15-year-old Ellis Pinsky’s crypto heist

American Ellis Pinsky was just 15 years old in 2018 when he stole almost $24 million in crypto with a crypto hack. His victim? Multi-millionaire and entrepreneur Michael Terpin, who is deep in crypto space with several large investments and is actually well versed in cybersecurity.

But the way Pinsky got hold of the entrepreneur’s crypto millions back then is relatively simple. This was made possible by a so-called “SIM swapping”. He recently revealed exactly how the 20-year-old used this form of attack to steal millions from Terpin in an interview with Rolling Stone Magazine.

Crypto Hack: The Details

In 2018, the then 15-year-old, whose hacking career at the time was mainly limited to trolling Call of Duty players, received an order via a forum that would bring him millions: he should hack a specific victim’s cell phone chop. The target of the attack is Michael Terpin, 60, who is considered a heavyweight in the crypto scene at the time.

With an accomplice, Pinsky manages to hack several of Michael Terpin’s e-mail accounts by using his mobile phone number to sabotage his 2-factor authentication (2FA) and reset passwords and access – the so-called SIM swapping. In the victim’s email accounts, they find clues for crypto passwords, seed phrases, and crypto wallets.

Things are going better than expected for the hackers. In fact, there is a folder in the unfortunate person’s e-mail inbox that is called “Passwords”. Inside: Passwords to various crypto wallets. Among other things, Pinsky claims to have seen an Ethereum wallet with cryptos worth 900 million US dollars, which are said to have been secured with a multi-signature – so the search continues.

Finally, he comes across a wallet with 3 million tokens of the cryptocurrency Trigger. Looking at CoinMarketCap, it quickly became clear: At around $7 a piece, Pinsky had found a total value of more than $20 million.

However, after the successful transfer to his wallet, the then-teenager was unable to fully convert the tokens into hard cash. In 2018 there were no decentralized exchanges like Uniswap and Co. Also, because of the KYC regulations, it was not possible to sell or exchange the tokens undetected on a centralized exchange. In addition, the obscure tokens lacked liquidity, which is why every sale caused the price of these to fall further.

Pinsky was forced to sell the tokens through several middlemen. However, they often kept the coins for themselves. In the end, Pinsky was still able to walk out of his raid with around 562 Bitcoin, around $10 million at the time. If he had hoarded and evaded investigators, the bitcoin would be worth almost $113 million today.

But he did not hodl, but bought, which is why the investigators quickly found him. After his arrest, Pinsky returned the remaining Bitcoin. Due to his willingness to cooperate and his young age, mercy was even shown in court. So today the young man is free and is about to complete his studies – computer science, of course.

SIM swapping

Michael Terpin was more than negligent in storing important passwords and private keys in e-mail accounts. He also paid a corresponding fee for this. Above all, SIM swapping made it possible to control the victim’s digital identity for a short period of time.

SIM swapping, also known as a “port-out scam,” involves hiring or getting paid employees of phone companies to port a victim’s phone number to an attacker’s cell phone. These then receive the victim’s SMS notifications and bypass numerous security mechanisms.

For certain crypto exchanges, but also other platforms for email or bank accounts, receiving codes via SMS is part of 2-factor authentication (2FA). For example, if you want to restore access to your accounts, you verify yourself with the respective provider using these SMS codes.

This is how Ellis Pinsky got access to Terpin’s e-mail accounts, where he found the key to his victim’s assets. So, aside from storing sensitive data and crypto keys offline, the most important thing users should do is reconsider their 2FA method. Because some crypto exchanges also allow the accounts to be restored and access to the account.

Anyone using this type of 2FA could be vulnerable to such an attack. The use of special 2FA apps, such as the “Google Authenticator”, is recommended here. These work with encrypted codes over the Internet, instead of SMS, and pose a much lower risk.