Verizon, Coinbase Negligent in $300K Crypto Hack, Says SIM Swap Victim
A hacker, with the help of a Verizon store assistant manager, gained access to a customer’s financial accounts through a SIM card swap, stealing $300,000 from his cryptocurrency account, alleged a fraud complaint Tuesday (docket 1:23-cv-09556) in U.S. District Court for Southern New York in Manhattan. The breach of contract suit names Verizon and Coinbase as co-defendants.
Plaintiff Raymond Krumdieck, a New York resident, began receiving “phishing” texts on his Verizon phone in December 2021 and contacted Verizon, which indicated it was trying to block the phishing numbers, alleged the complaint. On Dec. 5, Darryl Jenkins, assistant manager at a Minnetonka, Minnesota, Verizon store, used Krumdieck’s private credentials held with his Verizon account and overrode authenticity factors to hack his cellphone and “transfer all access and control of Plaintiff's account and mobile phone number to the hacker,” alleged the complaint. Jenkins used the access to steal about $300,000 from Krumdieck’s Coinbase address, wallet and online exchange account and transferred the crypto assets to an unknown foreign wallet, the plaintiff alleged.
On Dec. 6, 2021, Krumdieck went to a Verizon store and was told that a Verizon corporate employee gave Krumdieck’s SIM card number to the hacker, who had gained “total control” over his phone, said the complaint. The carrier confirmed that an unknown third party was trying to access Krumdieck’s account the week before but was unable to due to “improper verifications,” the complaint said. The individual tried “several times” to access Krumdieck’s account, which “was successfully swapped on Dec. 5,” it said.
Krumdieck provided the Minnetonka Police Department with information showing that his cryptocurrency assets were removed on Dec. 6, 2021, and were transferred to an unknown wallet, the complaint said. The information correlated with information Verizon had obtained “detailing many fraudulent SIM swaps” made possible by Jenkins, it said. Jenkins acknowledged that he was approached by an individual known to him as “Shawn” or “Teshawn” to conduct SIM swaps for money, said the complaint, referencing an email Minnetonka police received Jan. 11 from Verizon involving an internal investigation of Jenkins. Jenkins stated he was given an email with phone numbers and SIM card numbers that he was instructed to “hack with the intent to convert those Verizon customers' financial assets,” it said.
As a result of the hack, Krumdieck’s “life was frozen,” said the complaint. He had no access to his mobile phone, contact numbers, emails, bank accounts, personal files or Coinbase account, and he spent “countless hours and days thereafter in a state of panic, anxiety and fear.” Krumdieck learned from “hours” on the phone with Verizon that his account had a lot of activity, “was a mess” and that three prior attempts to access his account had been unsuccessful, said the complaint.
Verizon “failed to provide reasonable and appropriate security to prevent unauthorized access” to Krumdieck’s wireless account, allowing the unknown person to access his confidential and private wireless account data and financial information, said the complaint. The carrier failed to maintain reasonable procedures to comply with federal and state regulations governing the creation and authentication of his user credentials and created “unreasonable risk of unauthorized access.” Verizon also failed to ensure that “only authorized persons have such access and that customer accounts are secure.”
Though Krumdieck contacted Verizon immediately, received confirmation of the hack and assurance the company would take steps to avoid future SIM swaps, he was the victim of another SIM swap attack in April 2022, alleged the complaint. Verizon failed in its duty to protect Krumdieck's personal and financial information by “repeatedly providing hackers with unauthorized access” to his account, it said. “Such conduct warrants punitive damages to prevent such egregious conduct and injury to the public at large,” it said.
Regarding Coinbase, the cryptocurrency company’s “negligence and grossly deceptive business practices” resulted in a “catastrophic financial loss” to Krumdieck, said the complaint. Coinbase has a contractual and legal duty, “including those anti-money laundering statutes, to monitor such unknown accounts or ‘wallets,’ and to take necessary measures to protect customers' accounts,” the complaint said. Because it failed to put customary and necessary security systems in place to prevent the crime it knew was occurring, Krumdieck's assets were stolen and “fraudulently transferred from his account by a hacker who used a foreign device and a foreign IP address, from a location never before used by Plaintiff,” it said.
Coinbase notified Krumdieck of the fraudulent transfer of his assets after it had been processed, sending him a transaction acknowledgment “for, in essence, losing his money to a hacker,” said the complaint. The company failed to “remedy, reverse or restore” his losses, “despite claiming that customers' assets will be safeguarded with the same security, vigilance and diligence commonly afforded to members of the virtual currency industry,” the complaint said.
Coinbase failed to perform “adequate anti-money laundering and ‘know your client’ procedures” under Financial Crimes Enforcement Network and Department of Financial Services guidelines and enforcement rules, alleged Krumdieck. It failed to properly monitor his account and “ignored its duty to investigate suspicious activities under federal and state anti-money laundering rules,” the complaint said. The complaint referenced countless similar SIM card attacks against Coinbase customers dating to 2013, causing the loss of “tens of millions of dollars in lifesavings.”
In addition to breach of contract claims, Krumdieck asserts violations of the Federal Communications, Bank Secrecy, New York Consumer Protection and Computer Fraud and Abuse acts; negligence and gross negligence; negligent hiring, retention and supervision; negligent infliction of emotional distress; and deceptive business practices in violation of general business law. He seeks minimum compensatory damages of $1 million; special damages for emotional distress of $5 million; punitive damages of $10 million; statutory damages for FCA violations; legal costs and attorneys’ fees; and pre- and post-judgment interest. Verizon and Coinbase didn't comment Wednesday.