Cyber Incident Victim: AT&T
Date: Apr 2012
Location: United States of America
Summary
Between 2012 and 2014, AT&T call-center employees accepted more than $1 million in bribes from foreign conspirators in a multi-phase scheme that combined unauthorized phone unlocking with malware deployed on the company's internal network. At first the bribed employees manually unlocked high-value devices such as iPhones so they could be used on other carriers. After those employees left the company, the conspirators paid remaining insiders to install keylogging malware that captured information about AT&T's internal systems and its unlock procedure; that information was used to build a second piece of malware that automated the unlocking. Bribed employees later installed rogue wireless access points inside AT&T facilities to give the conspirators persistent access to the network. More than two million devices were unlocked illicitly, costing AT&T over $5 million a year. The primary orchestrator was arrested and extradited to face criminal charges, and the company confirmed that no customer data was compromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 7 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
The incident centered on a bribery and malware scheme orchestrated by Muhammad Fahd, a Pakistani national, and his associate Ghulam Jiwani, who targeted AT&T's Mobility Customer Care call center in Bothell, Washington. Between approximately 2012 and 2014, Fahd's operation paid over $1 million in bribes to multiple AT&T employees to support two distinct phases of criminal activity. In the first phase, bribed call-center staff manually unlocked expensive iPhones from AT&T's network so the devices could be used on other carriers. This continued for roughly a year until April 2013, when the participating employees either resigned or were terminated by AT&T. Having lost those insiders, Fahd shifted between April and October 2013 to a malware-based approach, bribing remaining employees to install malicious software on AT&T's internal systems. The first malware strain was a keylogger intended to gather information about the structure and function of AT&T's internal computer systems and the steps of its unlock procedure, the knowledge needed to perform unlocks without an employee at the keyboard.

That captured information enabled a second malware variant that automated the device-unlocking process on AT&T's own systems, removing the need for constant employee involvement. In 2014 the scheme expanded again: additional bribed employees installed rogue wireless access points inside AT&T facilities, giving the conspirators persistent network access to keep the unauthorized unlocks flowing. The Department of Justice estimated that the conspiracy resulted in the unlawful unlocking of over two million devices, primarily high-value iPhones, and that one employee alone received $428,500 in bribes over five years. Fahd monetized the scheme through front entities including Endless Trading FZE and the website SwiftUnlocks. AT&T reported annual losses exceeding $5 million from the fraud. Law enforcement arrested Fahd in Hong Kong in February 2018, and he was extradited to the United States to face criminal charges carrying a maximum sentence of 20 years in prison. AT&T confirmed that the compromise did not involve unauthorized access to customer information or personal data.
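Malware driving the unlock workflow from inside the call center, with no agent at the keyboard, leaves a signature in the unlock transaction log that a human agent does not: far more unlocks than any peer, requests spaced at a machine-regular cadence, and activity while the desk is unstaffed. The following Python is an added example of that detection logic, not code from the page, from AT&T or from the investigation; the log format, field names, agent identifiers, thresholds and every sample record are constructed assumptions, and the scripted account agent099 is invented for illustration.

```python
"""Flag call-center accounts whose device-unlock activity looks scripted rather than human.

Added example: not code from the page, from AT&T, or from the investigation.
The log format ("timestamp,agent_id,imei,action"), thresholds and all sample
records are assumptions / constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Constructed records for three ordinary agents working a normal shift.
_NORMAL = [
    "2013-06-03T09:02:11,agent017,356000000000011,UNLOCK",
    "2013-06-03T10:47:30,agent017,356000000000012,UNLOCK",
    "2013-06-03T15:12:05,agent017,356000000000013,UNLOCK",
    "2013-06-03T08:15:00,agent042,356000000000021,UNLOCK",
    "2013-06-03T13:40:22,agent042,356000000000022,UNLOCK",
    "2013-06-03T16:58:41,agent042,356000000000023,UNLOCK",
    "2013-06-03T09:30:00,agent023,356000000000031,UNLOCK",
    "2013-06-03T11:05:10,agent023,356000000000032,UNLOCK",
    "2013-06-03T14:20:45,agent023,356000000000033,UNLOCK",
    "2013-06-03T17:01:03,agent023,356000000000034,UNLOCK",
]
# Constructed burst: twelve unlocks at a fixed 90-second cadence at 02:00,
# the shape that malware replaying the unlock workflow would produce.
_START = datetime(2013, 6, 4, 2, 0, 0)
_SCRIPTED = [
    f"{(_START + timedelta(seconds=90 * i)).isoformat()},agent099,3560000000001{i:02d},UNLOCK"
    for i in range(12)
]
SAMPLE_LOG = "\n".join(_NORMAL + _SCRIPTED)


def parse_unlock_log(text):
    """Parse the assumed CSV format into (timestamp, agent_id, imei) tuples, UNLOCK rows only."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, agent, imei, action = line.split(",")
        if action != "UNLOCK":
            continue
        records.append((datetime.fromisoformat(ts), agent, imei))
    return records


def flag_scripted_unlocks(records, volume_factor=3.0, max_gap_cv=0.2,
                          min_events=5, quiet_hours=range(0, 6)):
    """Return {agent_id: [reasons]} for accounts that trip any of three heuristics."""
    by_agent = defaultdict(list)
    for ts, agent, _imei in records:
        by_agent[agent].append(ts)
    counts = {agent: len(times) for agent, times in by_agent.items()}
    baseline = median(counts.values())  # peer baseline for the window
    flagged = defaultdict(list)
    for agent, times in by_agent.items():
        times.sort()
        n = len(times)
        # 1. Volume far above the peer median: one account doing the work of many.
        if n > volume_factor * baseline:
            flagged[agent].append(f"volume {n} > {volume_factor}x peer median {baseline}")
        # 2. Machine-regular cadence: people do not space requests evenly.
        if n >= min_events:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else 0.0  # coefficient of variation
            if cv < max_gap_cv:
                flagged[agent].append(f"regular cadence (gap CV {cv:.2f})")
        # 3. Activity while the desk is unstaffed.
        quiet = sum(1 for t in times if t.hour in quiet_hours)
        if quiet:
            flagged[agent].append(f"{quiet} unlocks during quiet hours")
    return dict(flagged)


if __name__ == "__main__":
    for agent, reasons in flag_scripted_unlocks(parse_unlock_log(SAMPLE_LOG)).items():
        print(agent, "->", "; ".join(reasons))
```

The cadence check is the one that matters once the operator learns to spread volume across several bribed accounts: each account then stays under the volume threshold, but the malware's fixed timing still shows. In production the peer baseline should come from a longer window than the one being scored, and the quiet-hours rule must be fed the site's actual shift schedule rather than a fixed range.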
