T-Mobile has incurred $33 million in fines following a significant SIM swapping attack that resulted in a customer losing millions in cryptocurrency. The Los Angeles law firm Greenberg Glusker has revealed that it successfully secured a substantial arbitration award against T-Mobile due to the telecom company’s failures in handling the security breach. The incident traces back to February 2020 when the attack targeted entrepreneur Joseph “Josh” Jones.

Greenberg Glusker has indicated that the attackers managed to steal over 1,500 Bitcoin (BTC) and nearly 60,000 Bitcoin Cash (BCH), valued at approximately $38 million at that time. Following this security breach, various failures within T-Mobile’s systems became the focal point of a legal dispute. Although the court ruling regarding the lawsuit had been kept confidential since late 2023, a recent petition to validate the arbitration award has made some details public, despite T-Mobile’s attempts to keep security flaws from being disclosed.

The attackers were able to hijack Jones’s T-Mobile account, even with the deployment of enhanced PIN protection measures. An insider at T-Mobile apparently facilitated the breach by agreeing to transfer Jones’s mobile number to a SIM card belonging to the attackers. The PIN protection was expected to safeguard against such unauthorized changes, leading Jones to suspect that a backdoor into the carrier’s systems was exploited for the attack.

Paul Blechner from Greenberg Glusker emphasized that “SIM swapping has been an unchecked security flaw for years,” calling for carriers like T-Mobile to implement necessary precautions. Investigations into the incident revealed that a 17-year-old was behind the SIM swapping attack, with ties to a larger group of cybercriminals who executed multiple high-profile hacks in 2020, affecting accounts of figures such as Joe Biden and Elon Musk. T-Mobile has faced similar attacks in the past, including notable cases involving the theft of $20 million in cryptocurrency and breaches impacting several bankruptcy proceedings within the crypto industry.