A man who the Department of Justice of the United States says unlocked AT&T customers’ phones for a fee was sentenced to 12 years in prison, in what the judge called “a terrible cybercrime over an extended period,” which allegedly continued even after authorities were on to the scheme.

According to a news release from the DOJ, in 2012, Muhammad Fahd, a citizen of Pakistan and Grenada, contacted an AT&T employee via Facebook and offered the employee “significant sums of money” to help him secretly unlock AT&T phones, freeing the customers from any installment agreement payments and from AT&T’s service.

Fahd used the alias Frank Zhang, according to the DOJ, and persuaded the AT&T employee to recruit other employees at its call center in Bothell, Washington, to help with the elaborate scheme. Fahd instructed the AT&T employees to set up fake businesses and phony bank accounts to receive payments, and to create fictitious invoices for deposits into the fake accounts to create the appearance that money exchanged as part of the scheme was payment for legitimate services.

In 2013, however, AT&T put into place a new unlocking system which made it harder for Fahd’s crew to unlock phones’ unique IMEI numbers, so according to the DOJ he hired a developer to design malware that could be installed on AT&T’s computer system. This allegedly allowed him to unlock more phones, and do so more efficiently. The AT&T employees working with Fahd helped him access information about its systems and other employees’ credentials, allowing his developer to tailor the malware more precisely, the DOJ said.

A forensic analysis by AT&T showed Fahd and his helpers fraudulently unlocked more than 1.9 million phones, costing the company more than $200 million. Fahd was arrested in Hong Kong in 2018 and extradited to the US in 2019. He pleaded guilty in September 2020 to conspiracy to commit wire fraud.

It’s not clear from the DOJ release whether anyone besides AT&T was harmed as a result of the scheme; there’s no mention of customers’ phones being otherwise compromised or any personal data being accessed. We’ve reached out to the DOJ to clarify whether any AT&T customers were affected.

The Verge