Cybercrime , Cybercrime as-a-service , Endpoint Security

Fraudster Gets 12-Year Sentence for AT&T 'Unlocking' Scheme

Man Allegedly Recruited, Trained AT&T Employees to Act as Hackers
Fraudster Gets 12-Year Sentence for AT&T 'Unlocking' Scheme
(Photo: Mike Mozart via Flickr)

A dual Pakistan and Grenada citizen has been sentenced to 12 years in prison for orchestrating a seven-year scheme that unlawfully unlocked nearly 2 million AT&T smartphones, which the carrier says amounted to $200 million in subscriber losses, according to the U.S. Department of Justice.

See Also: Live Webinar | Digital Doppelgängers: The Dual Faces of Deepfake Technology

The DOJ says Muhammad Fahd, 35, used the alias "Frank Zhang" and began the criminal activity in 2012, recruiting AT&T employees from a call center in Bothell, Washington, to unlock smartphones for profit. Fahd bribed AT&T employees to use their credentials to unlock phones for ineligible customers, later prompting them to install custom malware and hacking tools and allowing the illicit activity to proceed from Pakistan, The DOJ says.

Fahd pleaded guilty to conspiracy to commit wire fraud in September 2020. At a sentencing hearing Thursday, U.S. District Judge Robert S. Lasnik of the Western District of Washington called Fahd's activity a "terrible cybercrime," saying the criminal behavior continued after an investigation was underway, according to the DOJ.

DOJ officials say Fahd targeted AT&T's phone financing policy, in which customers pay the retail price of the phone in installments. But unlocking a device effectively removes it from the network, freeing account holders from the device cost and AT&T's service charges.

Years of Activity

The DOJ report indicates that beginning in June or July of 2012, Fahd first contacted an AT&T employee via Facebook, offering "significant sums of money" for secretly unlocking AT&T devices - and urging the individual to recruit others.

Fahd went as far as instructing co-conspirators on how to launder their earnings - including setting up fake businesses and bank accounts to receive payments, documented through fictitious invoices, DOJ officials say.

After a new AT&T unlocking system went into effect in 2013 making it more difficult to cut the devices off from the network, Fahd turned to malware deployment - hiring a software developer to design custom malware to inject on AT&T's computer system, allowing the dealings to continue and in fact escalate, officials say.

Fahd had employees provide confidential information about AT&T's computer network and procedures, and ultimately install malware to survey the network, gather access credentials and continue to customize malware that could prop up their operation, the DOJ says.

AT&T did not immediately respond to a request for comment Friday. A spokesperson told CNET in 2019 that its network was unaffected by the malware and the plot did not involve improper access to customer information.

Allison Nixon, chief research officer for the security firm Unit 221B, which did not assist in the investigation of this phone-unlock case, tells Information Security Media Group, "There are many employees in this country with access that's worth more than their paycheck. Thankfully, the vast majority are honest, but it only takes one to cause a major problem."

Nearly 2 Million Devices Affected

Forensic analysis from AT&T suggests that Fahd's actions fraudulently unlocked 1,900,033 phones, amounting to $201,497,430.94 in losses, since customers failed to complete payments, the DOJ says.

Fahd was indicted in 2017 and later arrested in Hong Kong in 2018. Extradited to the U.S., he first appeared in federal court in August 2019 and pleaded guilty the following September.

A co-conspirator, Ghulam Jiwani, was also indicted for allegedly making illicit payments and meeting with insiders in the U.S. and Dubai. He was arrested in Hong Kong but died prior to extradition, according to court documents.

'Swift Unlocks'

In a 2015 lawsuit against the call-center insiders - who had been investigated for bribes amounting to tens of thousands of dollars and later fired - AT&T said the conspiracy entailed the now-defunct company, Swift Unlocks, which offered related services via its remote access to AT&T's systems.

The company's website reportedly informed consumers that unlocked devices made it easier to do SIM-card switching during international travel, to earn a higher resale return, and to enroll in other carriers' promotions, according to GeekWire.

Speaking to ISMG about the case, Unit 221B's Nixon says, "Countering schemes like this is never possible with automated tools alone. Human investigators need to be on staff to look into ongoing fraud patterns and determine if they indicate ongoing abuse of an exploit. The creativity demonstrated in such schemes is beyond the detection capabilities of any automated tool."

SIM Fraud Suit

AT&T has previously been named in insider threat actions. In 2018, cryptocurrency investor Michael Terpin filed a $223.8 million lawsuit against the telecommunications giant. He accused AT&T of ignoring SIM fraud in a case involving 3 million cryptocurrency tokens, worth $24 million, allegedly stolen from a digital wallet while Terpin was at an AT&T branch where his SIM card was seized.

In September 2020, a California judge dismissed the sizable damages claim and narrowed allegations filed by Terpin, allowing the suit to continue for $24 million in losses.

CTIA Standards

The U.S. Federal Communications Commission has posted guidance on device unlocking developed by the CTIA, a trade association representing the wireless communications industry. The organization added unlocking standards to its Consumer Code for Wireless Service in 2014, including:

  • Wireless carriers agree to disclose policies on device unlocking and:
  • Unlock eligible mobile devices after fulfillment of postpaid service contract or applicable early termination;
  • Notify customers if they are eligible for unlocking.
  • Unlock eligible devices within two business days after receiving a request, or initiate a request to the original equipment manufacturer, or explain why the device does not qualify or if additional processing time is required.

About the Author

Dan Gunderman

Dan Gunderman

Former News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covered governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as, and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.