A man made millions unlocking T-Mobile phones with stolen passwords Leave a comment

A jury has found Argishti Khudaverdyan, a former owner of a T-Mobile store, guilty of using stolen credentials to unlock “hundreds of thousands of cellphones” from August 2014 to June 2019 (via PCMag). According to a press release from the Department of Justice and an indictment filed earlier this year, Khudaverdyan made around $25 million from the scheme, which also involved bypassing carrier blocks put on lost or stolen cell phones.

For years, he reportedly used several tactics to acquire the T-Mobile employee credentials needed to unlock phones, including phishing, social engineering, and even getting the carrier’s IT department to reset higher-ups’ passwords, giving him access. The DOJ says he accessed over 50 employees’ credentials, and used them to unlock phones from “Sprint, AT&T and other carriers.”

According to the indictment, Khudaverdyan was able to access T-Mobile’s unlocking tools over the open internet until 2017. After the carrier moved them onto its internal network, Khudaverdyan would allegedly use stolen credentials to access that network via Wi-Fi at T-Mobile stores.

The DOJ says that Khudaverdyan co-owned a T-Mobile store called Top Tier Solutions Inc for a few months in 2017, though the carrier ended up terminating the store’s contract because of suspicious behavior. (The other co-owner, Alen Gharehbagloo, was also accused of fraud and illegally accessing computer systems and has plead guilty.) Throughout the years, the DOJ says that Khudaverdyan marketed his unlocking services via email, brokers, and various websites, telling customers that they were official T-Mobile unlocks.

Khudaverdyan’s indictment describes a few of the purchases he and Gharehbagloo made with the money they got from unlocking phones; properties in California, a $32,000 Audemars Piguet Royal Oak watch, and a Land Rover. Gharehbagloo and Khudaverdyan are accused of leasing a Mercedes-Benz S 63 AMG and aFerrari 458, respectively. A Rolex Sky-Dweller was also seized from one of the properties.

Khudaverdyan isn’t the only person who’s gotten in trouble with the law for unlocking devices, or otherwise skirting around manufacturer-imposed limits. Last year, a man named Muhammad Fahd was sentenced to 12 years in prison for unlocking around 2 million AT&T phones, and a man named Gary Bowser was recently sent to prison (and charged a $10 million fine) for his role in a company that sold mods for the Nintendo Switch.

In some ways, these types of crimes are sympathetic — it’s hard to feel bad for companies losing out on revenue that they would’ve earned by restricting what customers can do with their devices. I’m not going to be shedding tears because the DOJ says that Khudaverdyan’s unlocks “enabled T-Mobile customers to stop using T-Mobile’s services and thereby deprive T-Mobile of revenue generated from customers’ service contracts and equipment installment plans.”

Of course, the fact that such unlocks are illegal means that it’s difficult to run an unlock scheme without getting your hands dirty. Defrauding T-Mobile employees for their credentials isn’t great, nor is potentially unlocking phones phones for thieves who want to sell them on the black market. But it’d be hard for people like Khudaverdyan or Fahd to build lucrative and shady businesses doing this kind of thing if carriers made it far easier for customers to do it themselves.

Khudaverdyan is facing at least two years in prison for aggravated identity theft, and up to 165 years for the counts related to wire fraud, money laundering, and accessing a computer without authorization. A sentencing hearing is scheduled for October 17th.