cryptocurrency heist is suing his assailants in what is believed to be the first ever RICO claim involving digital currency. Plaintiff Michael Terpin claims Nicholas Truglia and 25 other unnamed defendants were part of an organized crew that robbed Terpin and other high-profile cryptocurrency owners by …

  1. gerdesj Silver badge

    All the King's horses ...

    "The miscreants called AT&T, and claimed to be Terpin with a new phone."

    ... and that is where it all unwound rather nastily. Security isn't easy.

    1. TheVogon

      Re: All the King's horses ...

      "The miscreants called AT&T, and claimed to be Terpin with a new phone."

      But a new SIM card would only be mailed to the account addres? And to collect one in a carrier shop requires photo ID.

      1. chuBb. Silver badge

        Re: All the King's horses ...

        more detail on how the sim swap worked here: he did present photo id, and managed to get his name added to the

        In essence though these security compromises work through a mixture of social engineering and bribery, getting your name added to an account, i.e. pose as a PA and say you need access to administrate it for your boss, and if thats not successful just pay off the lowest hanging fruit i.e. the sales chimp on the shop floor to just tick the seen appropriate id carrier arse covering nag screen on the sales terminal.

        Unfortunately convenience always trumps security when it comes to consumer tech, even if it was posted there is no real way to stop the social engineer changing that as well as adding them selves to the account, and commission chasing salesdroids will always be the easiest way past what ever security is in place

        Personally i cant wrap my head around why you would entrust 24m to a MFA system that uses SMS as anything but the cherry on top of at least two other methods [username password, biometric, hardware dongle/keyfob], that and the lack of stand and deliver references in this article, i mean the victim is caller Terpin!

        1. Michael Wojcik Silver badge

          Re: All the King's horses ...

          The Krebs piece is also worth reading for its portrait of another of these psychologically-abnormal IT criminals. Truglia clearly had poor social and life skills, and limited ability to empathize. He treated life like an RPG-style video game: gathering coins, buying buffs, and grinding.

    2. Doctor Syntax Silver badge

      Re: All the King's horses ...

      "Security isn't easy."

      Deciding not to - in effect - carry $24million in your phone is fairly easy.

      1. c1ue

        Re: All the King's horses ...

        $24m wasn't carried on the phone. The phone was 2nd factor in multi-factor authentication. Sim clone then "forget password" and reset.

        Or in other words, the real world of password attack.

        Cell phone based 2nd factor is convenient but cell phones are really, really easy to attack. This "gang" used a particularly high effort one; in reality you just need to find an appropriate cell phone store location with a manager who needs money fast...3 or 4 digit payments to these low paid people goes a long way...

        1. gnarlymarley

          Re: All the King's horses ...

          Cell phone based 2nd factor is convenient but cell phones are really, really easy to attack.

          And there lies the reason why 2FA might not be as awesome as we think it is all that cracked up to be. Most people are authenticating 2FA using cell phones.

    3. tmTM

      Re: All the King's horses ...

      Isn't this the same case where the claimant had heightened security on their account, which AT&T employee's just ignored and allowed the scam to progress.

      1. Michael Wojcik Silver badge

        Re: All the King's horses ...

        I think so. I believe Krebs's latest piece on this case (linked above) mentions that an AT&T employee was complicit, not just duped, in the Turpin case. Presumably that involved ignoring the restrictions Turpin had placed on his account.

  2. Cheshire Cat

    AT&T security fail

    I have some sympathy with him suing AT&T - their incompetence in not properly verifying his identity before making such a big change as porting his number is pretty clear.

    Though, I wouldn't ever advise securing $million assets with nothing but an SMS for 2FA.

  3. Flocke Kroes Silver badge

    And Ken White has a pony ...

    Bet it is not RICO.

    1. Stevie Silver badge

      Re: And Ken White has a pony ...

      Linked source asks himself a question about "suing for RICO".

      You don't sue or prosecute for RICO, you do that under the RICO statutes.

      Yes it is overused. But here the "organized" bit would seem to be justified since the case concerns the activities of a gang acting in concert (or we could say "as an organization") to commit crimes requiring a high degree of coordination and pre-planning.

      I've no sympathy for the gang members. Take 'em down under any and all laws that can be made to apply.

      There does seem to be a lot of victim-blaming going on here. Lots of people saying "he did it wrong" but not offering up the "right" alternative they imply is lurking behind their posts.

      Put yourself in the victim's shoes for a minute. Someone lifted 24 million dollars from your supposedly secure crypocash vault. Are you going to say "Fiddle de dee, tomorrow's another day" or are you going to grab a chainsaw, round up your hockey mask'n'chaps-wearing buddies and fire up the unfeasible dune buggies for a spot of takesie-backsies in a World Gone Mad?

  4. tallenglish

    Isnt this what hardware wallets are for.

    2fa is only as good as the medium it runs on.

    I would use an offline wallet for one for that amount and use either Authenticator or better yet a hardware based 2fa device like trezor. Especially if I had that amount of crypto and so many online wallets have been compromised as well.

    Not got much sympathy for this guy, he was pwned for being naive. Although I can see his issue with ATT for negligence, SIM swaps need to be done in person at a store of some kind so things like signature and other authentication can be checked first, allowing over the phone just asks to be abused.

    1. YourNameHere

      Re: Isnt this what hardware wallets are for.

      Two factor is good for you checking account with a couple grand or less in it. For something worth millions, you better have the hardware key or even something simple like Norton VIP or something that you can steal so easily like this. I want the physical key in my hand and if I loose that I expect to suffer painfully getting everything reset since this is what I deserve for loosing my keys in the first place. Geez, make it at least a little difficult for the jerks...

      1. Tom 38 Silver badge

        Re: Isnt this what hardware wallets are for.

        2FA using SMS has been known and reported to be insecure for some time now - long enough even for NIST to recommend not using it.

        Generic TOTP authenticators are available for every smartphone OS, if you use 2FA SMS for any reason you should stop.

        1. hellwig

          Re: Isnt this what hardware wallets are for.

          This sort of thing isn't even two-factor authentication though. Where was the "known" factor? The user name, phone number, address, etc.. is not privileged information. Sure, forgetting a password is common, but using only half the system (sending a single code to a device, and not requiring a password) defeats the entire purpose.

          Using SMS for 2FA is risky yes, but this was 1FA, even worse.

          If anything, something like this should use an SMS code AND an emailed code AND secret questions. Sure, you can phish for that info, but at least it requires more than just bribing some part-time AT&T employee to swap SIMs.

          Really, shame on the crypto bank here.

    2. chuBb. Silver badge

      Re: Isnt this what hardware wallets are for.

      Amusingly the thief did just that and transferred the funds to a trezor

  5. Gonzo_the_Geek

    $224m in damages?

    Where do these crazy numbers come from? Do the lawyers just pull a number out of $orifice and double it, or is there actual descriptive process for arriving at these numbers?

    1. Anonymous Coward
      Anonymous Coward

      Re: $224m in damages?

      well, AT&T look like they can afford a couple of bucks, so hey, let's start with $224m and see what they say. After all, "emotional damage" is priceless...

    2. d3vy

      Re: $224m in damages?

      My understanding is that in RICO cases damages are multiplied by 3 - so as well as actual loss legal costs and damages for distress etc could add up to 224.

      That said, this is enty based on a 10minute talk from an old defcon talk on YouTube... Please do not consider it to be legal advice :)

    3. Anonymous Coward
      Anonymous Coward

      Re: $224m in damages?

      $24,000,000.01 for the victim

      $199,999,999.99 for Gladstone Brookes/WeAcceptAnyDodgyClaim

  6. Anonymous Coward
    Anonymous Coward

    also suing AT&T for $224m

    start bidding high, 10 years laters you'll actually get a few milion. Claim for actual loss (say $400) and you're fucked before you even start thinking about "justice".

  7. Jon 37

    It's not RICO

    Here's a lawyer explaining how RICO is overused by people who really don't have a case:

    (Disclaimers: IANAL, and I haven't looked at this specific case).

    1. Michael Wojcik Silver badge

      Re: It's not RICO

      Oooh. Charles Stross takes one on the chin in that one.

      Well, he's not a lawyer either, and he does write a good novel. (Plus, if memory serves, back in the day he was entertainingly grumpy on rec.arts.books.sf.)

      I am also not in any way a lawyer, but a quick check of 18 USC 1962 leaves me wondering which RICO provision of unlawful conduct Turpin's lawyers think Truglia et alia engaged in. Maybe they can call the SIM fraud a case of interstate commerce (I have no idea what case law might say about that), and maybe SIM fraud could be construed as "racketeering activity" under 18 USC 1028 (relating to "identification documents") or 1029 ("access devices"), or one of the zillion other sections that can be used to claim racketeering.

      But AIUI, that's just the start of what a plaintiff has to demonstrate to get a judge to even let a RICO civil case proceed.

  8. Steve McGuinness

    AT&T Legally wont have a leg to stand on

    However theres no way they wont have 224 million legs to stand on. Best he can hope for there is a settlement that doesnt admit liability.

    The other guy however, how do you sue a guy in prison who likely has no assets left after the government seized it all?

  9. Ilsa Loving

    SMS MFA is horrible

    SMS-based MFA is only better than no MFA at all, and should not be used for anything as important as finances.

  10. W.S.Gosset Silver badge

    SMS 2FA

    "Interestingly", the Australian government's mandatory all-your-life-online MyGov system, constantly nags you to create a mobilephone/cellphone 2-Factor-Authentication setup every time you log in.

    AKA: we know NOTHING about security, we're just playing along with meme-du-jour. Because we're so PROFESSIONAL! And COOL!

  11. W.S.Gosset Silver badge


    Can wannabes PLEASE stop crying "oh you're a fool for using SMS-based 2FA; you should have a dongle."








    If they require SMS 2FA, you're stuck with it. So far in my life, I've not come across any actual CHOICE, not even in ability to magically swap in another magic platform that lets me magically do what *I* want. By magic. Because I'm special. I'm all techy and stuff. I build stripped unices for Xen instances and create 4way DRBD replications on raw metal -- I'm spessssshhhhhal.

    If the droids in-house decide SMS is the way to go, you're stuck with it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021