Former T-Mobile store owner netted $25 million from 5-year scheme which included tricking employees into resetting passwords


A former T-Mobile store owner has been found guilty of using stolen credentials to hack into “hundreds of thousands of cellphones” in a multi-year scheme that netted him roughly $25 million, which he spent on cars and properties in California.

Argishti Khudaverdyan, 44, who owned an Eagle Rock retail outlet in Los Angeles, used several dishonest methods to acquire the credentials needed to unlock phones or bypass carrier blocks, enabling customers to change network providers before their contract ended.

He used phishing emails and social engineering, and tricked those working at the T-Mobile IT Help Desk into resetting employee passwords, allowing him access to the internal system.

The scheme, which he ran from August 2014 to June 2019, also involved unlocking phones that had been reported lost or stolen, allowing them to be sold on the black market.

According to the statement from the Department of Justice, he advertised his service through email, brokers, and various websites, convincing others the process was legal and T-Mobile “official”. 

Khudaverdyan “enabled T-Mobile customers to stop using T-Mobile’s services and thereby deprive T-Mobile of revenue generated from customers’ service contracts and equipment installment plans,” the DOJ said.

“Aggravated identity theft”

Khudaverdyan had previously accessed information via the open internet, and his store was shut down by the company for suspicious activity in 2017.

Instead, he turned to sending convincing phishing emails to employees, including senior staff, tricking them into giving away their login details. He obtained over 50 employee logins in this period, according to court documents.

Khudaverdyan reportedly used the money he made to buy properties in California, a $32,000 Audemars Piguet Royal Oak watch, and a Land Rover, among other expensive items. 

Khudaverdyan faces at least two years in prison for aggravated identity theft, and up to 165 years for the counts related to wire fraud, money laundering, and accessing a computer without authorization.

His sentencing is on October 17. 
