The 15-Year-Old Who Stole $24 Million

Newsthink
How Ellis Pinsky pulled off the greatest SIM-swapping hack of all time. Go to my sponsor https://aur...
Video Transcript:
Ellis Pinsky was 15 years old when he pulled off a 24-million-dollar crypto heist. ($23.8 million) For him, it felt like playing a video game, his favorite hobby growing up in the suburbs of New York City.
One day, while trash-talking during a game, another player taunted him with: “How’s the weather in Irvington?” Ellis froze. How on earth did he know where he lived?
He soon discovered that a free program called Wireshark could “sniff out” incoming network connections and identify their IP addresses. A quick Google search would then determine the approximate origin. As he told Rolling Stone: “That’s when it really clicked at the age of 12 or 13: ‘Wow, I’m this little kid, but I can really wield this power.’”
Over the next few months, a fellow gamer named Ferno mentored Ellis, teaching him how to track down information about people online. In exchange, Ellis retrieved addresses and social security numbers with no questions asked. Through Ferno, Ellis learned a form of social engineering called ISP doxxing.
This involved impersonating IT support to trick employees into revealing confidential information linked to an IP address. As Ellis' hacking skills grew, he began to exploit them for lucrative opportunities… Ferno told Ellis about the OGUsers forum, where young hackers shared techniques for stealing coveted social media handles on Twitter and Instagram. These coveted handles could be sold for thousands of dollars.
Ellis was so skilled that he could steal a username in minutes. None of his classmates at Irvington High had a clue he was living a double life. They saw him as this super smart kid who could help recover a forgotten password but nothing nefarious.
By then, already an experienced hacker, he taught himself how to program, focusing on techniques like SQL injections, which exploit vulnerabilities in a website’s input fields, like login forms, by inserting malicious SQL code. This tricks the database into executing unintended commands, allowing hackers to retrieve unauthorized data like usernames and emails. This ability, when combined with another technique, would result in one of the greatest hacks ever.
In 2016, President Obama wrote an op-ed in the Wall Street Journal emphasizing the importance of two-factor authentication, such as sending a code to your cell phone.
Hackers were trying to exploit this security  measure by intercepting these codes. This was Ellis’ first encounter  with the concept of “SIM swapping”, which involved convincing employees at wireless  carriers to remotely switch a SIM card from a target’s phone to one controlled by the hacker.  When the two-factor authentication text was sent, it would be the hacker who  received it on their SIM card.
Ellis would comb through social media to identify  users who mentioned they worked at a carrier. He’d reach out to see if they were  willing to be in on the SIM swap, bribing them with hundreds  of dollars’ worth of bitcoin. Eventually, Ellis claimed he had employees  at every major carrier working for him.
By combining his expertise in SQL injections  and SIM swapping, Ellis became unstoppable. Once he had the target’s email  address and phone number, he’d employ SIM swapping so all texts sent to  the target’s phone would now appear on his phone. He’d then attempt to log in to the target’s email  account using the “forgot password” feature.
Because of the SIM swap, the  two-factor authentication code would be redirected to his phone. Using this code, Ellis could successfully reset the password and gain  access to the target’s email account. In 2018, a member of the OGUsers  community going by the username Harry reached out to Ellis, asking  if he could hack into an AT&T phone.
The target was Michael Terpin, one of the earliest influencers in the crypto world. The PR firm he founded helped launch the Motley Fool and Match.com.
He also did PR work for various cryptocurrencies  and preferred being paid in crypto. The more he convinced people these coins were going to take off, the more  his own holdings appreciated. On the evening of January 7, 2018, Ellis  telegrammed his rogue contact at AT&T, instructing them to port Terpin’s SIM card  to the phone of an online acquaintance, ensuring the hack couldn’t be traced back to him.
They successfully reset Terpin’s e-mail password and gained access to his account. Btw, Harry joined Ellis via Skype. Then, they ran a script to scan Terpin’s emails for references to keys to digital wallets where coins were stored. Initially, they found nothing and were about to give up when Ellis started searching for other email accounts belonging to Terpin and reset the passwords for those.
An Outlook account caught a file called “Keys”. Ellis recounted to Rolling Stone: “At that point, it was like, ‘Holy shit.’ We open that file, and see that there’s just a bunch of keys to various wallets.”
They had struck gold but had to act quickly before Terpin noticed he was locked out of his emails. It didn’t take long for him to realize something was wrong when Google notified him that his Gmail password had been changed. He quickly tried to cancel his cell phone number with AT&T but alleges they failed to promptly cancel his account.
Ellis noticed a wallet holding Ethereum worth $900 million, but it required an  additional password he couldn’t find. Terpin denied holding anywhere near that amount. Ellis tried another wallet from a company called Counterparty and managed to unlock  it using a 12-word seed phrase.
Inside were around 3 million coins of a currency  called Triggers, worth over $7 per coin! Ellis quickly did the math and  realized he was looking at $24 million. This was the largest SIM-swapping  hack pulled off by an individual.
It would have been the perfect heist were it  not for one of Ellis’ greedy acquaintances. Ellis had no choice but to involve  others in the plan to launder the coins due to the daily transaction  limits placed on crypto exchanges. He needed to quickly convert Triggers into  Bitcoin on the cryptocurrency exchange Binance.
So, he posted on Twitter asking if anyone had a Binance account and rounded  up about half a dozen people. He sent Triggers to their accounts, got  them to exchange the coins for Bitcoin, and then diverted the Bitcoin  into an account he and Harry controlled. He gave them a cut of  $20,000 to $50,000 for their help.
However, one of the acquaintances got greedy. Ellis sent a Twitter user @erupts half a  million dollars, which went off with a hitch. Then, he sent $1 million, which was  also meant to be exchanged for bitcoin.
But @erupts kept the money, admitting in court: “...at some point I revoked (Ellis’) continued access to the account and kept for myself the additional money he had deposited.”
After the missing million and splitting the spoils with Harry, minus the transaction fees and factoring in the volatility of crypto, Ellis says he was left with 562 bitcoins, worth around $10 million at the time. He splurged on a $50,000 Patek Philippe watch, took out $100,000 in cash, which he kept under his bed in a $40 safe from Amazon, and took a private jet on a trip back from Chicago with his mom.
Other than those purchases, life  was fairly normal; it was back to soccer classes after school and  flipping Yeezy sneakers online. Then, one day, he received a message from @erupts, the acquaintance who stole  $1 million worth of crypto. @erupts’ real name was Nick Truglia,  a 20-year-old living in Manhattan.
Nick wanted to meet Ellis in person. Why would Ellis agree to meet  someone who stole money from him? Ellis couldn’t accuse Nick of the  theft because the complexity of cryptocurrency transactions  made it difficult to prove.
They met at Grand Central Station, and then hung  out at Nick’s luxurious $6,000-a-month apartment, before partying in the VIP section of a club. Ellis actually wasn’t having the time of  his life. He felt unsettled by it all.
And maybe his intuition was right. Because law enforcement was onto Nick…thanks  to the assistance of one of Nick’s friends. Nick had been interested in booking private jets and befriended a private jet  broker named Chris David.
Chris noticed Nick didn’t appear to have a  job yet managed to fund a lavish lifestyle. Nick confessed to Chris that he funded  his lifestyle by stealing crypto. He boasted about his theft publicly, tweeting  six times that he “stole 24 million”.
Chris said “Nick likened himself to Robin Hood who robs from the rich but did not give to the poor.” Nick confessed that he stole millions through SIM swapping, which intrigued and horrified Chris, who had never heard of such a thing. He saw Nick trying to SIM swap at an AT&T store in Times Square and secretly snapped this photo which was later used as evidence in Michael Terpin’s legal case against Nick.
On November 14, 2018, a regional high-tech task force arrested Nick at his apartment over another SIM-swapping heist. While searching Nick’s iCloud backup file, they also found evidence he’d been involved in Michael Terpin’s missing $24 million. On the same date Terpin lost his crypto, Nick had sent this message to a friend: “I’m a millionaire. I’m not kidding. I have 100 Bitcoin.”
Michael Terpin sued for $71.4 million - three times the stolen amount. Terpin felt the hacking constituted organized crime under the RICO Act, which allows victims to recover triple the damage. It wasn’t long before the dots were connected from Nick to Ellis as many online acquaintances knew they were in contact.
On December 3, 2018, Ellis’ mom  received an email from Terpin’s lawyer, accusing her son of being the  mastermind behind the $24 million heist. Ellis’ mom panicked and hired her son a lawyer. Ellis voluntarily returned all of his 562  Bitcoins, the $50,000 Patek Philippe watch, and the $100,000 in cash hidden under his bed.
However, by this time, the $10 million worth of  Bitcoin had depreciated to less than $2 million. Ellis’ final year of high school was marked  by notoriety as his exploits made the news. Weeks before graduation, four masked men tried  to rob his family’s home in search of the money.
Hacking was no longer like one of the video games he grew up playing. When Ellis watched a video of Terpin recalling what happened and how calculated the hacking was, he began to feel remorse, telling Rolling Stone: “It added a human element to what was, back then, this completely online thing for me. I feel like shame is not the most useful feeling, but I have accountability. Certainly, I don’t feel good about what I’ve done.”
Despite Terpin’s desire for criminal charges, Ellis was never arrested or charged. Terpin believes this was because Ellis was underage, and the authorities didn’t know how to handle the situation.
Ellis ended up going to NYU, where he majored in Computer Science and  Philosophy and graduated in May 2024. As for what he’s up to now? Ellis told me he started a software development company helping entrepreneurs turn their  business ideas into apps and software.
He also told me he’s looking to work in the cyber protection domain, ironically using his skills to defend against the very hacks he once perpetrated. If you need to inquire in English, please press 8. And speaking of cybersecurity - don’t you hate it when you receive spam calls and text messages?
That’s not just annoying - it means that your  personal information is out there being exploited. I recently received an email from Ticketmaster  stating that my information, including my encrypted credit card number and expiration  date, had been potentially hacked. This data is being exploited by  cybercriminals for spam calls, identity theft, taking out loans in  your name or using your credit card.
But there’s an easy way to ensure your information doesn’t end up on the dark web - and it’s FREE for you to try out. Aura alerts me when my data has been leaked. When you register for Aura, you’ll actually see how many data brokers—companies that collect and sell your personal information—have access to your data.
Aura removes your information from data brokers on your behalf, preventing them from selling it to third parties. You also get features like credit monitoring, identity theft insurance, a password manager, antivirus protection, and a VPN—all in one affordable app. Plus, Aura is FREE for you to try out for two weeks by signing up with my custom link in the description, aura.com/newsthink.
That’s aura.com/newsthink to see whether your information is out there today.
Thanks for watching. For Newsthink, I’m Cindy Pom.