https://krebsonsecurity.com/2021/12/ny-man-pleads-guilty-in-20-million-sim-swap-theft/ Advertisement [142] Advertisement [10] Krebs on Security Skip to content * Home * About the Author * Advertising/Speaking NY Man Pleads Guilty in $20 Million SIM Swap Theft December 16, 2021 10 Comments A 24-year-old New York man who bragged about helping to steal more than $20 million worth of cryptocurrency from a technology executive has pleaded guilty to conspiracy to commit wire fraud. Nicholas Truglia was part of a group alleged to have stolen more than $100 million from cryptocurrency investors using fraudulent "SIM swaps," scams in which identity thieves hijack a target's mobile phone number and use that to wrest control over the victim's online identities. [phonefraudsmaller] Truglia admitted to a New York federal court that he let a friend use his account at crypto-trading platform Binance in 2018 to launder more than $20 million worth of virtual currency stolen from Michael Terpin, a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts. Following the theft, Terpin filed a civil lawsuit against Truglia with the Los Angeles Superior court. In May 2019, the jury awarded Terpin a $75.8 million judgment against Truglia. In January 2020, a New York grand jury criminally indicted Truglia (PDF) for his part in the crypto theft from Terpin. A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider's network. Customers can legitimately request a SIM swap when their mobile device has been damaged or lost, or when they are switching to a different phone that requires a SIM card of another size. [truglia] Nicholas Truglia, holding bottle. Image: twitter.com/erupts But fraudulent SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target's service to a new SIM card and mobile phone controlled by the scammers. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target's password, as many financial institutions and online services rely on text messages to send users a one-time code for multi-factor authentication. Compounding the threat, many websites let customers reset their passwords merely by clicking a link sent via SMS to the mobile phone number tied to the account, meaning anyone who controls that phone number can reset the passwords for those accounts. Reached for comment, Terpin said his assailant got off easy. "I am outraged that after nearly four years and hundreds of pages of evidence that the best the prosecutors could recommend was a plea bargain for a single, relatively minor count of the unauthorized use of a Binance exchange account, when all the evidence points toward Truglia being one of two masterminds of a wide-ranging criminal conspiracy to steal crypto from me and others," Terpin told KrebsOnSecurity. Terpin said public court records already show Truglia bragging about stealing his funds and using it to finance a lavish lifestyle. "He at the very least withdrew 100 bitcoin (worth $1.6 million at the time and nearly $5 million today) from my theft into his wallet at a separate, US-based exchange, and then moved or spent it," Terpin said. "The fact is that the intentional theft of $24 million, whether taken at the point of a gun in a bank or through a SIM card swap, is a major felony. Truglia should be prosecuted to the fullest extent of the law." [trugliaplane] Nicholas Truglia, showing off a diamond-studded Piaget watch while aboard a private jet. Image: twitter.com/erupts. Terpin also is waging an ongoing civil lawsuit against 18-year-old Ellis Pinsky, who's accused of working with Truglia as part of a SIM swapping crew that has stolen more than $100 million in cryptocurrency. According to Terpin, Pinsky was 15 when he took part in the $24 million 2018 SIM swap, but he returned $2 million worth of cryptocurrency after being confronted by Terpin's investigators. "On the surface, Pinsky is an 'All American Boy,'" Terpin's civil suit charges. "The son of privilege, he is active in extracurricular activities and lives a suburban life with a doting mother who is a prominent doctor." "Despite their wholesome appearances, Pinsky and his other cohorts are in fact evil computer geniuses with sociopathic traits who heartlessly ruin their innocent victims' lives and gleefully boast of their multi-million-dollar heists," the lawsuit continues. "Pinsky is reputed to have used his ill-gotten gains to purchase multi-million-dollar watches and is known to go on nightclub sprees at high end clubs in New York City, and Truglia rented private jets and played the part of a dashing playboy with young women pampering him." Pinksy could not be immediately reached for comment. But a review of the latest filings in the lawsuit show that Pinsky's attorneys stopped representing him because he no longer had the funds to pay for their services. The most recent entry in the New York Southern District's docket asks the court to give Pinsky additional time to seek counsel, and hints that barring that he may end up representing himself. [pinsky] Ellis Pinsky, in a photo uploaded to his social media profile. Truglia is still being criminally prosecuted in Santa Clara, Calif., the home of the REACT task force, which pursues SIM-swapping cases nationwide. In November 2018, REACT investigators and New York authorities arrested Truglia on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from Robert Ross, a San Francisco father of two who later went on to found the victim advocacy website stopsimcrime.org. According to published reports, Truglia and his accomplices also perpetrated SIM swaps against the CEO of the blockchain storage service 0Chain; hedge-funder Myles Danielson, vice president of Hall Capital Partners; and Gabrielle Katsnelson, the co-founder of the startup SMBX. Truglia is currently slated to be sentenced in April 2022 for his guilty plea in New York. He faces a maximum sentence of up to 20 years in prison. Erin West, deputy district attorney for Santa Clara County, told KrebsOnSecurity that SIM swapping remains a major problem. But she said many of the victims they're now assisting are relatively new cryptocurrency investors for whom a SIM swapping attack can be financially devastating. "Originally, the SIM swap targets were the early adopters of crypto," West said. "Now we're seeing a lot more of what I would call normal people trying their hand at crypto, and that makes a lot more people a target. It makes people who are unfamiliar with their personal security online vulnerable to hackers whose entire job is to figure out how to part people from their money." West said REACT continues to train state and local law enforcement officials across the country on how to successfully investigate and prosecute SIM swapping cases. "The good news is our partners across the nation are learning how to conduct these cases," she said. "Where this was a relatively new phenomenon three years ago, other smaller jurisdictions around the country are now learning how to prosecute this crime." All of the major wireless carriers let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees. For some tips on how to minimize your chances of becoming the next SIM swapping victim, check out the "What Can You Do?" section at the conclusion of this story. This entry was posted on Thursday 16th of December 2021 12:52 PM Ne'er-Do-Well News SIM Swapping Ellis Pinsky Erin West Michael Terpin Nicholas Truglia REACT Task Force Robert Ross SIM swapping stopsimcrime.com [141] Post navigation - Microsoft Patch Tuesday, December 2021 Edition 10 thoughts on "NY Man Pleads Guilty in $20 Million SIM Swap Theft" 1. Jack December 16, 2021 Stopsimcrime.org not .com Reply - 2. NWBStu December 16, 2021 Nice to see that officials are FINALLY doing something about this scourge that MK has been reporting on for years now. I personally have two very close friends who have been SIM swapped, and indeed one lost most of his crypto. The first friend spent over 100 hours pursuing his swapping crime-only to find the lack of knowledge, concern and competence with law enforcement was sadly less shocking the the level of incompetence and complicity by the cell carrier. Good articles, love to see crooks get caught, just wish their punishment corresponded to their crime. Reply - 3. George Haeh December 16, 2021 The simplest thing is NOT to allow Google to use your phone for password recovery. A crook might hijack your phone, but if he can't get into your Google account he can't do much. Unfortunately more financial institutions and the Canada Revenue Agency are insisting on texting a security code to your hijackable phone in the delusion that this enhances security. Reply - 4. Slack December 16, 2021 Probably need to toughen the law so that the mobile store employees can be charged with conspiracy in connection with these SIM swaps. As we've seen that any PIN you attempt to add to your account to prevent SIM swaps can be overridden by an employee. Reply - 5. Brian December 16, 2021 What's the formula for becoming a target here? 1) Crypto accounts securied only by phone 2FA 2) High crypto balance 3) Public advertising of said crypto balance / activity (on twitter, insta, etc) I'm curious whether only publicly prominent individuals are targeted, or whether there is a broader net that the attackers are casting to find victims? Reply - 1. BrianKrebs Post authorDecember 16, 2021 You don't have to tell a soul that you have crypto. Today's attackers are using phony sign-up attempts to figure out which email addresses they're looking at are already associated with accounts at Coinbase and elsewhere. e.g., https://krebsonsecurity.com/2021/10/ how-coinbase-phishers-steal-one-time-passwords/ from that story: "Holden said the phishing group appears to have identified Italian Coinbase users by attempting to sign up new accounts under the email addresses of more than 2.5 million Italians. His team also managed to recover the username and password data that victims submitted to the site, and virtually all of the submitted email addresses ended in ".it". But the phishers in this case likely weren't interested in registering any accounts. Rather, the bad guys understood that any attempts to sign up using an email address tied to an existing Coinbase account would fail. After doing that several million times, the phishers would then take the email addresses that failed new account signups and target them with Coinbase-themed phishing emails. Holden's data shows this phishing gang conducted hundreds of thousands of halfhearted account signup attempts daily. For example, on Oct. 10 the scammers checked more than 216,000 email addresses against Coinbase's systems. The following day, they attempted to register 174,000 new Coinbase accounts." Reply - 1. vb December 16, 2021 By allowing thousands of email address queries, without any effort to calm the traffic, I consider Coinbase complicit in the hack. There is no way that thousands of queries should successfully succeed. Even if proxies are used, that level of volume should raise red flags. Reply - 6. vb December 16, 2021 Hoping that Truglia has to pawn the diamond-studded Piaget watch to pay for his lawyers. In Philadelphia it's worth 50 bucks. Reply - 7. Omghowdumbb December 16, 2021 Stupid guy whts the point if money will be taken after prison start from zero put ur f skills in something legimate and u earn more u sleep well and u live happy wealthy life. Just so dumb very dumb if u want to steal and cheat do it legally like ws does it work jn ws do the legal ways market manipulation get ur bonuses and all money legit also dont f...risk with prison in usa mostly uneducated street thugs without skills are in usa why the f... skilled guy will want to go prison just so dumb very very dumb if there is a lot ways to make kinda legit money even in crypto and that guy choose the dumbest option ? Now days all those card forum guys making a 1000$ a week if even this and taking risk to brake the laws and might be going to prison any time. F stupid so stupid just stupid Reply - 8. William Marshall December 16, 2021 Will the move to eSims help or make this worse? Reply - Leave a Reply Cancel reply Your email address will not be published. Required fields are marked * [ ] [ ] [ ] [ ] [ ] [ ] [ ] Comment [ ] Name * [ ] Email * [ ] Website [ ] [Post Comment] [ ] [ ] [ ] [ ] [ ] [ ] [ ] D[ ] Advertisement [7] Advertisement [138] Mailing List Subscribe here Search KrebsOnSecurity Search for: [ ] [Search] Recent Posts * NY Man Pleads Guilty in $20 Million SIM Swap Theft * Microsoft Patch Tuesday, December 2021 Edition * Inside Ireland's Public Healthcare Ransomware Scare * Canada Charges Its "Most Prolific Cybercriminal" * Who Is the Network Access Broker 'Babam'? Spam Nation Spam Nation A New York Times Bestseller! Thinking of a Cybersecurity Career? Thinking of a Cybersecurity Career? Read this. All About Skimmers All About Skimmers Click image for my skimmer series. Story Categories * A Little Sunshine * All About Skimmers * Ashley Madison breach * Breadcrumbs * Data Breaches * DDoS-for-Hire * Employment Fraud * How to Break Into Security * Latest Warnings * Ne'er-Do-Well News * Other * Pharma Wars * Ransomware * Security Tools * SIM Swapping * Spam Nation * Target: Small Businesses * Tax Refund Fraud * The Coming Storm * Time to Patch * Web Fraud 2.0 The Value of a Hacked PC valuehackedpc Badguy uses for your PC Badguy Uses for Your Email Badguy Uses for Your Email Your email account may be worth far more than you imagine. Donate to Krebs On Security Most Popular Posts * Sextortion Scam Uses Recipient's Hacked Passwords (1076) * Online Cheating Site AshleyMadison Hacked (798) * Sources: Target Investigating Data Breach (620) * Trump Fires Security Chief Christopher Krebs (534) * Cards Stolen in Target Breach Flood Underground Markets (445) * Reports: Liberty Reserve Founder Arrested, Site Shuttered (416) * Was the Ashley Madison Database Leaked? (376) * DDoS-Guard To Forfeit Internet Space Occupied by Parler (374) * True Goodbye: 'Using TrueCrypt Is Not Secure' (363) * Who Hacked Ashley Madison? (361) Why So Many Top Hackers Hail from Russia [computered-580x389] Category: Web Fraud 2.0 Criminnovations Innovations from the Underground [shreddedID-copy-285x189] ID Protection Services Examined Is Antivirus Dead? Is Antivirus Dead? The reasons for its decline The Growing Tax Fraud Menace The Growing Tax Fraud Menace File 'em Before the Bad Guys Can Inside a Carding Shop Inside a Carding Shop A crash course in carding. Beware Social Security Fraud Beware Social Security Fraud Sign up, or Be Signed Up! How Was Your Card Stolen? How Was Your Card Stolen? Finding out is not so easy. Krebs's 3 Rules... Krebs's 3 Rules... ...For Online Safety. (c) Krebs on Security