A 34-year-old Pakistani man has been accused of hacking into AT&T computer systems and bribing AT&T employees to unlock more than 2 million smartphones over the course of five years, according to an indictment unsealed Monday.
Muhammad Fahd, who has been extradited to the U.S. from Hong Kong, allegedly paid as much as $420,000 to individual AT&T call center staff to unlock devices tied to the carrier’s network. Fahd apparently ran the scheme from 2012 to 2017.
The U.S. Department of Justice said that people would pay Fahd to have their devices unlocked and transferred off AT&T’s network.
For a period, the hacker would simply get a device’s IMEI number and ask his contacts at AT&T to unlock those devices.
But Fahd went a lot further than that. According to prosecutors, he asked AT&T employees to install malware on company computers so he could study how the carrier’s internal processes functioned. The indictment also claims he used malware to get AT&T employee passwords so he could unlock devices using the company’s computers himself.
AT&T discovered the malware back in 2013. Most of Fahd’s insiders were either fired or left the company. But the Justice Department notes that the hacker would simply recruit others. All in all, he and a co-conspirator paid out more than $1 million in bribes.
Fahd also allegedly paid AT&T employees to install malicious routers, rogue Wi-Fi access points and other spying hardware at an AT&T call center in Boswell, Washington.
As far as how he’d recruit AT&T employees, prosecutors say that he contacted them through Facebook or phone call and convince them to open their own shell businesses to receive the bribes. He used a number of front companies to make the payments.
The Justice Department estimates that AT&T lost millions of dollars in revenue as smartphones were transferred off of its network. Conservative estimates suggest that the carrier lost as much as $5 million a year for five years.
Fahd was arrested in Hong Kong last February but was only recently extradited to the U.S.
If found guilty, he faces up to 20 years in prison for a slew of charges — including several counts of wire fraud and conspiracy to violate the Computer Fraud and Abuse Act.