Hacker lifts $1 million in cryptocurrency using San Francisco man's phone number, prosecutors say
- Nicholas Truglia, 21, hacked into the phones of multiple Silicon Valley executives, according to officials.
- In one case, he was able to get away with $1 million from cryptocurrency accounts the victim says he had been saving to pay for his daughters’ college tuition.
- The crime is known as "SIM swapping," where a hacker takes over a phone number by duping wireless carriers, then uses that information to access and drain cryptocurrency accounts.
- “It’s a whole new wave of crime,” says Erin West, deputy district attorney for Santa Clara County.
Losing cellphone service is inconvenient. But in some cases, it also might mean you're getting hacked.
San Francisco resident Robert Ross, a father of two, noticed his phone suddenly lose its signal on Oct. 26. Confused, he went to a nearby Apple store and later contacted his service provider, AT&T. But he wasn't quick enough to stop a hacker from draining $500,000 from two separate accounts he had at Coinbase and Gemini, according to Santa Clara officials.
Nicholas Truglia, 21, lifted the $1 million from Ross' two cryptocurrency accounts, according to a felony complaint filed this month in California state court. Prosecutors say Truglia also hacked the phones of multiple Silicon Valley executives but was not able to rob their accounts.
"It's a whole new wave of crime," said Erin West, the deputy district attorney of Santa Clara County. "It's a new way of stealing of money: They target people that they believe to have cryptocurrency," she told CNBC.
Truglia has been charged with 21 counts, which include identity theft, fraud, embezzlement, crimes that "involve a pattern of related felony conduct," and attempted grand theft in Ross' case, according to court documents.
West said Ross had been saving that money for his daughters' college funds, and stored it in U.S. dollars on the crypto exchanges. Truglia later converted that money to cryptocurrency and moved it to his own accounts before Ross was able to regain control of his phone number.
Officials obtained a warrant and searched Truglia's 42nd Street high-rise in Manhattan last week, they told CNBC. They were able to recover $300,000 from a computer hard drive. But the rest of the missing money may be tough to track down.
Cryptocurrency fans have said it is more trustworthy because transactions are recorded on a public ledger, known as blockchain. Transactions can be seen by anyone, but the identity of the sender and receiver are anonymous.
"In some ways, it's helpful because we can see where the money is going — that's the beauty of the blockchain," West told CNBC. "It's public, but what we still can't see is who holds those accounts."
Cryptocurrency trading became especially popular last year, attracting floods of retail investors as bitcoin rose to nearly $20,000. But with that popularity came hacks. The total in cryptocurrency lost by individuals hit $1.6 billion at the end of June, according to CoinDesk's 2018 State of Blockchain Report. Bitcoin itself is now down more than 75 percent since those December highs, and was trading near $4,400 Wednesday.
Other victims that were hacked and named in the court papers include Saswata Basu, the CEO of blockchain storage service 0Chain; Myles Danielson, a hedge-fund executive, and Gabrielle Katsnelson, co-founder of start-up SMBX.
Truglia has agreed to extradition, and Santa Clara officials expect to pick him up in December. After that, a court date will be set, officials said.
"SIM-swapping" schemes
It would hardly be the first instance of phone hacking. Criminals are exploiting a tactic known as "SIM swapping" to take over phone number accounts by duping wireless carriers.
Wireless store employees can assign your phone number to any device with the right authorization. To confirm a phone swap, they ask for pieces of private information like a birthday or a Social Security number. This data can be bought on the dark web and later used to answer security questions from a wireless store employee.
Once the criminal hacks into a person's email or cryptocurrency account from their own devices, what's known as "two-factor identification" will send a text code to the phone number to prevent any sort of unauthorized login. But because the hacker now controls that phone number, there's no way for the rightful owner to quickly regain control or stop the hack.
This summer, a California man sued AT&T for $224 million after hackers used his number to steal $24 million worth of cryptocurrency stored on an online exchange. Michael Terpin accused AT&T of negligence in that case, likening it to "a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner."
In order to stop that trend, cybersecurity and industry experts say investors should guard their cellphone numbers with the same paranoia with which they guard their Social Security numbers. Experts also recommend that investors keep their funds in what's known as "cold storage." The method allows you to store digital currency offline, away from any internet access. That makes it harder to hack.
WATCH: How the dark web became the platform for all things illegal