The Ellis Pinsky Case: How a Teenager Executed a $24 Million SIM Swap Heist

When a 15-year-old from New York decided to turn his hacking skills into profit, he didn’t just steal from an average victim. Ellis Pinsky coordinated one of the largest single-person SIM swap attacks ever recorded, compromising a crypto investor’s digital assets and exposing critical vulnerabilities in how we protect our phone numbers and wallets. This case became a cautionary tale that would reshape conversations around telecom security and cryptocurrency asset protection.

The Attack on Michael Turpin: The Largest Individual SIM Swap on Record

The target was Michael Turpin, a crypto investor who attended a conference and felt secure in his digital holdings. What Turpin didn’t know was that across the country, a group of teenage hackers had already begun their operation. They bribed telecom workers to hijack his phone number—a technique that would give them access to everything protected by SMS verification.

Ellis Pinsky directed the operation remotely. Using scripts launched over Skype, his team systematically worked through Turpin’s digital infrastructure: emails, cloud storage, any gateway that might lead to cryptocurrency wallet keys. They discovered Ethereum holdings worth approximately $900 million, but those were secured with additional protections they couldn’t breach. However, they found an alternative target with $24 million in accessible cryptocurrency. Within hours, the money was gone from Turpin’s accounts. It marked the largest individual SIM swap theft ever documented.

From NYC Hacker Forums to High-Risk Operations

Ellis Pinsky’s journey into this world started much earlier. Raised in a cramped New York City apartment, he received his first Xbox at age 13—an entry point into online communities where young tech enthusiasts gathered. He progressed from learning SQL injection techniques to trading rare Instagram handles, building reputation and clout in underground forums. But status wasn’t enough. The real appeal was accessing actual wealth.

SIM swapping offered a pathway: bribe a telecom representative, gain control of someone’s phone number, intercept text message verification codes, reset passwords, and ultimately drain cryptocurrency wallets. It was a technique that turned a teenager’s technical knowledge into immediate financial power. By age 15, Ellis Pinsky had assembled a network: 562 Bitcoin in seized assets, telecom insiders on his payroll, and access to millions in cryptocurrency accounts.

The Technology Behind SIM Swap Attacks and Why They Work

The SIM swapping method exploits a fundamental weakness in how telecommunications companies and digital platforms handle account recovery. When a phone number is transferred to a new SIM card (or a hacker’s SIM), all text-based verification codes go to the attacker instead of the legitimate owner. This single vulnerability cascades across email accounts, banking platforms, and cryptocurrency exchanges.

The attack succeeded because most security relies on SMS verification as a “second factor” protection. Once the phone number was compromised, Ellis Pinsky’s team bypassed these supposed safeguards systematically. They gained access to cloud storage containing sensitive files, email accounts with password recovery links, and ultimately the weakest links in Turpin’s digital defense.

The Unraveling: When Accomplices Become Liabilities

The operation began to crack from internal pressure. One accomplice fled with $1.5 million, disappearing from the network. Another member, apparently unaware of the risks, openly discussed hiring someone to commit violence—conversations that raised immediate red flags. But the biggest mistake came from Nicholas Truglia, one of Ellis’s partners in the crime.

Truglia couldn’t resist bragging. Online, he boasted about the theft: “Stole $24M. Still can’t keep a friend.” He made the fatal error of using his real name on Coinbase when attempting to convert stolen funds. The FBI traced this directly back to him, leading to his arrest and prison sentence. His slip demonstrated a crucial point: operational security unravels when participants seek recognition.

Ellis Pinsky’s Aftermath: Legal Consequences and Attempted Redemption

When the FBI arrived at Ellis Pinsky’s door, his status as a minor became both shield and burden. The legal system treated him differently than adult perpetrators. He avoided the most severe charges partly due to his age, but not without cost. Turpin filed a $22 million civil lawsuit against him for the stolen funds. Additionally, masked gunmen once broke into his home—a consequence of the underground world he’d entered.

Today, Ellis Pinsky is a philosophy and computer science major at NYU. He claims to be redirecting his talents toward building startups while attempting to repay his significant legal debts. Whether this represents genuine rehabilitation or another chapter in an ongoing narrative remains an open question. His case demonstrates how quickly a teenager with technical skills can access enormous sums—and how precarious such wealth becomes.

The Broader Implications: What the Ellis Pinsky Case Reveals

This incident exposed how dependent modern security remains on outdated telecommunications infrastructure. Major cryptocurrency holders learned that owning digital assets wasn’t enough; they needed to protect the phone numbers associated with account recovery. The case prompted exchanges, email providers, and financial institutions to implement stronger verification methods beyond SMS codes.

For the cryptocurrency industry, the Ellis Pinsky case became evidence that security vulnerabilities don’t always require sophisticated zero-day exploits. Sometimes the weakest link is the telecom worker willing to accept a bribe, or the simplicity of SIM swapping as an attack vector. By age 15, Ellis Pinsky had demonstrated a $24 million lesson in why multi-factor authentication strategies must evolve beyond text message verification.