Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

DOJ: Bribed AT&T Workers Planted Malware on Carrier's Network

Scheme Involved Unlocking 2 Million Smartphones to Enable Fraud
DOJ: Bribed AT&T Workers Planted Malware on Carrier's Network
(Photo: Mike Mozart via Flickr/CC )

Over a five-year period, two men allegedly paid over $1 million in bribes to AT&T employees who helped plant malware on the company's internal systems that enabled the unlocking of smartphones to permit use outside the carrier's network, according to an indictment unsealed this week by the U.S. Department of Justice.

See Also: OnDemand | CybeRx - How to Automatically Protect Rockwell OT Customers from Today’s Cyber-Attacks

In addition to planting malware, these AT&T employees allegedly accessed the carrier's internal systems and installed illegal hardware within the network to help the suspects gain remote access and unlock millions of smartphones, according to the indictment.

Between 2012 and 2017, the scheme cost AT&T millions in lost revenue and other expenses, according to the Justice Department. It does not appear, however, that the two suspects or the employees involved in the bribery accessed customer data.

"We have been working closely with law enforcement since this scheme was uncovered to bring these criminals to justice and are pleased with these developments," an AT&T spokesperson tells Information Security Media Group.

The Charges

One of the two men charged with paying the bribes is Muhammad Fahd, a 34-year-old from Pakistan, who was arrested in Hong Kong on Feb. 4, 2018. He was extradited to the U.S. on Aug. 2 and now faces 14 federal charges, including conspiracy to commit wire fraud, conspiracy to violate the Travel Act and the Computer Fraud and Abuse Act, wire fraud, accessing a protected computer in furtherance of fraud and intentional damage to a protected computer, according to federal prosecutors.

Fahd, who remains in custody, could face up to 20 years in federal prison if convicted on all charges, the Justice Department says.

Federal prosecutors also indicted a second man - Ghulam Jiwani - as a co-conspirator in the case, although he’s believed to be deceased, according to the Justice Department.

Escalating Scheme

Over the course of five years, starting in 2012, Fahd and Jiwani allegedly worked together to bribe AT&T employees to unlock smartphones, federal prosecutors say.

At first, the two men allegedly bribed AT&T employees working at the carrier's call center in Bothell, Washington. Fahd would send over batches of international mobile equipment identity numbers to the employees, who would use these numbers to identify which smartphones to unlock, according to the indictment.

The indictment alleges that Fahd would contact AT&T customers who wanted to use another carrier's network and then have the company's employees unlock the smartphones. AT&T did now allow its customers to stop using its network while they were under contract with the carrier, according to the indictment.

"The object further was to sell to members of the public the resulting ability fraudulently to unlock phones, so that the members of the public could stop using AT&T wireless services and thereby deprive AT&T of the stream of payments it was owned under customers' service contracts and installment plans," the indictment states.

The unlocked smartphones were valuable because they could be resold and used on a different carrier's network, according to the indictment. The indictment does not specify how much money Fahd and Jiwani made from this alleged scheme, or if they were alone in finding AT&T customers who wanted to unlock their smartphones.

At first, Fahd and Jiwani allegedly paid out tens of thousands of dollars in bribes to AT&T employees. Some of these workers would also recruit others, according to the indictment. One insider collected over $428,000 in bribes during this time, prosecutors allege.

The indictment also alleges that Fahd and Jiwani instructed AT&T employees on how to set up phony shell corporations to hide the flow of bribes and to communicate about what smartphones to unlock. The two suspects in the case allegedly used a number of companies - with names such as Endless Trading FZE, Endless Connections Inc., and iDevelopment - to hide their activities, according to the indictment.

Planting Malware

At one point, AT&T began investigating some of its employees, and several who were suspected of taking bribes left their jobs or were fired, according to the indictment. To keep the unlocking scheme going, however, Fahd and Jiwani allegedly recruited new insiders, and in October 2013, they started giving them malware to plant on the company's network, according to the indictment.

At first, the malware, which is not specified in the indictment but appears to have been some type of keylogger or information stealer, helped Fahd learn more about AT&T's internal network and how its proprietary software worked, according to the indictment.

Later, federal prosecutors allege that Fahd made changes to the malware that allowed him to access the network using employees' credentials and begin remotely unlocking smartphones. AT&T insiders also planted remote access points within the Bothell call center building to give Fahd and Jiwani even greater access to the internal network, according to the indictment.

Over the course of five years, federal investigators believe that Fahd and Jiwani, along with the AT&T employees that they allegedly bribed, unlocked more than 2 million smartphones, according to the indictment.

The Justice Department notes that three unnamed AT&T employees have pleaded guilty to various charges, including taking bribes to help unlock these smartphones.

"This defendant [Fahd] thought he could safely run his bribery and hacking scheme from overseas, making millions of dollars while he induced young workers to choose greed over ethical conduct," U.S. Attorney Brian T. Moran, who is overseeing this case, notes in a statement.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.