The Teen Who Shocked Crypto: Ellis Pinsky’s SIM-Swap Heist

How a 15-year-old from New York became linked to one of the most extraordinary SIM-swap thefts of the cryptocurrency era, and the bedroom heist that shocked crypto

In the strange, volatile world of cryptocurrency, fortunes can move at the speed of a password reset. In January 2018, one of the most dramatic examples of that new digital vulnerability unfolded when investor Michael Terpin lost nearly $24 million in cryptocurrency after his mobile phone number was taken over in a SIM-swap attack.

At the centre of the civil allegations was Ellis Pinsky, a teenager from Irvington, New York, who was just 15 at the time. Later dubbed “Baby Al Capone” by sections of the American press, Pinsky became a symbol of a new kind of cybercrime: young, technically fluent, socially manipulative, and able to exploit the weakest link in the modern security chain.

The case did not involve masked men, getaway cars or a drilled-open vault. It involved a mobile phone number, telecoms procedures, online accounts and the fragile trust placed in two-factor authentication.

Who Was Ellis Pinsky?

Ellis Pinsky was a high school student from a comfortable New York suburb when he became associated with one of the most notorious cryptocurrency thefts of the decade. According to civil claims brought by Michael Terpin, Pinsky was not merely a bystander, but an alleged organiser in a group that targeted people known to hold large sums of cryptocurrency.

By the time Terpin sued him in 2020, Pinsky was 18. The alleged theft had occurred two years earlier, when he was still legally a child.

It was that detail which made the story so irresistible to the press. Here was not the familiar image of a veteran cybercriminal operating from some shadowy bunker but a teenager accused of helping to orchestrate a multimillion-dollar digital raid from the world of schoolwork, bedrooms and online chat groups.

The contrast was almost cinematic: suburban adolescence on one side, a $23.8 million crypto theft on the other.

What Was a SIM-Swap Attack?

The method allegedly used against Terpin was known as SIM swapping. It is one of the most dangerous forms of digital identity theft because it does not begin by breaking into a crypto wallet directly. Instead, attackers seize control of a victim’s mobile phone number.

Once a phone number is transferred to a SIM card controlled by attackers, they may be able to receive text messages intended for the victim. That can include password reset codes, login confirmations and security prompts.

In effect, the mobile number becomes a stolen master key.

Court records in Terpin’s wider litigation against AT&T later described how Pinsky and an associate allegedly bribed an employee at an AT&T-authorised retailer to bypass security measures and transfer Terpin’s number onto a SIM card under their control. After that, the attackers were able to use password recovery systems to access online accounts belonging to Terpin.

The brilliance of the attack, if that is the word, was also its ugliness. The cryptocurrency itself was not necessarily hacked in some grand mathematical assault. Instead, the attackers allegedly exploited people, procedures and trust.
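An added example, not part of the original article: one defensive check that follows from the mechanism described above is to stop trusting SMS codes for a period after a number moves to a new SIM. The event schema, field names, 72-hour window and sample events below are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy: treat SMS as an untrusted channel for this long after a SIM change.
RISK_WINDOW = timedelta(hours=72)
# Hypothetical action names for account events that rely on an SMS code.
SMS_ACTIONS = {"password_reset_sms", "login_sms_otp"}

# Constructed sample data (hypothetical schema, not taken from any real system).
SIM_CHANGES = [{"msisdn": "+15550100", "ts": "2024-03-01T14:02:00"}]
ACCOUNT_EVENTS = [
    {"account": "alice@example.com", "msisdn": "+15550100",
     "action": "password_reset_sms", "ts": "2024-03-01T13:00:00"},  # before the swap
    {"account": "alice@example.com", "msisdn": "+15550100",
     "action": "password_reset_sms", "ts": "2024-03-01T14:20:00"},  # 18 min after
    {"account": "alice@example.com", "msisdn": "+15550100",
     "action": "login_totp", "ts": "2024-03-01T15:00:00"},          # not SMS-based
    {"account": "bob@example.com", "msisdn": "+15550111",
     "action": "password_reset_sms", "ts": "2024-03-01T14:25:00"},  # no SIM change
    {"account": "alice@example.com", "msisdn": "+15550100",
     "action": "login_sms_otp", "ts": "2024-03-02T10:00:00"},       # still in window
    {"account": "alice@example.com", "msisdn": "+15550100",
     "action": "login_sms_otp", "ts": "2024-03-14T09:00:00"},       # window expired
]

def parse(ts):
    return datetime.fromisoformat(ts)

def latest_sim_change(msisdn, when, sim_changes):
    """Most recent SIM change for this number at or before `when`, else None."""
    prior = [parse(c["ts"]) for c in sim_changes
             if c["msisdn"] == msisdn and parse(c["ts"]) <= when]
    return max(prior, default=None)

def flag_risky_sms_events(account_events, sim_changes, window=RISK_WINDOW):
    """Return SMS-dependent account events that fall inside the post-swap window."""
    alerts = []
    for ev in account_events:
        if ev["action"] not in SMS_ACTIONS:
            continue  # app-based or hardware factors are unaffected by a SIM swap
        when = parse(ev["ts"])
        changed = latest_sim_change(ev["msisdn"], when, sim_changes)
        if changed is not None and when - changed <= window:
            minutes = int((when - changed).total_seconds() // 60)
            alerts.append({"account": ev["account"], "action": ev["action"],
                           "minutes_after_sim_change": minutes})
    return alerts

if __name__ == "__main__":
    for alert in flag_risky_sms_events(ACCOUNT_EVENTS, SIM_CHANGES):
        print(alert)
```

In a real deployment the flagged events would be held for step-up verification over a channel that does not depend on the phone number.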

How Much Was Stolen?

The sum most commonly reported is $23.8 million, often rounded to $24 million.

Michael Terpin, a well-known figure in cryptocurrency investing, alleged that Pinsky and others were responsible for stealing the funds after gaining control of his phone number and digital accounts. In his civil claim, Terpin sought $71.4 million in damages, arguing that the theft caused vast financial harm.

The number was staggering. For the general public, cryptocurrency already seemed mysterious enough, a realm of invisible money and strange jargon. The idea that almost $24 million could disappear through a hijacked mobile number made the whole system look less like a futuristic bank and more like a glass house with a very expensive doorbell.

Was Ellis Pinsky Criminally Charged?

One of the most striking elements of the case is that Pinsky was not publicly reported to have been criminally charged over the Terpin theft.

That does not mean the allegations vanished. Nor does it mean there were no consequences. It means that the central public reckoning for Pinsky came through civil litigation rather than a criminal trial.

This distinction matters. Pinsky was accused in lawsuits and press reporting, but he was not convicted in a criminal court for the Terpin theft. For any responsible account of the case, that line must be kept bright and visible.

The story is therefore not simply “teen hacker jailed after crypto raid”. It is more complicated and more revealing. It is a story about civil liability, settlement, cooperation and a justice system that treated different alleged participants in different ways.

The Settlement

In 2022, Pinsky agreed to pay Michael Terpin $22 million. The agreement was filed in the Southern District of New York and was linked to the SIM-swap case.

As part of the settlement, Pinsky was also expected to cooperate with Terpin in his continuing legal battle against AT&T. Terpin had argued that the telecoms giant failed to protect his account properly, allowing attackers to seize control of his mobile number.

For Pinsky, the settlement became the major public consequence of the affair. For Terpin, it formed part of a much wider campaign to hold both individuals and institutions accountable for the security failures that made the theft possible.

Nicholas Truglia and the Wider Case

Another figure connected to the broader affair was Nicholas Truglia, who did face criminal prosecution. Truglia was sentenced to 18 months in prison and ordered to pay more than $20 million in restitution to Terpin.

That contrast is one of the most fascinating parts of the case. Truglia was criminally punished. Pinsky, despite being accused in civil proceedings of playing a central role, appears to have resolved his part of the matter through a settlement and cooperation rather than a criminal conviction.

The result leaves a legal aftertaste: one case, several actors, different forms of accountability.

Why the Case Became So Notorious

The Pinsky case captured attention because it punctured several illusions at once.

First, it challenged the idea that large-scale financial crime required age, status or traditional criminal networks. A teenager with access to the right online circles and the right social engineering skills could allegedly help trigger a theft of enormous scale.

Second, it exposed the fragility of mobile phone-based security. Banks, email accounts, crypto platforms and cloud services have long treated phone numbers as reliable identity anchors. But a phone number is only as secure as the company and staff responsible for protecting it.

Third, it showed how cryptocurrency wealth created new targets. Crypto investors could hold huge sums outside traditional banking systems, but many still depended on ordinary telecoms infrastructure to secure their accounts. That contradiction created a hunting ground for SIM swappers.

The New Face of Cybercrime

The image of cybercrime has often lagged behind reality. Popular culture still imagines hackers as solitary geniuses typing green code in dark rooms. The Terpin case suggested something more mundane and more disturbing.

Modern cybercrime can be part technical skill, part manipulation, part customer-service fraud and part old-fashioned greed. The attackers do not always need to smash through the strongest wall. Sometimes they simply persuade someone to open the side gate.

That is what made SIM swapping so dangerous. It turned the mobile phone industry into an accidental accomplice, not intentionally, but structurally. If a phone number could be moved with the wrong employee, the wrong bribe or the wrong security lapse, then the entire fortress could be compromised.

A Cautionary Tale for the Crypto Age

Ellis Pinsky’s story is not just about one teenager or one investor. It is about the architecture of trust in the digital age.

Cryptocurrency was often sold as a way to escape traditional finance, but the Terpin case showed that even decentralised wealth could still depend on very centralised weaknesses: phone companies, email accounts, password resets and human judgment.

The blockchain may be difficult to tamper with, but the people standing around it remain wonderfully, dangerously human.

That is the real lesson of the Pinsky affair. The vault was digital, the money was virtual, but the flaw was as old as crime itself: someone found a person, a process or a pressure point that could be exploited.

In the end, the case of “Baby Al Capone” became a warning from the new frontier of finance. In a world where millions can be stored behind a screen, the smallest crack in identity security can become a doorway big enough for a fortune to walk through.
