Menu
Browse

Cyber Threat Actor: Muhammad Fahd

Actor Type Location Known Incidents
 Icon
Crime Syndicate
Pakistan
1 incident
Profile

Muhammad Fahd, alsoknown by the alias Muhammad Fahd, is a threat actor originating from Pakistan who gained public attention through a criminal scheme targeting a major U.S. telecommunications provider. He operated under his own name and was linked to front companies such as Endless Trading FZE and the unlocking service SwiftUnlocks. Fahd’s activities came to light after a Department of Justice investigation revealed his role in bribing AT&T employees to facilitate unauthorized device unlocking and malware deployment. The actor’s known location is Pakistan, and he was apprehended in Hong Kong in February 2018 before being extradited to the United States to face charges.

The primary sector targeted by Fahd was the telecommunications industry, specifically AT&T’s Mobility Customer Care call center in Bothell, Washington. His strategic objective, as evidenced by the bribes paid and the subsequent unlocking of devices for profit, was financial gain rather than espionage or disruption. The scheme involved direct monetary payments to insiders to achieve illicit unlocking of mobile phones, which generated revenue through resale or unauthorized use. No publicly available information indicates that Fahd pursued state‑sponsored goals or sought to gather intelligence beyond the financial proceeds derived from the operation.

Fahd’s tactics included the use of bribery as an initial access vector to compromise employee credentials and gain internal network footholds. Once inside, he commissioned the installation of a keylogging malware strain to harvest AT&T infrastructure data, followed by a second malware variant that automated the phone‑unlocking process using the collected information. To maintain persistent access, rogue wireless access points were deployed via further bribes in 2014, allowing continued interaction with the target environment. These actions illustrate a reliance on insider threat recruitment, custom malware for data collection and automation, and wireless hardware for sustained presence.

Attribution to Fahd is based on publicly available court documents and DOJ statements that identify him as the principal orchestrator of the AT&T bribery and malware campaign; no state affiliation or larger criminal consortium has been established in the reporting. The most notable operation attributed to him is the multi‑phase AT&T scheme spanning roughly 2012 to 2014, which resulted in the unlocking of over two million devices, annual losses exceeding five million dollars for the carrier, and the payment of more than one million dollars in bribes to employees. This case remains the primary publicly cited example of Fahd’s activity.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source