A 24-year-old New Yorker who bragged about helping steal more than $ 20 million in cryptocurrency from a tech official has pleaded guilty to conspiring to commit wire fraud. Nicolas truglia was part of a group that allegedly stole more than $ 100 million from cryptocurrency investors using fraudulent “SIM swaps”, scams in which identity thieves hijack a target’s cell phone number and use it to take control of the victim’s online identity.
Truglia admitted in New York federal court that he let a friend use his account on a crypto trading platform Binance in 2018 to launder more than $ 20 million of stolen virtual currency from Michel terpin, a cryptocurrency investor who co-founded the first group of angel investors for bitcoin enthusiasts.
Following the theft, Terpin filed a civil lawsuit against Truglia in Los Angeles Superior Court. In May 2019, the jury awarded Terpin a $ 75.8 million judgment against Truglia. In January 2020, a New York grand jury indicted Truglia (PDF) for his role in Terpin’s crypto theft.
A SIM card is the tiny removable chip on a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their mobile device has been damaged or lost, or when they switch to another phone that requires a different size SIM card.
Nicholas Truglia, holding a bottle. Image: twitter.com/erupts
But fraudulent SIM card exchanges are frequently exploited by crooks who trick mobile phone providers into linking a target’s service to a new SIM card and mobile phone controlled by the crooks. Unauthorized SIM trades are often carried out by fraudsters who have previously stolen or phished a target’s password, as many financial institutions and online services rely on text messages to send users a code for use. single for multi-factor authentication.
To compound the threat, many websites allow customers to reset their passwords simply by clicking on a link sent via SMS to the mobile phone number linked to the account, which means that anyone in control of that phone number can reset them. passwords for these accounts.
Asked for comment, Terpin said his attacker got off easily.
“I am outraged that after nearly four years and hundreds of pages of evidence that the best prosecutors can recommend was a plea bargain on a single, relatively minor count of unauthorized use of an unauthorized account. ‘Binance exchange, as all evidence points to Truglia being one of the two masterminds in a massive criminal conspiracy to steal crypto from me and others, ”Terpin told KrebsOnSecurity.
Terpin said public court records already show Truglia bragging about stealing her funds and using them to fund a lavish lifestyle.
“He at least removed 100 bitcoins (worth $ 1.6 million then and almost $ 5 million today) from my theft in his wallet at a separate US-based exchange , then moved it or spent it, ”Terpin said. “The point is, the intentional theft of $ 24 million, whether committed at a gunpoint in a bank or through a SIM card swap, is a major crime. Truglia should be prosecuted with all the force of the law.
Nicholas Truglia, showing off a Piaget diamond-set watch aboard a private jet. Image: twitter.com/erupts.
Terpin also files an ongoing civil lawsuit against an 18-year-old Ellis Pinsky, who is accused of working with Truglia as part of a SIM card exchange team that stole more than $ 100 million in cryptocurrency. According to Terpin, Pinsky was 15 when he participated in the $ 24 million SIM exchange in 2018, but he returned $ 2 million in cryptocurrency after being confronted by Terpin investigators.
“At first glance, Pinsky is an ‘All American Boy'”, accuses the civil lawsuit of Terpin. “A privileged son, he is active in extracurricular activities and lives a suburban life with a loving mother who is a distinguished physician.”
“Despite their sane appearances, Pinsky and his other cohorts are actually evil computer geniuses with sociopathic traits that mercilessly ruin the lives of their innocent victims and gleefully brag about their multi-million dollar heists,” he continued. trial. “Pinsky is known to have used his ill-gotten gains to buy multi-million dollar watches and is known to take nightclubs to upscale clubs in New York City, and Truglia has chartered private jets and played the role of a dashing playboy. with young women who pamper him.
Pinksy could not immediately be reached for comment. But a review of the latest deposits in the lawsuit shows Pinsky’s attorneys stopped representing him because he no longer had the funds to pay for their services. The most recent entry into the role of the Southern District of New York asks the court to give Pinsky extra time to seek attorney, and suggests that unless he ends up representing himself.
Ellis Pinsky, in a photo uploaded to his social media profile.
Truglia remains the subject of criminal charges in Santa Clara, Calif., Home of the REACT task force, which pursues SIM swap cases nationwide. In November 2018, REACT investigators and New York authorities arrested Truglia suspected of using SIM swaps to steal around $ 1 million worth of cryptocurrency from Robert ross, a father of two in San Francisco who went on to found the victims advocacy website stopimcrime.org.
According to published reports, Truglia and his accomplices also carried out SIM swaps against the CEO of blockchain storage service 0Chain; hedge-funder Myles Danielson, vice-chairman of Hall Capital Partners; and Gabrielle Katsnelson, co-founder of the SMBX startup.
Truglia is currently set to be sentenced in April 2022 for his guilty plea in New York. He faces a maximum sentence of up to 20 years in prison.
Erin West, Santa Clara County Assistant District Attorney, told KrebsOnSecurity that SIM card swapping remains a major issue. But she said many of the victims they are helping now are relatively new cryptocurrency investors for whom a SIM swap attack can be financially devastating.
“Originally, SIM exchange targets were the early adopters of crypto,” West said. “Now we’re seeing a lot more of what I would call normal people trying their hand at crypto, and that makes a lot more people a target. This makes people who are unaware of their personal online security vulnerable to hackers whose job it is all to figure out how to separate people from their money.
West said REACT continues to train state and local law enforcement officials across the country on how to successfully investigate and prosecute SIM card swap cases.
“The good news is that our partners across the country are learning how to do this business,” she said. “Where this was a relatively new phenomenon three years ago, other smaller jurisdictions across the country are now learning how to prosecute this crime.”
All major mobile carriers allow customers to strengthen security against SIM card swaps and associated schemes by setting a PIN code that must be provided over the phone or in person at a store before account changes are made . But these security features can be bypassed by incompetent or corrupt mobile store workers.
For tips on how to minimize your chances of becoming the next victim of a SIM swap, see “What can you do?” Section at the end of this story.
