T-Mobile may have secretly attempted to buy customer data leaked in 2021 hack

Court documents suggest a third-party firm possibly hired by the carrier tried to purchase the information.


Last August, T-Mobile confirmed it had fallen victim to a hack that saw the personal data of more than 54 million of its customers compromised. In the aftermath of that incident, the carrier announced a multi-year partnership with cybersecurity firm Mandiant. At the time, T-Mobile CEO Mike Sievert said the firm, alongside accounting agency KPMG, would help the carrier audit its security practices and implement policies that would help it prevent future cybersecurity incidents.

Newly unsealed court documents filed by the Department of Justice suggest the carrier may have also hired a third-party firm to prevent the data leaked in the hack from circulating more widely. First spotted by Motherboard, the documents detail criminal charges against Diogo Santos Coelho, the alleged founder and administrator of RaidForums. Before it was taken down by the Justice Department, the website was a place where hackers came to buy and sell stolen data, including, it would seem, the personal information of T-Mobile’s customers.

The documents detail an incident involving an individual who went by the alias “SubVirt.” At some point on or around August 11th, 2021, they posted to RaidForums to try and sell a trove of recently hacked data. The Justice Department doesn’t explicitly name a victim, instead referring to them simply as “Company 3,” but notes a later post “confirmed the data belonged to a major telecommunications company and wireless operator provides services in the United States.”

According to the agency, Company 3 “hired a third-party to purchase exclusive access to the database to prevent it being sold to criminals.” An employee posed as a potential buyer and paid approximately $50,000 in Bitcoin to obtain a sample of the data. They then paid an additional $150,000 for the entire database with the understanding that SubVirt would delete their copy. Unfortunately for Company 3, SubVirt and their collaborators did not honor the agreement. The Justice Department notes “it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase.”

Based on information in the court documents and the timeline of the incident, Motherboard, which first reported the news of the data breach in 2021, suggests T-Mobile is the unnamed carrier alluded to by the Justice Department. We’ve reached out to the company and Mandiant for comment.