AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records

US telecom giant AT&T, which disclosed Friday that hackers had stolen the call records for tens of millions of its customers, paid a member of the hacking team more than $300,000 to delete the data and provide a video demonstrating proof of deletion.

The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin. Chris Janczewski, head of global investigations for crypto-tracing firm TRM Labs, also confirmed using the company’s own tracking tool that a transaction occurred in the amount of about 5.72 bitcon (the equivalent of $373,646 at the time of the transaction), and that the money was then laundered through several cryptocurrency exchanges and wallets, but said there was no indication of who controlled the wallets.

A security researcher who asked to be identified only by his online handle, Reddington, also confirmed that a payment occurred. The hacker enlisted him to serve as the go-between for their negotiation with AT&T, and Reddington received a fee from AT&T for serving in that capacity. Reddington provided WIRED with proof of the fee payment. The hacker initially demanded $1 million from AT&T but ultimately agreed to a third of that.

WIRED viewed the video that the hacker says he provided to AT&T as proof to the telecom that he had deleted its stolen data from his computer. Reddington says he believes it was the entire AT&T dataset that Binns allegedly stole because the hacker and Binns stored the data in a cloud server that they both could access, and he says the hacker deleted it from that server.

AT&T did not respond to WIRED’s request for comment.

It was indirectly through Reddington that AT&T learned about the data theft three months ago.

Reddington tells WIRED that in mid-April, an American hacker living in Turkey and believed to be John Erin Binns—not the hacker who received payment—contacted him to say that he had obtained Reddington’s AT&T call logs. After Reddington verified that the call logs were real, Binns allegedly told Reddington that he had also obtained call and texting logs of millions of other AT&T customers through a poorly secured cloud storage account hosted by Snowflake. Reddington notified the security firm Mandiant about the breach, and Mandiant then notified AT&T. In a regulatory filing it made to the Securities and Exchange Commission on Friday, AT&T said that it first learned of the breach in April.

AT&T is one of more than 150 companies that are believed to have had data stolen from poorly secured Snowflake accounts during a hacking spree that unfolded throughout April and May. It’s been previously reported that the accounts were not secured with multi-factor authentication, so after the hackers obtained usernames and passwords for the accounts, and in some cases authorization tokens, they were able to access the storage accounts of companies and siphon their data. Ticketmaster, the banking firm Santander, LendingTree, and Advance Auto Parts were all among the victims publicly identified to date.

Reddington has facilitated a number of negotiations between the hackers and victims of the Snowflake account breaches. He says Binns asked him to contact AT&T “to facilitate a buyback of the data,” and that “given the importance of the data” and the potential for harm, “I felt an obligation to ensure he did not sell the data to anyone else.”

He notes that the sequence of events indicates that Ticketmaster’s Snowflake account was likely the first one breached in the campaign, after which the hackers targeted AT&T and others.

“Analysis of the data samples [the hackers] provided from other victims indicated that the hack of Ticketmaster occurred first,” he tells WIRED. “From there, it seems the actors figured out they could target ‘snowflakecomputing.com’ domains by looking for stolen credentials. It did not take them long to compile a list and write a script to hit all of the Snowflake victims simultaneously.”

The stolen AT&T data included call and text messaging metadata, but not the content of calls or messages or the names of the phone owners, according to AT&T’s SEC filing. Reddington alleges that Binns demonstrated how easily he could identify the owners of the numbers using a reverse-lookup program that identified by name the family members, colleagues, and others attached to the phone numbers who communicated with them.

The stolen data included telephone numbers of “nearly all” of AT&T’s cellular customers and the numbers of customers of other wireless carriers who exchanged calls or messages with those AT&T customers between May 1, 2022, and October 31, 2022, as well as on January 2, 2023, according to the company. It also included the landline phone numbers that communicated with the affected AT&T customers during this period. The data included dates for the communication and the duration of calls. “For a subset of the records, one or more cell site ID numbers associated with the interactions are also included,” the company said in a blog post. Cell site IDs reveal which cell towers a phone pings and can potentially be used to identify a phone user’s general location and movements.

News of the breach became public on Friday only when AT&T disclosed it in its blog post and SEC filing. Although public companies are required to report breaches to the SEC after learning about them, AT&T wrote that the Department of Justice had granted it exemptions in May and June to delay notification due to a potential national security or public safety harm if the breach were revealed. The FBI told CNN that AT&T had contacted the bureau shortly after learning about the hack, but the bureau wanted to review the data to determine what had been taken and assess any potential harm before AT&T disclosed it publicly and to the SEC.

The hacker who received the payment from AT&T alleges that Binns was responsible for the breach and shared samples of the data with him and others after downloading it. He says he believes Binns allegedly stole “several billions” of records from AT&T, though WIRED was unable to confirm this. Reddington understands that the data that was deleted was the only complete dataset taken by the hackers. Reddington says he does not believe the hackers posted the data publicly, though he’s not sure how many people received excerpts of the data Binns allegedly provided or what they did with it.

Despite the payment and deletion, some AT&T customers and those who communicated with them may still be at risk, given that others may have samples of the data that were not deleted.

The hacker who spoke with WIRED obtained payment from AT&T instead of Binns because, he says, in an odd twist to the case, Binns was arrested in Turkey in May for an unrelated breach dating back to 2021. That one involved a massive theft of data from T-Mobile. AT&T said in its SEC filing that it believed “at least one person” associated with the breach had already been apprehended, but didn’t identify him. 404 Media was first to report on Friday that Binns is allegedly that person.

Binns was indicted in 2022 on 12 counts related to the 2021 hack of T-Mobile “and theft and sale of sensitive files and information” that involved data on more than 40 million people. Binns, however, had moved from the US to Turkey in 2018 with his Turkish mother, according to an interview he gave three years ago to The Wall Street Journal. The indictment remained sealed until this year. Last September, the US learned he could possibly be arrested in Turkey and extradited to the US because he didn’t have Turkish citizenship. Prosecutors in Seattle, near where T-Mobile is based, asked a US court in December to unseal parts of the indictment so they could give it and an arrest warrant to Turkish authorities who were making the final decision on whether Binns could be extradited legally under Turkish law. The court granted the request to unseal in January.

The hacker who received payment from AT&T tells WIRED he believes Binns was arrested in Turkey around May 5, since Binns hasn’t responded to any attempts by him and others to contact him. WIRED contacted the Seattle public defender representing Binns in the T-Mobile case but did not receive a reply.

Binns has had contact with US authorities on a number of occasions and has accused the CIA and other agencies of wild conspiracies to harm and entrap him. As part of a 2020 FOIA lawsuit against the FBI, CIA, and US Special Operations Command to obtain records he claimed they held about him, Binns claimed that CIA contractors spied on him, experimented on him, harassed him, and that one of them pointed a “psychotronic weapon” at his head and used a microwave oven to shock him, among other allegations. He later filed a motion to dismiss his FOIA case, claiming he had filed some documents while “experiencing a psychological episode brought on by intoxication.”

Last October, in the T-Mobile case, Binns wrote to the US District Court in Seattle and said he believed his actions were affected by a chip that had been implanted in his brain when he was an infant. In a certified letter sent to the court and viewed by WIRED, Binns told the judge that he believed a “wireless brain (basal gangliea) stimulation implant or device implanted” shortly after he was born was responsible for “erratic behavior to include irresistible impulses, artificial neurological problems, and the possible commission of crimes.”

The timeline suggests that if Binns is responsible for the AT&T breach, he allegedly did it when he was likely already aware that he was under indictment for the T-Mobile hack and could face arrest for it.