AT&T ‘Paid Hacker $300,000’ To Delete Stolen Data

AT&T paid more than $300,000 (£231,000) to a hacker to delete call records stolen from the company in April and to provide proof of its deletion, Wired reported.

The payment of 5.7 Bitcoin, worth about $370,000 at the time, occurred on 17 May with an unnamed security researcher being used as a go-between, the magazine said.

The hacker said they initially demanded $1m from AT&T but settled for about one-third of that.

The amount is relatively small for such a high-profile data breach, involving call metadata for nearly all of AT&T’s customers.

Data deletion

The hacker told Bloomberg that they did not believe the stolen data was valuable or who might be interested in buying it.

Multiple news outlets said they had viewed the roughly seven-minute video the hacker said they provided to AT&T as proof the data was deleted.

The unnamed security researcher, referred to by his online handle Reddington, told Wired he believed the only complete copy of the dataset had been deleted.

But he said the hackers involved had shared excerpts of the data with multiple people and that the AT&T customers included in the excerpts could still be vulnerable to fraud.

AT&T, the FBI and the Department of Justice declined to comment on the payment.

The hacker who received the payment from AT&T said the person responsible for the hack was an American living in Turkey named John Erin Binns.

Binns was arrested in Turkey in May for an unrelated theft of data from T-Mobile in 2021 and was incarcerated at the time that the payment was made, which is why the hacker said they received the payment on Binns’ behalf.

Binns was indicted in 2022 for the T-Mobile breach, but as he has been living in Turkey with his Turkish mother since 2018 he could not be immediately arrested.

Turkish detainment

Last year US authorities learned that Binns did not have Turkish citizenship and as such could be arrested and extradited to the US.

The hacker who received the AT&T payment told Wired that Binns was arrested around 5 May.

Binns, who has a history of erratic interactions with US authorities, in October of last year wrote to the US District Court in Seattle to say that his actions in the T-Mobile hack were influenced by a chip implanted in his brain when he was an infant.

In a certified letter, Binns told the judge in the case that a “wireless brain (basal gangliea) stimulation implant or device implanted” shortly after he was born was responsible for “erratic behavior to include irresistible impulses, artificial neurological problems, and the possible commission of crimes”.

The timing of the letter indicates that Binns was aware that he was under indictment and could be arrested for the T-Mobile hack even as he carried out the hack on AT&T data and arranged to receive payment for it.

Snowflake hacks

AT&T disclosed the massive breach in a securities filing late on Friday, saying the data had been stolen from a poorly secured cloud environment with business cloud company Snowflake.

Snowflake said the hack was part of a larger campaign that the company disclosed last month, where hackers had used stolen login details to access the environments of as many as 165 corporate customers.

Binns is a member of the ShinyHunters hacking group that is understood to be behind the Snowflake breaches.

Ticketmaster, Santander, LendingTree and Advance Auto Parts have all been identified as affected by the Snowflake hacks.