Court Records Reveal T-Mobile Paid RaidForums Hackers In A Failed Attempt To Stop Data Leaks

Yesterday, we reported on Operation TOURNIQUET, a year-long coordinated effort by law enforcement agencies from seven different countries that culminated in the seizure of the hacking site RaidForums and the arrest of its founder and administrator, Diogo Santos Coelho. RaidForums functioned as the hub for the trade of databases containing over 10 billion stolen records. Now that the authorities involved have revealed the results of Operation TOURNIQUET, a number of documents related to the investigation are available for public viewing.

Among these documents is an affidavit in support of Coelho’s arrest and extradition to the United States for prosecution. The affidavit recounts events that appear to align with a T-Mobile data breach that occurred in August of last year. According to the document, a RaidForums user by the name of “SubVirt” posted a small sample of a data set from a recent hack. The user offered to sell the whole data set for six Bitcoin, which was worth roughly $270,000 at the time. This post, titled “SELLING-124M-U-S-A-SSN-DOB-DL-database-freshly-breached,” went up on August 11, 2021, but SubVirt later reposted the offer on August 14 with the title “SELLING 30M SSN + DL + DOB database.”

RaidForums post selling the T-Mobile breach data

We reported on this same RaidForums post back in August, capturing the above image. The affidavit simply states that the data “belonged to a major telecommunications company … that provides service in the United States.” While the affidavit doesn’t explicitly identify T-Mobile as the telecommunications company in question, SubVirt told Vice at the time that the database consisted of full info for US T-Mobile customers. T-Mobile then acknowledged the data breach of 47 million records a short time later.

However, what we didn’t know back then was that T-Mobile apparently tried to purchase the stolen data. According to the affidavit, the wireless communications provider hired a third party that, acting on behalf of the company, posed as a prospective buyer and purchased a sample of the data set for $50,000 in Bitcoin. That same third party later purchased the rest of the database for a Bitcoin sum worth $150,000.

This third party purchased the full data set on the condition that SubVirt would destroy their copy of the data, leaving the third party as the sole holder of the data set. However, this agreement apparently did not work out as planned. The affidavit (PDF) states that, “it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase.” Thus, it seems that T-Mobile attempted to prevent its stolen customer data from being shared on the web by buying it back for the princely sum of $200K, but the effort backfired. This saga goes to show you that, indeed, there is no honor among thieves.