Teenage Mutant Crypto Hackers
Posted July 09, 2024
Chris Campbell
With only 13 candles on his cake, Ellis Pinsky - now known as the "Baby Al Capone" - discovered the dark side of the internet.
Like most other walking hormone factories, his natural habitats included dimly lit rooms and virtual battlefields. His résumé was a collage of button mashing and creative insult generation.
Until, that is, a rival gamer sent him a chilling message after a heated match:
"How's the weather in Irvington?"
Ellis retreated, shutting down the game.
Yet…
As the screen darkened, and he got over the initial dread of a nemesis figuring out his physical location…
Ellis got excited.
A paradigm shift rattled open his young mind, unveiling a game with real-world consequences: hacking.
Suddenly, Call of Duty seemed like child's play. Thus began one of the biggest crypto heists in history.
Today, we’re going to talk about this wild story.
We’ll talk about how it happened… why this attack is such a big problem… and, finally, the simple device you can use to protect yourself.
Let’s begin at the utmost arc of every hero’s (or, in this case, antihero’s) journey: the mentor.
The Mentor
With a little digging, Ellis soon found a mentor in a hacker named "Ferno.”
Under Ferno's guidance, he learned how to uncover hidden information about people online, trading passwords, emails, and Social Security numbers.
It wasn't long before Ferno introduced Ellis to OGUsers, a forum where young hackers shared techniques.
Determined to learn everything, Ellis quickly surpassed his mentor, gaining a reputation as a hardcore player.
And, get this…
By 14, Ellis had insiders at major wireless carriers working for him. Through this network, he could hack anyone’s phone and access virtually any account he wanted.
Bank accounts. Social media profiles. Crypto accounts. The works.
The world was now his virtual oyster.
In January 2018, Ellis's abilities were put to the ultimate test when he was approached by a user named Harry.
The Big Heist
Harry had a high-profile target in mind: Michael Terpin, founder of Match.com.
Harry discovered that Terpin, a prominent figure in crypto at the time, owned millions of dollars worth of crypto. And he wanted Ellis's help to steal it.
On January 7, 2018, while Terpin was at a conference in Vegas, Ellis and Harry executed their plan.
An AT&T employee facilitated the SIM swap, giving Ellis and Harry access to Terpin's email. They ran a script to scan his emails for references to crypto passwords (private keys), eventually finding a file named "keys."
Inside, they discovered keys to a few crypto wallets. When they unlocked the wallets, they discovered a gold mine: in all, the crypto was worth about $24 million.
Ellis enlisted the help of friends from OGUsers to exchange the stolen funds for Bitcoin, paying them around $20,000 per batch.
One of these friends was Nicholas Truglia, a fellow SIM swapper.
BUT… there was a problem brewing in teenage millionaire paradise.
Nicholas, known for his reckless behavior, continued to carry out hacks even after the Terpin heist.
Unbeknownst to him, one user posing as a friend had been compiling evidence against him and sharing it with Terpin's lawyers.
Law enforcement was closing in on Nicholas's paper trail, tracing hacked funds back to wallets on Coinbase.
On November 13, 2018, Nicholas's apartment was raided.
Investigators found incriminating messages in his iCloud backup from the day of the Terpin hack, revealing his newfound wealth and extravagant spending on escorts and Super Bowl tickets.
In 2019, Terpin's lawyers filed a civil lawsuit under the RICO Act, demanding $72 million in restitution - three times the amount stolen.
Nicholas was cooked.
The Christmas Surprise
Shortly after Christmas in 2018, Terpin's lawyers contacted Ellis's mother. They accused Ellis of being the mastermind behind the $24 million hack.
Ellis's mother hired a lawyer, and he returned what he had: 562 BTC, a Patek Philippe watch, and $100,000 in cash.
However, the value of the returned Bitcoin had fallen to $2 million.
On his 18th birthday, Ellis received another lawsuit from Terpin, demanding the USD value at the time of the hack (over $10 million) plus $72 million in restitution.
Two weeks after the news went public, four masked men broke into Ellis's house, likely expecting to find the money.
But Ellis anticipated the attack, buying a shotgun months prior. His family barricaded themselves upstairs until the police arrived.
The Aftermath
After a drawn-out legal process, Nicholas pled guilty to several counts of wire fraud and was sentenced to 18 months in prison, ordered to pay $20 million in restitution to Terpin.
He finished his sentence in 2023 but was arrested again for civil contempt after claiming he could not access the funds to pay restitution.
He could be held indefinitely until the debt is paid off.
Ellis, too young to serve time, was ordered to pay an additional $22 million in restitution on top of what he had already returned.
He is currently enrolled at NYU, studying computer science and philosophy.
The Rub
Some frame this as a cautionary tale about the allure of easy money and the dark side of the internet.
Sure, there’s that…
But there’s an even bigger story: 14 year olds are coming not just for your crypto - but for your entire online life.
Fortunately, there are easy ways to protect yourself.
Simple Steps:
- Never click on a link in an email: Always type the URL directly into your browser to ensure you're not falling for phishing scams.
- Never call a number from an email: Scammers often use fake phone numbers. Verify numbers from official websites.
- Back up your app-based authenticators: Store your authenticator codes on a separate, cheap phone that you can connect to WiFi if needed.
- Don’t store your passwords or crypto keys on your device: Especially not in your email. Always write them down and put them in a safe place.
Pro Tips:
- Use a password manager: Tools like LastPass or 1Password can generate and store complex passwords, reducing the risk of password-related breaches.
- Enable multi-factor authentication (MFA): This adds an extra layer of security. Even if someone steals your password, they can't access your account without the second factor.
- Regularly update your passwords: Change your passwords periodically, especially for financial accounts.
But even these pro tips can fail if your master password, SMS codes, or authentication app codes are compromised, as they can still be phished or intercepted.
There’s one device that adds an unphishable, hardware-based layer of security that software solutions alone cannot match.
The Yubikey
The Yubikey is the BEST and EASIEST way to protect yourself.
- What is it? A Yubikey is a physical security key that you plug into your device. It provides a hardware-based second factor of authentication.
- Why use it? It’s virtually immune to phishing. Even if hackers get your password, they can’t get in without your physical Yubikey.
How to Use Yubikey:
- Set up the Yubikey with your accounts: Follow the instructions to pair your Yubikey with each account that supports it (most major platforms do).
- Keep a backup key: Have a second Yubikey stored in a safe place in case you lose the primary one.
- Use it regularly: Make it a habit to use your Yubikey every time you log in.
By applying these steps, you can significantly reduce your vulnerability to hackers and safeguard your digital assets and personal information.
Without this device, your digital life is a diamond in a public tuk-tuk.
With it, it’s a diamond in a submarine vault.