BEWARE IMPERSONATION SCAMS! Be sure that you are interacting with us. We e-mail exclusively from the domain @dilendorf.com

Terpin v. AT&T: A SIM-Swap Case That Put FCA in the Spotlight

September 2, 2025  |   By: Max Dilendorf, Esq.
Max Dilendorf, Esq.
Max Dilendorf, Esq.

212.457.9797  |  md@dilendorf.com

After a January 2018 SIM-swap, crypto investor Michael Terpin alleged roughly $24 million in losses and sued AT&T, arguing the carrier violated the Federal Communications Act (FCA) by permitting access to his protected customer information—customer proprietary network information (CPNI)—without proper authentication.

In 2024, the Ninth Circuit revived that FCA theory and sent the case back to the Central District of California.

On July 16, 2025, the district court partly denied AT&T’s summary-judgment motion on the FCA claim and set the case on a path toward trial, making this one of the most watched SIM-swap matters in the country.

What happened: the SIM-swap and theft

According to the record, teenager Ellis Pinsky paid Jahmil Smith, an employee at an AT&T authorized retailer, to bypass safeguards and swap Terpin’s number to a device the attackers controlled.

They then sent password-reset codes to the hijacked number, accessed Terpin’s Microsoft OneDrive, and found a .txt file in the OneDrive trash containing wallet credentials—leading to the alleged $24M loss.

As Terpin’s filing puts it, “Pinsky … bribed [Jahmil] Smith … to bypass security measures and swap Terpin’s SIM,” then used SMS resets to enter his accounts.

AT&T’s appellate brief emphasizes user-side practices: Terpin copied credentials into a separate document that synced to OneDrive; he admitted that if he hadn’t done so “he wouldn’t have suffered any crypto loss.”

Claims and legal theories

  • Claims pleaded. Terpin’s operative complaint asserted fraud, negligence, contract claims, and unauthorized disclosure under the FCA (47 U.S.C. §§ 206, 222). He sought ~$24M plus punitive damages.
  • Appellant’s framing. Wireless carriers control SIM swaps and must protect CPNI; a swap without proper authentication permits access to protected information and foreseeably enables downstream account takeovers.
  • Defense & industry perspective. AT&T (and CTIA as amicus) argue a SIM-swap by itself does not disclose § 222-protected information and that the loss stemmed from intervening steps across third-party platforms (email, Microsoft, wallet providers). CTIA also warns that expanding § 222 could risk turning carriers into de facto insurers for cross-platform cybercrime.

Procedural history & timeline

August 15, 2018 — Filing (C.D. Cal., Los Angeles; No. 2:18-cv-06975-ODW-KS).
Terpin sues AT&T after a January 2018 SIM-swap. He alleges approximately $24 million in losses and brings fraud, negligence, contract, and FCA § 222 (CPNI) claims.

2017–2018 factual backdrop. Attackers allegedly bribed an AT&T authorized-retailer employee to perform an unauthorized SIM-swap, then used SMS password resets to access Terpin’s Microsoft OneDrive, where a .txt file in the trash contained wallet credentials—enabling the crypto theft.

September 8, 2020 Pleadings trimmed (district court). Fraud claims and punitive-damages requests dismissed with prejudice.

March 30, 2023 — Summary judgment (district court). The court grants summary judgment to AT&T on the remaining claims, including the FCA theory. Terpin appeals.

September 30, 2024 — Ninth Circuit (No. 23-55375). Affirmed in part, reversed in part, and remanded. The panel revives only the FCA § 222 claim and instructs the district court to address proximate cause on remand.

July 16, 2025 — Order on remand (district court). On a renewed summary-judgment motion, the court grants in part / denies in part:

  • A jury could find AT&T failed to take reasonable measures and properly authenticate before allowing access to CPNI during the fraudulent SIM-swap (citing 47 C.F.R. § 64.2010(a) and Global Crossing).
  • AT&T prevails to the extent Terpin’s § 222 theory rests solely on the authorized-retailer employee’s (Smith’s) unauthorized acts.

What Section 222/CPNI means here

Section 222 and the FCC’s CPNI rules require carriers to safeguard customer proprietary network information and authenticate before disclosure.

On remand, the district court tied Terpin’s revived claim to these authentication and “reasonable measures” duties.

Terpin’s briefing also argues the ubiquity of SMS-based resets makes SIM-swap disclosures foreseeably harmful when a carrier permits access to a number without proper checks.

What’s next

Only one claim remains: FCA § 222 based on AT&T’s own conduct during the January 2018 swap. The court has referred the parties to a settlement conference on December 8, 2025 and set a jury trial for March 3, 2026, with pretrial on February 23, 2026.

Why this case matters beyond the parties

  • SIM-swap accountability: The ruling signals that failing to authenticate before a SIM change can expose carriers to FCA liability when it “permits access” to protected information.
  • Causation in cyber-heists: The Ninth Circuit’s partial revival leaves proximate cause to be hashed out on a trial record—important for future cases where telecom events trigger multi-platform compromises.
  • Industry lens: CTIA warns that expansive § 222 theories could make carriers de facto insurers against downstream fraud across other services.

Contact Us

At Dilendorf Law Firm, we represent clients who have been targeted by SIM-swap attacks and other forms of cyber fraud.

With over six years of experience and a record of handling more than 100 consumer arbitration cases, we have successfully pursued claims against both major cryptocurrency exchanges—including Coinbase, Gemini—and leading phone carriers such as Verizon, T-Mobile, and AT&T.

Our attorneys are skilled in navigating proceedings before all major arbitration forums, including AAA, JAMS, and NAM.

We also represent victims whose digital assets were stolen not only from regulated exchanges but also from self-custody wallets like MetaMask and other decentralized platforms.

In high-stakes cases, we advise and coordinate with U.S. law enforcement and investigative agencies—including the FBI, Department of Homeland Security (DHS), and the Secret Service—as part of broader recovery strategies and criminal investigations into cybercrime.

If you have suffered losses due to a SIM swapping incident or other cyber fraud, contact us to discuss your case and options for recovery.

Email: info@dilendorf.com | Phone: 212.457.9797

 

Disclaimer: This is a public-record summary, not legal advice. We are not counsel of record and this case is not affiliated with Dilendorf Law Firm in any way.

This article is provided for your convenience and does not constitute legal advice. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.

Other Blog Posts

ALL ARTICLES
Our website uses cookies. By continuing to use our site, you agree to our use of cookies in accordance with our Privacy Policy.