December 19, 2022

Argishti Khudaverdyan, a 44-year-old Los Angeles former T-Mobile retail store owner, was sentenced to ten years in federal prison for stealing $25 million from wireless carriers between 2014 and 2019 by illegally unlocking and unblocking phones by hacking into T-Mobile’s internal systems.

The scheme involved stealing T-Mobile employee credentials and illegally accessing the company’s internal computer systems to illicitly “unlock” and “unblock” cellphones, according to the US Department of Justice (DOJ).

According to authorities, unlocking phones allowed them to be switched to another carrier or sold on the black market. This was what Khudaverdyan did while also removing blocks placed by carriers in the case of lost or stolen phones.

Khudaverdyan used phishing emails and other methods to trick T-Mobile employees into providing their information in order to unlock the phones.

Authorities said he and others stole credentials from more than 50 employees across the country. The stolen credentials were used to gain access to T-internal Mobile’s computer systems and, in many cases, to reset passwords, locking account holders out of the system.

Khudaverdyan unlocked plenty of Android and iOS devices using T-Mobile’s dedicated Mobile Device Unlock (MDU) and MCare Unlock (MCare) tools, using stolen credentials and IMEI numbers sent by customers through websites they controlled.

MCare did not require authentication because it was based on IP address blocks assigned to T-Mobile/Metro locations, whereas the MDU tool could only be used by authorized T-Mobile employees.

According to a statement from the U.S. Attorney’s Office, Khudaverdyan was also ordered to pay nearly $28.5 million in restitution.

The sources for this piece include an article in BleepingComputer.