Jared Goetz was at dinner when someone used his American Express card to buy a $39,000 web domain. Goetz wasn’t too concerned, he told Motherboard in a phone call: He told the American Express fraud department the transaction wasn’t his, but things rapidly got much worse.
Goetz’s cellphone suddenly lost all service, meaning he couldn’t receive or make any calls or texts, or use any online services. Maybe the e-commerce entrepreneur and business coach had forgotten to pay his T-Mobile bill, he thought. After getting back to the hotel, he found someone had changed his T-Mobile password. Then, he discovered he also couldn’t log into his email, the epicentre of his digital life.
“That’s when I was like, uh-oh,” Goetz said. “Because I tried to log into my email, and they’re like, your password’s been changed one hour ago.”
Goetz paced around the room, trying to figure out what was going on. After a few minutes, his phone rang; it had apparently been switched back on temporarily. The caller was an unknown number.
“I want 3 bitcoin,” a voice on the other end said, according to a recording of the conversation Goetz shared with Motherboard. “And I’m gonna leave you alone.” Goetz was the hacker’s third victim that day, the hacker added. But in an hour and a half long conversation, Goetz tried to get to the root of why this hacker does what he does, and somehow talked the hacker into giving back his stolen accounts.
This is just one episode in a rising trend of hacking-enabled extortion, in which hackers take over valuable accounts and hold them for ransom. Hackers have targeted email and Instagram accounts belonging to high profile social media users, a group of people who rely on these services for staying in touch with friends, but often for their entire livelihood. Goetz’s hack is another example of so-called SIM hijackers, hackers who are able to take control of a victim’s phone number due to gaping holes in how telecom companies protect (or rather, don’t protect) their users.
The hacker, who eventually identified themselves in the recording as Sebastian, a 17-year-old from Germany, was aggressive. He targeted Goetz because he appeared in the cryptocurrency press, suggesting he may have access to a large amount of currency to steal.
“This is what I do buddy,” Sebastian said in the phone call. “I don’t feel anything buddy; that’s all I’m gonna tell you.”
Sebastian had hijacked Goetz’s SIM card, and directed any password reset messages to his own phone. This also let Sebastian bypass any SMS-based, two-factor authentication on Goetz’s accounts; those text messages companies send to check it’s really you. With Goetz’s phone number, Sebastian was Goetz, for all that the internet cared.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on email@example.com, or email firstname.lastname@example.org.
In the recording shared with Motherboard, Sebastian doesn’t go into detail on how he took control of the phone number, but Motherboard’s previous investigations have shown how relatively easy it can be for hackers to pull off. Either the hacker will call up the telecom company, provide some basic personal information about the target, and simply ask to port the phone number over to their own SIM card. Or they sometimes bribe telecom employees.
A woman who works for a Verizon retailer was recently approached by a criminal who tried to bribe her, according to the employee and text messages she provided to Motherboard. The source asked to remain anonymous because they were worried about being fired. The criminal offered her money in exchange for passwords and PIN numbers of business accounts. He even showed her a pile of cash. The employee says she declined the offer and stopped answering.
“I was honestly appalled at first because some rando from Instagram wants me to give him the keys to a few palaces so that he could ruin the lives of those business owners,” the woman told Motherboard in an email. “Unfortunately for him my conscience and moral compass wouldn’t physically allow me to do it.”
T-Mobile, which, again, Goetz is a customer of, has a particular issue with malicious insiders providing information and access to hackers, according to multiple sources that previously spoke to Motherboard. A T-Mobile spokesperson told Motherboard in an email “we’re always working to improve security so we can stay ahead of fraud schemes and protect our customers. We’re aware of these ongoing and ever-changing attempts to take advantage of consumers across the wireless industry and we’ll keep fighting to ensure our customer’s safety.”
Many of these hackers are after prestigious, “OG” Instagram handles, ones that are only a few characters long or encompass a single, unspoiled word. In one case, hackers previously targeted the owner of the handle “rainbow.”
Throughout the conversation, Goetz tried to negotiate with the hacker, saying that he was not going to send any bitcoin, and that he didn’t really have any; he then offered to send a small amount of Ripple, another cryptocurrency, instead; he also said he could send some PayPal funds. Goetz asked why does Sebastian want this money anyway. Sebastian appeared to let his guard down.
“Because I did some things, that I truly regret, about a year ago, and I’ve been stuck in it for longer than a few months now,” Sebastian replied. “Let’s just say I maybe screwed the wrong guy over.”
Goetz told Sebastian about his own mistakes; how he robbed a house when he was younger, and about a time he was sued for $250,000. Goetz even offered Sebastian a loan; maybe he can pay it back once he gets his life on track. Sebastian was a little bit touched, he said. Clearly, this is not the normal reaction the hacker receives when trying to extort someone.
“You’re a human being, you’re not just a scammer,” Goetz told Sebastian around 45 minutes into their conversation.
When hackers held high profile Instagram accounts hostage, some victims did decide to pay the ransom. Even then, in some cases the hackers still deleted the held account or, at the time of writing, kept it under their control. In those cases, Instagram was largely unresponsive to the victims, or at least did not communicate in any meaningful way. After Motherboard contacted the company flagging one hacked account in particular, Instagram restored it, but others were not so lucky.
Goetz told Motherboard at first was just trying to get his own accounts back; one tactic was to act confused as to why the hacker would do this at all.
“I just then started playing the nice guy, the potential mentor,” Goetz said. “But then the human being side of me kinda turned on, and I actually did want to help him.”
In a rather extraordinary moment, once Goetz has convinced Sebastian to give back access to the email account, on the condition they’ll chat the following day, Goetz asks a question.
“Can you give me an apology?” Goetz says.
“Yeah, I’m not really good at those but, I mean, I’m sincerely sorry for the trouble I caused you, and I wish it wouldn’t have ended this way,” the hacker replies.
“Well, I respect that,” Goetz adds.
At one point during the conversation, Sebastian provided his Google Voice number. Although when Motherboard called the number it rang, efforts to reach Sebastian for comment were unsuccessful.
Both men were exhausted by this point. It was 1 AM for Goetz, and apparently 7 AM for Sebastian. The two agreed to chat later. Goetz said they did, in which Sebastian explained more about how they took over the accounts (Goetz shared a copy of some of these text messages with Motherboard).
“Goodnight buddy,” Sebastian says before hanging up, sincerity creeping through in his voice.
Lorenzo Franceschi-Bicchierai provided additional reporting.