NY Man Pleads Guilty in $20 Million SIM Swap Theft – Krebs on Security


December 16, 2021
A 24-year-old New York man who bragged about helping to steal more than $20 million worth of cryptocurrency from a technology executive has pleaded guilty to conspiracy to commit wire fraud. Nicholas Truglia was part of a group alleged to have stolen more than $100 million from cryptocurrency investors using fraudulent “SIM swaps,” scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identities.



Truglia admitted to a New York federal court that he let a friend use his account at crypto-trading platform Binance in 2018 to launder more than $20 million worth of virtual currency stolen from Michael Terpin, a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts.

Following the theft, Terpin filed a civil lawsuit against Truglia with the Los Angeles Superior court. In May 2019, the jury awarded Terpin a $75.8 million judgment against Truglia. In January 2020, a New York grand jury criminally indicted Truglia (PDF) for his part in the crypto theft from Terpin.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their mobile device has been damaged or lost, or when they are switching to a different phone that requires a SIM card of another size.


Nicholas Truglia, holding bottle. Image: twitter.com/erupts

But fraudulent SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone controlled by the scammers. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many financial institutions and online services rely on text messages to send users a one-time code for multi-factor authentication.

Compounding the threat, many websites let customers reset their passwords merely by clicking a link sent via SMS to the mobile phone number tied to the account, meaning anyone who controls that phone number can reset the passwords for those accounts.
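The two paragraphs above describe the failure mode: once a number has been moved to a SIM the attacker controls, every SMS reset link and one-time code for that number is delivered to the attacker. One mitigation on the service side is to treat a number as untrusted for a hold period after the carrier reports a SIM change, and to suppress SMS-based password resets during that window. The script below is an added illustration, not code from the article or from any carrier or exchange; it assumes the service has access to SIM-change timestamps for its customers' numbers (a hypothetical feed), and the 72-hour hold window, phone numbers and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample data: a carrier record of when each number was moved to a
# new SIM, and a service's log of SMS-based authentication requests.
@dataclass(frozen=True)
class SimChange:
    phone: str
    changed_at: datetime          # moment the number was attached to a new SIM

@dataclass(frozen=True)
class AuthRequest:
    account: str
    phone: str
    kind: str                     # "sms_password_reset" or "sms_otp"
    requested_at: datetime

SIM_CHANGES: List[SimChange] = [
    SimChange("+15550000001", datetime(2018, 1, 7, 14, 5)),   # swapped 35 min before the reset below
    SimChange("+15550000002", datetime(2017, 6, 1, 9, 0)),    # routine swap months earlier
]

AUTH_REQUESTS: List[AuthRequest] = [
    AuthRequest("investor@example.test", "+15550000001", "sms_password_reset", datetime(2018, 1, 7, 14, 40)),
    AuthRequest("investor@example.test", "+15550000001", "sms_otp", datetime(2018, 1, 7, 14, 52)),
    AuthRequest("neighbor@example.test", "+15550000002", "sms_otp", datetime(2018, 1, 7, 15, 0)),
]

# Hypothetical policy value: a number is treated as unsafe for 72 hours after a SIM change.
HOLD_WINDOW = timedelta(hours=72)

def last_sim_change(phone: str, before: datetime, changes: List[SimChange]) -> Optional[SimChange]:
    """Most recent SIM change for `phone` that happened at or before `before`."""
    candidates = [c for c in changes if c.phone == phone and c.changed_at <= before]
    return max(candidates, key=lambda c: c.changed_at) if candidates else None

def assess(req: AuthRequest, changes: List[SimChange], hold: timedelta = HOLD_WINDOW) -> Tuple[str, str]:
    """Decide whether an SMS-based auth action may proceed on this number.

    Returns (decision, reason) with decision in {"allow", "deny", "step_up"}.
    """
    change = last_sim_change(req.phone, req.requested_at, changes)
    if change is None:
        return "allow", "no SIM change on record"
    age = req.requested_at - change.changed_at
    if age >= hold:
        return "allow", f"last SIM change {age.days}d ago, outside hold window"
    minutes = int(age.total_seconds() // 60)
    if req.kind == "sms_password_reset":
        # A reset link delivered to a freshly swapped number hands the account
        # to whoever holds the new SIM, so do not send it at all.
        return "deny", f"SIM changed {minutes} min ago; SMS reset suppressed, route to non-SMS recovery"
    # A login OTP alone is less dangerous, but still require a second, non-SMS factor.
    return "step_up", f"SIM changed {minutes} min ago; require non-SMS factor"

def triage(requests: List[AuthRequest], changes: List[SimChange]) -> List[Tuple[str, str, str]]:
    """Run every request through assess() and return (account, kind, decision) rows."""
    return [(r.account, r.kind, assess(r, changes)[0]) for r in requests]

if __name__ == "__main__":
    for row in triage(AUTH_REQUESTS, SIM_CHANGES):
        print(row)
```

The design point is that the hold applies to the phone number, not to the customer's password: the attacker in a SIM swap often already has the password, so the only signal the service can still act on is that the number itself changed hands recently.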

Reached for comment, Terpin said his assailant got off easy.

“I am outraged that after nearly four years and hundreds of pages of evidence that the best the prosecutors could recommend was a plea bargain for a single, relatively minor count of the unauthorized use of a Binance exchange account, when all the evidence points toward Truglia being one of two masterminds of a wide-ranging criminal conspiracy to steal crypto from me and others,” Terpin told KrebsOnSecurity.

Terpin said public court records already show Truglia bragging about stealing his funds and using it to finance a lavish lifestyle.

“He at the very least withdrew 100 bitcoin (worth $1.6 million at the time and nearly $5 million today) from my theft into his wallet at a separate, US-based exchange, and then moved or spent it,” Terpin said. “The fact is that the intentional theft of $24 million, whether taken at the point of a gun in a bank or through a SIM card swap, is a major felony. Truglia should be prosecuted to the fullest extent of the law.”


Nicholas Truglia, showing off a diamond-studded Piaget watch while aboard a private jet. Image: twitter.com/erupts.

Terpin also is waging an ongoing civil lawsuit against 18-year-old Ellis Pinsky, who’s accused of working with Truglia as part of a SIM swapping crew that has stolen more than $100 million in cryptocurrency. According to Terpin, Pinsky was 15 when he took part in the $24 million 2018 SIM swap, but he returned $2 million worth of cryptocurrency after being confronted by Terpin’s investigators.

“On the surface, Pinsky is an ‘All American Boy,'” Terpin’s civil suit charges. “The son of privilege, he is active in extracurricular activities and lives a suburban life with a doting mother who is a prominent doctor.”

“Despite their wholesome appearances, Pinsky and his other cohorts are in fact evil computer geniuses with sociopathic traits who heartlessly ruin their innocent victims’ lives and gleefully boast of their multi-million-dollar heists,” the lawsuit continues. “Pinsky is reputed to have used his ill-gotten gains to purchase multi-million-dollar watches and is known to go on nightclub sprees at high end clubs in New York City, and Truglia rented private jets and played the part of a dashing playboy with young women pampering him.”

Pinsky could not be immediately reached for comment. But a review of the latest filings in the lawsuit shows that Pinsky’s attorneys stopped representing him because he no longer had the funds to pay for their services. The most recent entry in the New York Southern District’s docket asks the court to give Pinsky additional time to seek counsel, and hints that barring that he may end up representing himself.


Ellis Pinsky, in a photo uploaded to his social media profile.

Truglia is still being criminally prosecuted in Santa Clara, Calif., the home of the REACT task force, which pursues SIM-swapping cases nationwide. In November 2018, REACT investigators and New York authorities arrested Truglia on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from Robert Ross, a San Francisco father of two who later went on to found the victim advocacy website stopsimcrime.org.

According to published reports, Truglia and his accomplices also perpetrated SIM swaps against the CEO of the blockchain storage service 0Chain; hedge-funder Myles Danielson, vice president of Hall Capital Partners; and Gabrielle Katsnelson, the co-founder of the startup SMBX.

Truglia is currently slated to be sentenced in April 2022 for his guilty plea in New York. He faces a maximum sentence of up to 20 years in prison.

Erin West, deputy district attorney for Santa Clara County, told KrebsOnSecurity that SIM swapping remains a major problem. But she said many of the victims they’re now assisting are relatively new cryptocurrency investors for whom a SIM swapping attack can be financially devastating.

“Originally, the SIM swap targets were the early adopters of crypto,” West said. “Now we’re seeing a lot more of what I would call normal people trying their hand at crypto, and that makes a lot more people a target. It makes people who are unfamiliar with their personal security online vulnerable to hackers whose entire job is to figure out how to part people from their money.”

West said REACT continues to train state and local law enforcement officials across the country on how to successfully investigate and prosecute SIM swapping cases.

“The good news is our partners across the nation are learning how to conduct these cases,” she said. “Where this was a relatively new phenomenon three years ago, other smaller jurisdictions around the country are now learning how to prosecute this crime.”

All of the major wireless carriers let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

For some tips on how to minimize your chances of becoming the next SIM swapping victim, check out the “What Can You Do?” section at the conclusion of this story.

This entry was posted on Thursday 16th of December 2021 12:52 PM

36 thoughts on “NY Man Pleads Guilty in $20 Million SIM Swap Theft”
Jack
December 16, 2021
Stopsimcrime.org not .com

NWBStu
December 16, 2021
Nice to see that officials are FINALLY doing something about this scourge that MK has been reporting on for years now. I personally have two very close friends who have been SIM swapped, and indeed one lost most of his crypto. The first friend spent over 100 hours pursuing his swapping crime–only to find the lack of knowledge, concern and competence with law enforcement was sadly less shocking than the level of incompetence and complicity by the cell carrier.

Good articles, love to see crooks get caught, just wish their punishment corresponded to their crime.

George Haeh
December 16, 2021
The simplest thing is NOT to allow Google to use your phone for password recovery.

A crook might hijack your phone, but if he can’t get into your Google account he can’t do much.

Unfortunately more financial institutions and the Canada Revenue Agency are insisting on texting a security code to your hijackable phone in the delusion that this enhances security.

Canuck
December 16, 2021
They can insist all they like, they cannot force you. And the CRA will still mail you pin codes.

Sterling
December 17, 2021
Same with the IRS. It’s how they verify identity for users of e-services. I gave one of their agents the other day a piece of my mind. It’s because somehow SMS texts became the default 2FA and people have no choice but to make themselves vulnerable in order to access the service. It’s a forced setup is what it is and scammers love it. Any security “expert” recommending SMS texts for user authentication should be fired. I lost everything via a SIM swap over three years ago because of T-Mobile and because of Google pushing/requiring a phone number as backup verification security if one forgets their password. The REACT task force passed me on to other CA and Federal law enforcement officials who told me Dawson Bakies was already tried in NY so they won’t be pursuing criminal charges, the money was spent (worth over $250k at the time; much more now) and I am free to pursue civil prosecution. I have no way to defend myself and can’t afford any attorneys. Dawson Bakies quite literally wrecked my life. And he is getting off easier than any of the guys in this article. So pathetic. If anyone can help, please contact by replying!

Claire Dworsky
January 6, 2022
Pls contact me, writing an article on this.

Hector Miranda
December 25, 2021
Google changed this about 2 weeks ago so that the only way to gain access to your account from a new device is using the phone number that is attached to the device that has your gmail. I had 2 gmails. One with a phone number from 2012 and a new one without a phone number. Both accounts were updated without my permission to require the new phone number of where the gmails are accessed. So now I’m obligated to use my new phone number to access my google account. Effectively making sim swapping even more powerful.

Slack
December 16, 2021
Probably need to toughen the law so that the mobile store employees can be charged with conspiracy in connection with these SIM swaps. As we’ve seen that any PIN you attempt to add to your account to prevent SIM swaps can be overridden by an employee.

Mark Lawrence
December 17, 2021
A phone company definitely shouldn’t be held responsible for guarding your financial credentials. I don’t blame phone companies for fighting back against people who choose to protect their finances with a SIM card. There’s a lot an owner can do to protect their finances without depending on the phone company to become a personal financial security guard.

Wannabtech guy
December 20, 2021
Did someone here say that? If so, I missed it.
Phone companies should be held responsible for what their employees do!
And the employees themselves. This is a theft!

Brian
December 16, 2021
What’s the formula for becoming a target here?

1) Crypto accounts secured only by phone 2FA
2) High crypto balance
3) Public advertising of said crypto balance / activity (on twitter, insta, etc)

I’m curious whether only publicly prominent individuals are targeted, or whether there is a broader net that the attackers are casting to find victims?

BrianKrebs Post author
December 16, 2021
You don’t have to tell a soul that you have crypto. Today’s attackers are using phony sign-up attempts to figure out which email addresses they’re looking at are already associated with accounts at Coinbase and elsewhere.

e.g., https://krebsonsecurity.com/2021/10/how-coinbase-phishers-steal-one-time-passwords/

from that story:

“Holden said the phishing group appears to have identified Italian Coinbase users by attempting to sign up new accounts under the email addresses of more than 2.5 million Italians. His team also managed to recover the username and password data that victims submitted to the site, and virtually all of the submitted email addresses ended in “.it”.

But the phishers in this case likely weren’t interested in registering any accounts. Rather, the bad guys understood that any attempts to sign up using an email address tied to an existing Coinbase account would fail. After doing that several million times, the phishers would then take the email addresses that failed new account signups and target them with Coinbase-themed phishing emails.

Holden’s data shows this phishing gang conducted hundreds of thousands of halfhearted account signup attempts daily. For example, on Oct. 10 the scammers checked more than 216,000 email addresses against Coinbase’s systems. The following day, they attempted to register 174,000 new Coinbase accounts.”
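The passage quoted above describes a signup endpoint being used as an account-existence oracle: the attempt fails when the address already has an account, and the failures are the data the phishers wanted. As an added example (not from the article, the comment above, or Coinbase), the script below shows the two defensive pieces a service can put in place: detection logic that runs over a constructed log of signup attempts and flags a source that fires many attempts whose results are mostly "already registered", and a signup response that says the same thing whether or not the address exists, so the oracle is closed. The log format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log of account-signup attempts, in a made-up format:
# timestamp, source address, e-mail submitted, and whether the address was
# already registered ("exists") or a new account was created ("created").
SIGNUP_LOG = """
2021-10-10T03:12:07Z src=203.0.113.5 signup email=a1@example.it result=exists
2021-10-10T03:12:08Z src=203.0.113.5 signup email=a2@example.it result=exists
2021-10-10T03:12:08Z src=203.0.113.5 signup email=a3@example.it result=created
2021-10-10T03:12:09Z src=203.0.113.5 signup email=a4@example.it result=exists
2021-10-10T03:12:09Z src=203.0.113.5 signup email=a5@example.it result=exists
2021-10-10T03:12:10Z src=203.0.113.5 signup email=a6@example.it result=exists
2021-10-10T03:12:11Z src=203.0.113.5 signup email=a7@example.it result=exists
2021-10-10T03:12:11Z src=203.0.113.5 signup email=a8@example.it result=exists
2021-10-10T03:40:02Z src=198.51.100.7 signup email=b1@example.it result=created
2021-10-10T04:15:44Z src=198.51.100.7 signup email=b2@example.it result=exists
""".strip().splitlines()

# The `ts` group deliberately keeps only the hour, which becomes the time bucket.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\dZ src=(?P<src>\S+) signup "
    r"email=(?P<email>\S+) result=(?P<result>exists|created)$"
)

def parse(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or None if the line is malformed."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def enumeration_sources(lines: List[str], min_attempts: int = 5,
                        min_exists_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag (source, hour) buckets whose signup attempts look like account probing.

    A real user signs up once. A probing client sends many attempts and most
    come back "exists", because the only purpose of the attempts is to learn
    which addresses already hold an account.
    """
    buckets = defaultdict(lambda: {"attempts": 0, "exists": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        b = buckets[(rec["src"], rec["ts"])]
        b["attempts"] += 1
        if rec["result"] == "exists":
            b["exists"] += 1
    flagged = {}
    for (src, hour), b in buckets.items():
        ratio = b["exists"] / b["attempts"]
        if b["attempts"] >= min_attempts and ratio >= min_exists_ratio:
            flagged[f"{src}@{hour}"] = {"attempts": b["attempts"], "exists_ratio": ratio}
    return flagged

def signup_response(email: str, registered: Set[str]) -> Tuple[str, str]:
    """Mitigation: the visible reply never reveals whether `email` has an account.

    Returns (public_message, internal_action). The distinction survives only in
    the internal action (which e-mail to send to the address), never in the
    message a client can read.
    """
    action = "send_existing_account_notice" if email in registered else "send_confirmation_link"
    public_message = "If that address is eligible, we have sent it an e-mail with the next step."
    return public_message, action

if __name__ == "__main__":
    print(enumeration_sources(SIGNUP_LOG))
    print(signup_response("a1@example.it", {"a1@example.it"}))
    print(signup_response("new@example.it", {"a1@example.it"}))
```

Rate limiting per source is the usual companion to this; the ratio check matters because a distributed probe can keep each source below a plain volume threshold, while the result mix still stands out.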

vb
December 16, 2021
By allowing thousands of email address queries, without any effort to calm the traffic, I consider Coinbase complicit in the hack. There is no way that thousands of queries should successfully succeed. Even if proxies are used, that level of volume should raise red flags.

mister krapootnik
January 11, 2022
5 dollar wrench solution.

vb
December 16, 2021
Hoping that Truglia has to pawn the diamond-studded Piaget watch to pay for his lawyers. In Philadelphia it’s worth 50 bucks.

Jonathan
December 17, 2021
This is a fantastic Trading Places reference.

Thank you for adding some levity to an otherwise very depressing article. Sometimes we need that.

Omghowdumbb
December 16, 2021
Stupid guy, what’s the point if money will be taken after prison, start from zero, put ur f skills in something legitimate and u earn more, u sleep well and u live a happy wealthy life.
Just so dumb, very dumb. If u want to steal and cheat do it legally like ws does it, work in ws, do the legal ways, market manipulation, get ur bonuses and all money legit, also dont f…risk with prison in usa. Mostly uneducated street thugs without skills are in usa prison, why the f… would a skilled guy want to go to prison? Just so dumb, very very dumb, if there are a lot of ways to make kinda legit money even in crypto and that guy chose the dumbest option?
Nowadays all those card forum guys make $1000 a week if even this, and take the risk of breaking the laws and might be going to prison any time.
F stupid, so stupid, just stupid

Nunio
December 17, 2021
People in their 20s often can’t conceive of being 30 years old, let alone 50, 60, 70,…. Living for the moment, damn the consequences. Yeah, it’s dumb, but not uncommon.

CJ
January 8, 2022
They are sociopaths… They don’t care about people. They care about quantity. They care about playing tricks. They are in it for the novelty. Can do that with anyone, anywhere. It’s a game. Prison is just another playing field. Not a deterrent. They will learn new tricks.

William Marshall
December 16, 2021
Will the move to eSims help or make this worse?

Jeffrey Joseph Hallaran
December 16, 2021
The thieves that commit these crimes should be prosecuted convicted and executed! No mercy no sympathy no I had a bad childhood!!
Then watch and see how many do it moving forward!

R. Cake
December 29, 2021
I can fully feel how you feel, and often I have similar impulses. However, research clearly shows that there is no correlation between the toughness of punishment and future crime. Societies that punish the most do not achieve stronger deterrence, and do not have lower crime rates than societies that punish less.
The example of US imprisonment rates and durations compared to other countries basically says it all.
And yet, when I read articles about criminals and their activities, I feel this fundamental anger, like you do. I guess this world just is weird and inconsequential and often unjust, looks like we have to live with it.

MB
January 8, 2022
The difference here is that most of the studies and statistics are looking at violent crimes and physical robberies, often (but obviously not always) committed by people who have little hope of bettering themselves otherwise, or are socio/psychopaths, etc. None of those are excuses. But you come down hard on these hacker dudebros and they spend hard time behind bars and I would suspect the results would be much better against recidivism…

Alexandra
December 17, 2021
The financial institutions that REQUIRE a mobile phone number for MFA are to blame. Bank of America now allows the use of YubiKeys and the like, HOWEVER, they still require a mobile phone as an additional MFA method. So frustrating.

Heath
December 17, 2021
I agree completely. Nobody should be using phone numbers for multi factor these days. We know it’s broken.

The real problem is that it’s way too easy to hide collection of personal data as a “security feature”. They won’t give up the opportunity to harvest verified phone numbers unless there are noticeable consequences for doing so.

joshua stein
December 18, 2021
yes, agree, ridiculous that some places force sms 2fa. with log4shell, one might surmise that sim swapping could’ve been unnecessary to gain access/intercept codes. there have been screen shots of people getting responses back from 2fa sms servers running software that used log4j.

Mika
December 19, 2021
Very true. I made sure important services supported YubiKeys before buying them. What I did not research beforehand was which services did not allow removal of phone authentication.

G.Scott H.
December 17, 2021
AT&T’s PIN implementation is a joke. I did not even have to give my PIN for my last new phone. The PIN should not be able to be bypassed, ideally ever. But, if it is able to be bypassed, it should be very limited and not available to frontline store employees or even store managers. If it can be bypassed so easily, then it is as if there is no PIN.

On the other hand they have implemented 2FA for online account access unless “remembered” by a persistent token cookie is saved from a previous session on that browser. There is a checkbox to “Trust this browser or device. (Not recommended if public or shared.)” which is checked/enabled by default. They send a code by SMS, but it is “more secure” because they will only send it to a number on the account. Logging in gets interesting when you always use a fresh