T-Mobile paid hackers $200,000 to recover stolen customer data (and failed)

Last summer, T-Mobile fell prey to a massive hacking scheme that exposed the personal data of more than 54 million customers. It was one of the greatest hacks in history, and those behind it said it was frighteningly easy to pull off.

The intrusion exposed names, social security numbers (SSN), driver’s license information, and more. The breach included data from 40 million customers who applied for T-Mobile credit, 13.1 million active T-Mobile postpaid account holders, 850,000 active T-Mobile prepaid customers, and 667,000 former customer accounts.

Not all accounts had the same amount of compromised data types. For example, the 40 million accounts that requested T-Mobile credit appeared to be the hardest hit, with personally identifying details included in the breach. Records from 7.8 million active customers included IMEI and IMSI details, which can be used to identify mobile devices and SIM cards (and conduct SIM swapping attacks). Another 5.3 million records lacked SSN or driver’s license numbers but contained other identifiable information such as home addresses.

Shortly after the attack, a group tried to sell some of this information on the dark web, offering data on around 30 million customers for around $270,000 in Bitcoin.

Naturally, T-Mobile CEO Mike Sievert profusely apologized for failing to protect his customers and immediately launched a behind-the-scenes investigation to determine what was wrong and what the company could do about it. topic.

Now it turns out that as part of this “investigation”, T-Mobile also tried to buy the data from the hackers – and failed.

The deal

According to Motherboardwhich got its hands on recently unsealed court documents, T-Mobile hired a third party to pay hackers to gain “exclusive access to this data and prevent it from leaking more widely.”

The court documents stem from the recent dismantling by the US Department of Justice of “RaidForums” – one of the largest hacker forums in the world – and the arrest and indictment of its administrator Diogo Santos Coelho, who passes by the pseudonym “Omnipotent” (among others).

On or about August 11, 2021, a person using the nickname “SubVirt” posted on the RaidForums website an offer to sell recently hacked data with the following title: “SELLING-124M-USA-SSN-DOB- DL-database-freshly- violated. This message provided a small sample of data, which included names and dates of birth, and valued the information at six (6) Bitcoin.Indictment against Diogo Santos Coelho

Although the indictment doesn’t specifically name the data breach victim, referring to it only as “Company 3”, it’s not hard to read between the lines:

A later message confirmed that the hacked data belonged to a major telecommunications company and a wireless network operator that provides services in the United States (“Company 3”).Indictment against Diogo Santos Coelho

The timeline and information in the court records matches T-Mobile’s big data breach last summer so perfectly that there’s no other company it could refer to.

Where it gets intriguing, however, is that the indictment goes on to say that Coelho (“Omnipotent”) “assisted and abetted ‘SubVirt'” in selling the data to “a third party then operating on behalf of of the company 3”.


This happened twice. The “Company 3” agent first transferred $50,000 worth of Bitcoin on August 17 to obtain a sample of the data, then another $150,000 on August 21 to purchase the full database.

“On or around August 22, 2021, COELHO, who used the nickname “Omnipotent”, performed his intermediary service and assisted “SubVirt” in selling complete database sets containing confidential and sensitive information and other valuable data obtained during an illegal computer intrusion. , including but not limited to customer names, social security numbers, dates of birth, driver’s license numbers, phone numbers, billing account numbers, manager information of the customer relationship, MSISDN information, IMSI numbers and IMEI numbers to a third party, then operating on behalf of company 3. The third party used COELHO’s intermediary service to transfer an amount in Bitcoin which was then equivalent around $150,000 to “SubVirt”.
Indictment against Diogo Santos Coelho

Coelho does not appear to have been directly involved in the T-Mobile data breach. Instead, he offered an “official intermediary service” on the RaidForums website designed to facilitate the sale of “contraband files” like this. The indictment lists at least three other major businesses where Coelho was involved in brokering the sale of confidential data. One is described as “an e-commerce company”, another as “an online tax filing company”, and the third as “a large broadcast and cable company”.

An affidavit in support of the Justice Department’s request for Coelho’s extradition from the UK to the US provides further insight into what ‘Company 3’ (aka T-Mobile) was trying to do accomplish :

After this message, Company 3 hired a third party to purchase exclusive access to the database to prevent it from being sold to criminals. A third-party employee then posed as a potential buyer and used Omnipotent’s matchmaking service to purchase. Small databases for an amount in Bitcoin which was then equivalent to approximately $50,000. Subsequently, a third-party employee again used Omnipotent’s middleman service to purchase the entire database for an amount in Bitcoin that then equaled approximately $150,000. The deal was that “SubVirt” then destroy its copy of the database; however, it appears that the co-conspirators continued to attempt to sell the databases after the third-party purchase.
Affidavit in Support of Diogo Santos Coelho’s Extradition Request

Had the plan succeeded, T-Mobile would have secured those 30 million customer records from further disclosure. The “third party” who purchased the data for $200,000 would then be the only one with a copy of the stolen information, which would presumably have been destroyed or returned to T-Mobile for analysis.

The court documents do not name the third-party agent who purchased the data or describe what type of company it was. However, in an August 2021 statement, T-Mobile CEO Mike Sievert named security firm Mandiant as a partner in his continued investigation of the incident.

Thanks to our investigation into this incident, which was supported by world-class security experts Mandiant from the very beginning, we now know how this bad actor illegally entered our servers and we have shut down these access points. We are confident that there is no ongoing risk to customer data from this breach.Mike Sievert, CEO of T-Mobile

Motherboard reached out to T-Mobile and Mandiant for comment, but neither responded before press time.

Of course, there’s no honor among thieves, and maybe T-Mobile and its third-party agent were naive to think they could actually pull this off, but it’s probably fair to give them some points for trying.

Casey J. Nelson