T-Mobile Paid Hackers $200K to Get Its Stolen Customer Data Back (and Failed) | Here’s Exactly What Happened

Last summer, T-Mobile fell prey to a massive hacking scheme that resulted in the personal data of more than 54 million customers getting out. It was one of the biggest hacking jobs in history, and those behind it said it was frighteningly easy to pull off.

The intrusion exposed names, social security numbers (SSNs), driver’s license information, and more. Included in the breach was the data of 40 million customers who applied for T-Mobile credit, 13.1 million holders of active T-Mobile postpaid accounts, 850,000 active T-Mobile prepaid customers, and 667,000 accounts of former customers.

Not every account had the same amount of type of data compromised. For instance, the 40 million accounts that applied for T-Mobile credit seemed the hardest hit, with personal identification details included in the breach. Records for 7.8 million active customers included IMEI and IMSI details, which can be used to identify mobile devices and SIM cards (and conduct SIM-swapping attacks). Another 5.3 million records lacked SSN or driver’s license numbers but contained other identifiable information such as home addresses.

Shortly after the attack, a group attempted to sell off some of this information on the dark web, offering up data on around 30 million customers for about $270,000 in Bitcoin.

Naturally, T-Mobile CEO Mike Sievert apologized profusely for failing to protect its customers and immediately began a behind-the-scenes investigation to figure out what went wrong and what the company could do about it.

Now, it turns out that as part of this “investigation,” T-Mobile also tried to buy back the data from the hackers — and failed.

The Deal

According to Motherboard, which has gotten its hands on recently unsealed court documents, T-Mobile hired a third party to pay off the hackers to get “exclusive access to that data and limit it from leaking more widely.”

The court documents stem from the U.S. Justice Department’s recent takedown of “RaidForums” — one of the world’s largest hacker forums — and the arrest and indictment of its administrator Diogo Santos Coelho, who goes by the handle “Omnipotent” (among others).

On or about August 11, 2021, an individual using the moniker ‘SubVirt’ posted on the RaidForums website an offer to sell recently hacked data with the following title: “SELLING-124M-U-S-A-SSN-DOB-DL-database-freshly-breached.” This post provided a small sample of data, which included names and dates of birth, and priced the information at six (6) Bitcoin.Indictment against Diogo Santos Coelho

While the indictment doesn’t specifically name the victim of the data breach, referencing it only as “Company 3,” it’s not hard to read between the lines:

A subsequent post confirmed that the hacked data belonged to a major telecommunications company and wireless network operator that provides services in the United States (“Company 3”).Indictment against Diogo Santos Coelho

The timeline and information in the court records line up so perfectly with last summer’s big T-Mobile data breach that there’s no other company that this could be referring to.

Where this gets intriguing, however, is that the indictment goes on to say that Coelho (“Omnipotent”) “aided and abetted ‘SubVirt’” in selling the data to “a third-party then operating on behalf of Company 3.”

The Payoff

This happened on two separate occasions. The “Company 3” agent first transferred $50,000 worth of Bitcoin on August 17 to obtain a sample of the data and then another $150,000 on August 21 to purchase the complete database.

“On or about August 22, 2021, COELHO, who was using the moniker “Omnipotent,” executed his middleman service and aided “SubVirt” in selling complete database sets containing confidential and sensitive information and other data of value obtained during an unlawful computer instrusion, including, but not limited to, customers names, social security numbers, dates of birth, driver’s license numbers, phone numbers, billing account numbers, customer relationship manager information, MSISDN information, IMSI numbers, and IMEI numbers to a third-party then operating on behalf of Company 3. The third-party used COELHO’s middleman service to transfer a Bitcoin amount that was then equivalent to approximately $150,000 to “SubVirt.”
– Indictment against Diogo Santos Coelho

Coelho doesn’t appear to have been directly involved in the T-Mobile data breach. Instead, he offered an “Official Middleman Service” on the RaidForums website designed to facilitate the sale of “contraband files” such as this. The indictment lists at least three other major companies where Coelho was involved in brokering the sale of confidential data. One is described as “an electronic commerce company,” another as “an online tax filing company,” and the third as “a major broadcasting and cable company.”

An affidavit in support of the Justice Department’s request for Coelho’s extradition from the U.K. to the U.S. provides additional background on what “Company 3” (aka, T-Mobile) was trying to accomplish:

After this post, Company 3 hired a third-party to purchase exclusive access to the database to prevent it from being sold to criminals. A third-party employee then posed as a prospective buyer and used Omnipotent’s middleman service to purchase. Small of the databases for a Bitcoin amount that was then equivalent to approximately $50,000. Subsequently, an employee of the third-party again used Omnipotent’s middleman service to purchase the entire database for a Bitcoin amount that was then equivalent to approximately $150,000. The agreement was for “SubVirt” to then destroy their copy of the database; however, it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase.
– Affidavit in Support of Request for Extradition of Diogo Santos Coelho

Had the plan succeeded, T-Mobile would have secured those 30 million customer records against further disclosure. The “third-party” that purchased the data for $200,000 would then be the only one with a copy of the stolen information, which would presumably have either been destroyed or turned back over to T-Mobile for analysis.

The court documents don’t name the third-party agent that bought the data or describe what sort of company it was. However, in an August 2021 statement, T-Mobile CEO Mike Sievert named security company Mandiant as the partner in pursuing its investigation into the incident.

Through our investigation into this incident, which has been supported by world-class security experts Mandiant from the very beginning, we now know how this bad actor illegally gained entry to our servers and we have closed those access points. We are confident that there is no ongoing risk to customer data from this breach.Mike Sievert, T-Mobile CEO

Motherboard reached out to both T-Mobile and Mandiant for comment, but neither responded by press time.

Of course, there’s no honor among thieves, and perhaps T-Mobile and its third-party agent were naive to think that they could actually pull this off, but it’s probably fair to give them a few points for trying.