A criminal gained access to user accounts using information that was available to her because she worked at a phone store.
SAN ANTONIO — Two San Antonio residents have pleaded guilty for their role in a surprising scheme to steal cryptocurrency.
Court documents obtained by KENS 5 indicate that Andrew Trujillo and Zena Dounson scoured the internet looking for people who had gotten rich from cryptocurrency investments.
Once the targets were identified, Dounson used his employee credentials at a San Antonio phone retailer to access the AT&T database. He performed a SIM swap, effectively mapping the victims’ phone numbers to Trujillo’s phone.
When Trujillo wanted to pick the targets’ digital wallets, he just needed to click “I forgot my password” and send a reset link to the victims’ cell phone numbers. Trujillo’s phone intercepted the messages, allowing him to access the victims’ accounts.
The two, along with co-conspirators, stole more than $250,000 worth of Ethereum.
Trujillo and Dounson each face up to five years in prison. They are charged with wire fraud as well as conspiracy to commit computer fraud and abuse.
See the full court filing below.
Although Dounson worked for a licensed retailer, not AT&T, the carrier said in a statement to KENS 5 that it continues to “work closely with law enforcement, our industry and consumers to help defeat this type of crime.”
AT&T and T-Mobile are involved in lawsuits in which plaintiffs claim they were victims of nearly identical schemes.
Cybersecurity experts say this type of crime is difficult to prevent, mainly because it weaponizes security measures intended to safeguard data.
“This situation, you know, crosses a barrier,” said Mike Zaroudny, chief information officer for OneIT, Inc.
Still, Zaroudny says phone users should make it as difficult as possible for criminals to obtain personal information by using multiple passwords and backing up phones to local hard drives.
Crypto investors can also create “dummy” digital wallets, while storing most of their coins in a harder-to-find unit.
Zaroudny also says that adding passcodes to individual apps and accounts can add another layer of protection to personal data.
“A lot of these theft deterrents or notification (programs) that are out there, people just don’t take advantage of them,” he said.