T-Mobile Secretly Bought Its Customer Data from Hackers to Stop Leak. It Failed.

Last year, T-Mobile confirmed it was breached after hackers offered to sell the personal data of 30 million of its customers for 6 bitcoin, worth around $270,000 at the time. According to court documents unsealed today and reviewed by Motherboard, a third-party hired by T-Mobile tried to pay the hackers for exclusive access to that data and limit it from leaking more widely.

The plan ultimately failed, and the criminals continued to sell the data despite the third party giving them a total of $200,000. But the news unearths some of the controversial tactics that might be used by companies as they respond to data breaches, either to mitigate the leak of stolen information or in an attempt to identify who has breached their networks.

T-Mobile did not respond to a request for comment on whether it was aware the third party it hired had paid cybercriminals hundreds of thousands of dollars to stop leaking their data.

On Tuesday, the Department of Justice unsealed an indictment against Diogo Santos Coelho, who it alleges is the administrator of a popular hacking site called RaidForums. Law enforcement also uploaded a banner to the RaidForums site announcing they had taken over its domain.

Coelho was arrested in the United Kingdom in March. Included in the affidavit in support of request for his extradition to the United States is a section describing a particular set of data that was advertised on RaidForums in August. 

“On or about August 11, 2021, an individual using the moniker ‘SubVirt’ posted on the RaidForums website an offer to sell recently hacked data with the following title: ‘SELLING-124M-U-S-A-SSN-DOB-DL-database-freshly-breached.’” Later, Subvirt changed the thread title to “SELLING 30M SSN + DL + DOB database,” the document continues. The document does not name the victim company, instead referring to it as Company 3, but says another post confirmed that the data belonging to “a major telecommunications company and wireless network operator that provides services in the United States.

The document goes on to say that this company “hired a third-party to purchase exclusive access to the database to prevent it being sold to criminals.” An employee of this third party posed as a potential buyer and used the RaidForums’ administrator’s middleman service to buy a sample of the data for $50,000 in Bitcoin, the document reads. That employee then purchased the entire database for around $150,000, with the caveat that SubVirt would delete their copy of the data, it adds. The purpose of the deletion would be that this undercover customer would be the only one with a copy of the stolen information, greatly limiting the chance of it leaking out further.

That’s not what happened. The document says that “it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase.”

Company 3, the unnamed telecommunications firm that hired this third-party, was T-Mobile, according to Motherboard’s review of the timeline and information included in the court records. Motherboard first revealed news of the breach mentioned in the court document several days after the specific RaidForums threads mentioned. At the time Motherboard spoke to the person selling the data including SSNs and obtained samples of the data which confirmed the hacker had accurate information on T-Mobile customers. T-Mobile provided a statement at the time saying it was investigating the hack against its company. A day later, T-Mobile confirmed it had been breached.

The court documents do not name the third-party that bought the data, nor do they describe what sort of company it was. But in a previous statement published in August, Mike Sievert, CEO of T-Mobile, said “Through our investigation into this incident, which has been supported by world-class security experts Mandiant from the very beginning, we now know how this bad actor illegally gained entry to our servers and we have closed those access points. We are confident that there is no ongoing risk to customer data from this breach.”

Mandiant did not immediately respond to a request for comment on whether it was the third-party that paid cybercriminals $200,000. In March Mandiant announced it was being acquired by Google.

Victim companies often hire incident response or threat intelligence firms after they have been hacked to discover how exactly they were breached and to take mitigation steps against any further exposure. 

These companies can sometimes deploy controversial tactics, such as “hacking back,” where the firm will offensively strike back at the criminal hackers, perhaps by breaching their command and control or other servers to see what data was stolen, interfere with the hackers’ infrastructure, or try to glean information on who the hackers might be. After hacking group LAPSUS$ targeted Nvidia, the group claimed in a post on its Telegram channel that someone had hacked into a machine the group was using to store the stolen Nvidia data and then deployed ransomware. The group alleged, without concrete evidence, this was done on behalf of Nvidia.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.