A Pakistani man bribed AT&T call-center employees to install malware and unauthorized hardware as part of a scheme to fraudulently unlock cell phones, according to the US Department of Justice. Muhammad Fahd, 34, was extradited from Hong Kong to the US on Friday and is being detained pending trial.

An indictment alleges that "Fahd recruited and paid AT&T insiders to use their computer credentials and access to disable AT&T's proprietary locking software that prevented ineligible phones from being removed from AT&T's network," a DOJ announcement yesterday said. "The scheme resulted in millions of phones being removed from AT&T service and/or payment plans, costing the company millions of dollars. Fahd allegedly paid the insiders hundreds of thousands of dollars—paying one co-conspirator $428,500 over the five-year scheme."

In all, AT&T insiders received more than $1 million in bribes from Fahd and his co-conspirators, who fraudulently unlocked more than 2 million cell phones, the government alleged. Three former AT&T customer service reps from a call center in Bothell, Washington, already pleaded guilty and agreed to pay the money back to AT&T.

The first indictment against Fahd was filed in November 2017, and he was arrested in Hong Kong at the request of the United States in February 2018, but the case was just unsealed yesterday. Fahd is facing 14 charges in US District Court for the Western District of Washington. The charges are conspiracy to commit wire fraud, conspiracy to violate the Travel Act and the Computer Fraud and Abuse Act, four counts of wire fraud, two counts of accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act.

AT&T generally locks phones to its network, preventing them from being used with other carriers. AT&T grants customers' unlock requests after they've paid off their contracts or device installment plans.

If a phone is unlocked before it has been paid off, resulting in a customer switching to another carrier, AT&T might not be able to collect the rest of the payments, a DOJ indictment of Fahd noted.

"Unlocked phones were a valuable commodity because they could be resold and used on any other compatible network around the world... When phones were unlocked fraudulently without AT&T's authorization and customers switched service to other carriers, the fraudulent transactions deprived AT&T of the stream of payments that were due under the service contracts and installment plans," the indictment said.

The alleged conspiracy involved "the installation of malware and unauthorized hardware on AT&T's internal network," which Fahd and co-conspirators used to sell fraudulent phone-unlocking services to the general public, the indictment said.

Former AT&T workers pleaded guilty

Three now-former AT&T employees cooperated with the government and pleaded guilty to charges related to the conspiracy, and they are expected to testify at trial against Fahd, a court document said. Their names are Kyra Evans, DeVaughn Woods, and Marc Sapatin. All three agreed to pay financial penalties that will be transferred to AT&T, but they could also face prison time after their November 1 sentencing hearings.

Sapatin agreed to pay $441,500 in an October 2018 plea agreement. Evans agreed to pay restitution of $280,200, and Woods agreed to pay $155,032.

"We have been working closely with law enforcement since this scheme was uncovered to bring these criminals to justice and are pleased with these developments," AT&T told Ars.

We asked AT&T if it made any security improvements to prevent this from happening again, but we did not receive an answer. An AT&T spokesperson said that the scheme did not result in improper access to customer information.

The DOJ also charged Ghulam Jiwani, one of Fahd's alleged co-conspirators. Jiwani was arrested in Hong Kong, "but died prior to being transferred to United States custody," a court document said. The charges against him were dropped as a result of his death.

Fahd and Jiwani had other co-conspirators "known and unknown to the Grand Jury," the indictment said.

Evans, Woods, and Sapatin were apparently not the only AT&T employees allegedly involved in the scheme. The DOJ alleges that "between 2012 and 2017, Fahd recruited various AT&T employees to the conspiracy. Some early recruits were paid to identify other employees who could be bribed and convinced to join the scheme. So far, three of those co-conspirators have pleaded guilty admitting they were paid thousands of dollars for facilitating Fahd's fraudulent scheme."

Fahd and his co-conspirators instructed AT&T employees "to create shell companies and open business banking accounts in the names of the shell companies" in order to receive their bribes, the indictment said.

More details from the indictment

The scheme began in April 2012 when Fahd and his co-conspirators gave the bribed AT&T employees "instructions... including lists of cellular telephone international mobile equipment identity (IMEI) numbers for the insiders to submit for fraudulent and unauthorized unlocking," the indictment said.

The alleged malware-planting part of the conspiracy began around April 2013. Fahd, Jiwani, and others allegedly "bribed insiders to plant malware on AT&T's internal protected computers for the purpose of gathering confidential and proprietary information on how AT&T's computer network and software applications functioned."

Fahd and his co-conspirators used this information to create "additional malware designed to interact with AT&T's internal protected computers and process fraudulent and unauthorized unlock requests submitted... from remote servers controlled by members of the conspiracy," the indictment said.

With this malware, Fahd and his crew were able to "log into AT&T's internal protected computers under false pretenses and to process fraudulent and unauthorized unlock requests," the indictment said.

From November 2014 to September 2017, Fahd and others allegedly bribed AT&T insiders "to install unauthorized computer hardware devices, including wireless access points designed to provide the conspiracy with unauthorized access to AT&T's internal protected computers." With these hardware devices, Fahd and others "facilitate[d] the automated process of submitting fraudulent and unauthorized unlock requests on behalf of the conspiracy."