T-Mobile secretly bought its customer data from hackers to stop the leak. It failed


Image: SOPA Images/Contributor

Last year, T-Mobile confirmed it had been hacked after hackers offered to sell the personal data of 30 million of its customers for 6 bitcoins worth around $270,000 at the time. . According to court documents unsealed today and reviewed by Motherboard, a third party hired by T-Mobile attempted to pay the hackers for exclusive access to this data and prevent its wider leak.

The plan ultimately failed and the criminals continued to sell the data despite the third party giving them a total of $200,000. But the news exposes some of the controversial tactics that could be used by companies when responding to data breaches, either to mitigate the leak of stolen information or to try to identify who breached their networks.

T-Mobile did not respond to a request for comment on whether it knew the third party it hired had paid cybercriminals hundreds of thousands of dollars to stop their data leak.

Do you work in incident response? We would love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on [email protected]or email [email protected].

Tuesday, the The Department of Justice unveiled an indictment against Diogo Santos Coelho, who is said to be the administrator of a popular hacking site called RaidForums. Law enforcement also uploaded a banner to the RaidForums site announcing that they had taken over his domain.

Coelho was arrested in the UK in March. The affidavit in support of the extradition request to the United States includes a section describing a particular set of data that was announced on RaidForums in August.

“On or about August 11, 2021, a person using the nickname ‘SubVirt’ posted on the RaidForums website an offer to sell recently hacked data with the following title: ‘SELLING-124M-USA-SSN-DOB -DL-database-freshly -breached.’” Later, Subvirt changed the title of the thread to “SELL 30M SSN + DL + DOB database,” the document continues. The document does not name the victim company, but rather calls it Company 3, but states that another message confirmed that the data belonged to “a large telecommunications company and wireless network operator which provides services to United States”.

The document goes on to say that this company “engaged a third party to purchase exclusive access to the database to prevent it from being sold to criminals.” An employee of this third party posed as a potential buyer and used the RaidForums admin intermediary service to purchase a sample of the data for $50,000 in Bitcoin, the document reads. This employee then purchased the entire database for around $150,000, with the caveat that SubVirt would delete his copy of the data, he adds. The purpose of the deletion would be for this infiltrated client to be the only one with a copy of the stolen information, which would considerably limit the risk of leakage.

That’s not what happened. The document states that “it appears that the co-conspirators continued to attempt to sell the databases after the third-party purchase”.


A screenshot of the court document. Picture: motherboard.

Company 3, the unnamed telecommunications company that hired this third party, was T-Mobile, according to Motherboard’s review of the timeline and information included in court filings. Motherboard revealed news of the breach for the first time mentioned in the court document several days after the specific RaidForums threads mentioned. At the time, Motherboard spoke to the person selling the data, including the SSNs, and obtained sample data that confirmed the hacker had accurate information about T-Mobile customers. T-Mobile provided a statement at the time saying it was investigating the hack against its company. One day later, T-Mobile confirmed it was hacked.

The court documents do not name the third party that purchased the data, or describe what type of company it was. But in a previous statement released in August, T-Mobile CEO Mike Sievert said, “Through our investigation into this incident, which was supported by world-class security experts Mandiant from the very beginning, we know now how did this bad actor illegally enter our servers and we shut down these access points. We are confident that there is no ongoing risk to customer data from this breach.

Mandiant did not immediately respond to a request for comment on whether it was the third party that paid the cybercriminals $200,000. In March, Mandiant announced its acquisition by Google.

Victimized businesses often turn to incident response or threat intelligence companies after they’ve been hacked to find out exactly how they were hacked and to take mitigating action against any further exposure.

These companies can sometimes deploy controversial tactics, like “hack back”, where the company will retaliate offensively against criminal hackers, perhaps breaching their command and control or other servers to see what data has been stolen, interfere with the hackers’ infrastructure, or try to glean information about who could be the pirates. After hacking the LAPSUS$ group that targeted Nvidia, the group claimed in a post on its Telegram channel that someone had hacked into a machine the group was using to store stolen Nvidia data and then deployed ransomware. The group alleged, without concrete evidence, that it was done on behalf of Nvidia.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.

Casey J. Nelson