The American mobile operator T-Mobile suffered a data breach last year in which hackers compromised the records of roughly 30 million of its customers, including personal information. The stolen data was put up for sale for 6 BTC.
On Tuesday, the Federal Bureau of Investigation (FBI), the United States Secret Service, and the Department of Justice seized RaidForums domains and arrested the site’s founder and chief administrator, Diogo Santos Coelho, 21, of Portugal. Coelho was arrested in the United Kingdom on Jan. 31, at the United States’ request and remains in custody pending the resolution of his extradition proceedings.
The DOJ also announced the seizure of RaidForums. Assistant Attorney General Kenneth A. Polite Jr. said: “The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information.”
After the seizure notice went up, Motherboard reviewed the court documents unsealed today and reported that a third party hired by T-Mobile tried to pay the hackers for exclusive access to the data in order to stop it from spreading more widely. The claim is based on Motherboard’s review of the timeline and details in the court records. The plan failed: the criminals continued to sell the data even after the third party, acting on behalf of the company the court document calls “Company 3”, had paid them a total of $200,000.
Motherboard noted:
“Motherboard first revealed news of the breach mentioned in the court document several days after the specific RaidForums threads were mentioned. At the time Motherboard spoke to the person selling the data including SSNs and obtained samples of the data which confirmed the hacker had accurate information on T-Mobile customers.”
Paragraphs 32 and 33 of the court document read:
“On or about August 11, 2021, an individual using the moniker ‘SubVirt’ posted on the RaidForums website an offer to sell recently hacked data with the following title: ‘SELLING-124M-U-S-A-SSN-DOB-DL-database-freshly-breached.’”
The document goes on to say that this company “hired a third-party to purchase exclusive access to the database to prevent it from being sold to criminals.” An employee of the third party posed as a potential buyer and used the RaidForums administrator’s middleman (escrow) service to buy a sample of the data for $50,000 in Bitcoin, the document states. That employee then purchased the entire database for around $150,000, on the condition that SubVirt would delete their copy of the data, it adds.
The court documents do not name the third party that bought the data, nor do they describe what sort of company it was. Motherboard reported that Mandiant did not immediately respond to a request for comment on whether it was the third party that paid the cybercriminals $200,000.