One criminal gained access to users’ accounts using information that was available to her because she worked at a phone retailer.
SAN ANTONIO — Two San Antonio residents have pleaded guilty for their role in a stunning scheme to steal cryptocurrency.
Court documents obtained by KENS 5 indicate Andrew Trujillo and Zena Dounson scoured the internet, looking for people who’d gotten rich off cryptocurrency investments.
Once they identified targets, Dounson used her employee credentials at a San Antonio phone retailer to access AT&T’s database. She conducted a SIM swap, effectively assigning the victims’ phone numbers to Trujillo’s phone.
When Trujillo wanted to pick targets’ digital wallets, he only needed to click ‘forgot password’ and send a reset link to the victims’ cell phone numbers. Trujillo’s phone intercepted the messages, allowing him access to victims’ accounts.
The two, along with co-conspirators, stole more than $250,000 in Ethereum.
Trujillo and Dounson each face up to five years in prison. They’re charged with wire fraud, as well as conspiracy to commit computer fraud and abuse.
Though Dounson worked for a licensed retailer, not AT&T, the carrier said in a statement to KENS 5 that it continues “to work closely with law enforcement, our industry and consumers to help defeat this type of crime.”
AT&T and T-Mobile are each involved in lawsuits where plaintiffs contend they fell victim to nearly identical schemes.
Cyber security experts say this type of crime is difficult to prevent, mostly because it weaponizes security measures meant to safeguard data.
“This situation, you know, it crosses a barrier,” said Mike Zaroudny, chief information officer for OneIT, Inc.
Still, Zaroudny says phone users should make it as difficult as possible for criminals to obtain personal information by using multiple passwords and backing up phones to local hard drives.
Crypto investors might also create “dummy” digital wallets, while storing the bulk of their coins in a harder-to-find drive.
Zaroudny also says adding passcodes onto individual apps and accounts can add another layer of protection to personal data.
“A lot of these theft deterrents or notification (programs) that are out there – people just don’t take advantage of,” he said.