A dramatic saga that began with a civil lawsuit between AT&T and former employees has resulted in a high-profile arrest. Muhammad Fahd, 34, and his co-conspirators allegedly paid AT&T employees more than $1 million in bribes over five years to install malware and spying devices at their offices in Washington, according to a Department of Justice indictment unsealed Monday. He was first arrested in Hong Kong in February 2018, and was extradited to the United States Friday. Fahd is accused of orchestrating an elaborate conspiracy from the other side of the world, designed not to steal sensitive customer data or proprietary information but to illegally “unlock” more than 2 million AT&T cell phones.
The newest iPhones and Android smartphones can now cost upwards of $700. To afford them, millions of Americans sign one- or two-year contracts with their mobile carriers, which allows them to pay for their phones in monthly installments. As a protection against theft, carriers “lock” the devices, stopping them from being easily sold or used with another mobile network. Customers can request to unlock their phones for valid reasons like traveling overseas, but an ecosystem of shady entities has sprung up that offer to do it without proper authorization. Some claim to carry out the process via technical means, but Fahd and those who worked with him are accused of recruiting AT&T employees to help unlock phones from the inside, paying one worker as much as $428,500 over five years.
The indictment unsealed this week is just the latest development in a case that’s been playing out in US courts for years. In 2015, AT&T filed a civil lawsuit against three former employees in connection with a phone unlocking scheme. Kyra Evans, Marc Sapatin, and Nguyen Lam all worked in an AT&T customer call center in Bothell, Washington, where AT&T alleged they unlocked thousands of phones by installing malware on company computers. The lawsuit also named anonymous John Doe defendants who allegedly helped run the operation. According to the lawsuit, AT&T was tipped off to their activity in September 2013, when IT staff noticed a surge in unlock requests, which “occurred within milliseconds of one another, suggesting the use of an automated or scripted process.” The lawsuit was halted a month after it was filed, when some of the defendants learned they were “targets of a long-running federal criminal investigation” that had already been underway for more than two years.
Federal investigators were after more than a handful of call center workers. They were looking for the operation’s leaders. Last fall, Evans, Sapatin, and a third ex-employee not named in the 2015 lawsuit, DeVaughn Woods, reached plea agreements with the US government. All three pleaded guilty to charges connected to their dealings with Fahd, and agreed to testify against him at trial, according to court documents. Fahd has now been charged with wire fraud, accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act, among other charges. The indictment names another co-conspirator, Ghulam Jiwani, who court documents say passed away while in custody in Hong Kong.
“We have been working closely with law enforcement since this scheme was uncovered to bring these criminals to justice and are pleased with these developments,” a spokesperson for AT&T said in an email. Lawyers for Fahd, Evans, Lam, Woods, and Sapatin did not immediately respond to requests for comment. The AT&T spokesperson said the company didn’t have anything additional to share about the status of the civil lawsuit.
Unlocking the Case
The Justice Department’s charges describe an elaborate ruse that began in 2012. At first, the indictment alleges, Fahd and Jiwani ran their unlocking business without the use of any fancy technology. Fahd reached out to the AT&T employees on Facebook, over the phone, and through other means, often going by “Frank” or “Frankie.” He then offered to pay them for unlocking AT&T devices, which they normally could in response to legitimate customer requests. Fahd instructed them to communicate with him using prepaid cell phones and anonymous email addresses, according to court records. Once they were on board, the workers were given lists of international mobile equipment identity numbers—unique to each device—and told to free the phones from their associated AT&T contract plans. To receive their payments, the AT&T workers were told to set up business banking accounts and fake shell companies. One even traveled to Dubai to accept a bribe, according to the DOJ.
Jiwani and Fahd’s scheme soon grew more complex, according to the indictment. In April 2013, they began asking AT&T employees to install malware on their work computers, which was designed to observe how the company’s network functioned. Using that information, they developed a software program that made it possible to carry out the unlocking process remotely, ostensibly so bribed employees didn’t need to enter each IMEI number manually at their desk. Six months later, Fahd and Jiwani ran into a problem: AT&T had discovered their malware, and several of the employees who were using it subsequently left the company or were fired, including Evans, Sapatin, and Lam. But the hiccup didn’t stop the scam for very long.
Not all of the bribed AT&T employees were apparently caught. Fahd allegedly went on to instruct the remaining workers to install not only malware but also hardware devices, which were used to process unauthorized unlock requests until approximately September 2017. All the while, federal authorities were apparently investigating the criminal activity, according to court documents. In February of 2018, Fahd was finally arrested. He made his first appearance in a Seattle federal court on Monday.
There’s an enormous, global appetite for secondhand smartphones, which are useless if still tethered to years-long contracts with US carriers like AT&T. The DOJ’s indictment provides a glimpse at some of the ways that demand is met. “The wireless industry has frequently fallen victim to large-scale phone trafficking operations in which illegal operators buy or steal large quantities of phones,” lawyers for AT&T wrote in their original 2015 lawsuit. They “unlock them, and resell them in foreign markets.”
The case is also evidence of a cybersecurity threat that’s proven difficult for wireless carriers to combat: their own customer service employees. Customer service reps need access to sensitive data and tools in order to do their jobs, but they may also be overworked and poorly compensated. In a separate case from May, the Department of Justice accused two former AT&T contract employees and one Verizon employee of providing customer information in exchange for bribes, which was used to steal victims’ phone numbers.