T-Mobile Ordered to Pay $33M After SIM Swap Hack Leads to $38M Crypto Theft

T-Mobile has been ordered to pay $33 million in damages following an arbitration case linked to a SIM swapping scam that resulted in the theft of $38 million in cryptocurrency from a customer’s account.

The incident occurred in February 2020, targeting tech entrepreneur Joseph “Josh” Jones. Attackers hijacked Jones’ T-Mobile account by porting his phone number to a SIM card they controlled, enabling them to access and drain his cryptocurrency holdings—over 1,500 Bitcoin and approximately 60,000 Bitcoin Cash. At that time, these assets were valued at $38 million.

Despite Jones implementing enhanced security measures on his T-Mobile account, including an eight-digit PIN, the attackers reportedly exploited internal vulnerabilities or a backdoor within T-Mobile’s systems. The law firm Greenberg Glusker, representing Jones, alleged that multiple security failures at the wireless provider facilitated the breach, arguing that the company’s internal safeguards were inadequate.

The arbitration award was finalized in late 2023 but remained confidential until recently. T-Mobile attempted to seal details of its security lapses; however, a recent petition to confirm the award brought these details into public view.

Greenberg Glusker attorney Paul Blechner emphasized the severity of the issue, stating,

“SIM swapping has been an unchecked security flaw for years. Carriers like T-Mobile have known about it and failed to take basic precautions. This award makes it clear: they must do better.”

SIM swapping, also known as SIM hijacking, is a cybercrime tactic where attackers convince a carrier’s employees to transfer a victim’s number to a new SIM card. This grants them control over two-factor authentication codes and access to sensitive accounts, allowing them to reset passwords, bypass authentication protections, and gain entry into email, banking, or cryptocurrency platforms.

Law enforcement later identified the individual behind the attack on Jones as a 17-year-old with links to hackers involved in the 2020 Twitter hack that compromised numerous high-profile accounts, including those of Elon Musk, Joe Biden, and Bill Gates.

This case is not an isolated incident for T-Mobile. In 2023, advisory firm Kroll suffered a SIM swapping attack involving T-Mobile that exposed data from several bankrupt crypto firms, including FTX, BlockFi, and Genesis. A year earlier, a U.S. man was sentenced for stealing $20 million in crypto via SIM swapping.

The substantial arbitration award underscores the critical need for wireless carriers to bolster their security measures against SIM swapping attacks to protect their customers’ assets and personal information.
