The Michael Turpin Crypto Heist: How a 15-Year-Old and SIM Swap Scam Netted $24 Million

When crypto investor Michael Turpin left a tech conference in 2020, he had no idea that his digital life was about to be methodically dismantled by a group of teenagers on the other side of the country. What unfolded over the following hours would become one of the most audacious crypto thefts in history—a $24 million heist orchestrated largely by a 15-year-old named Ellis Pinsky. The incident would expose critical vulnerabilities in telecommunications security and demonstrate how blockchain wealth could be targeted and drained through surprisingly simple social engineering tactics.

The Perfect Storm: How Ellis Pinsky Targeted a Cryptocurrency Investor

The attack began with Michael Turpin’s phone. Ellis Pinsky and his associates had done their homework. They bribed workers at a major telecom company to transfer Turpin’s phone number to a SIM card under their control—a technique known as SIM swapping. This simple act gave them access to something far more valuable than a phone line: it gave them the keys to Turpin’s digital identity.

Once they controlled the number, Ellis deployed a series of scripts from a Skype call that systematically scraped Turpin’s online accounts. Emails, cloud storage files, password recovery options—everything became accessible to the attackers. They were hunting for cryptocurrency wallet credentials, looking for the private keys that would unlock digital fortunes. The scale of what they found was staggering: $900 million in Ethereum scattered across multiple wallets. But there was a problem. Most of it was locked behind security measures they couldn’t bypass.

So they dug deeper. They searched for Bitcoin holdings, additional Ethereum accounts, any accessible crypto assets. Hours passed as the teenagers systematically compromised account after account, moving through Michael Turpin’s digital infrastructure like experienced penetration testers. Then they found it: a $24 million wallet that wasn’t locked. It was accessible, and within moments, it was gone.

Inside the SIM Swap Scheme: The Technical Exploitation

The SIM swap attack that victimized Michael Turpin represents one of the most effective—yet preventable—methods of compromising high-net-worth crypto holders. Here’s how the scheme works:

Step 1: Social Engineering - Attackers convince telecom company employees to transfer a target’s phone number to a new SIM card. This typically involves pretexting (lying about who they are) or in Ellis’s case, offering financial incentives to insiders.

Step 2: Authentication Hijacking - Once they control the phone number, they receive all two-factor authentication (2FA) codes via SMS. Most crypto exchanges and email providers send recovery codes this way.

Step 3: Account Takeover - With 2FA codes, attackers can reset passwords, access email accounts, and eventually reach cryptocurrency exchanges where funds are stored.

Step 4: Withdrawal - The final step is draining wallets before security systems detect the intrusion.

In Turpin’s case, Ellis moved with precision. The teenager had taught himself hacking through forums, learning SQL injection techniques and other exploits. He’d already run small operations—selling rare Instagram accounts for modest profits. But this was different. This was crypto, and the stakes were incomparably higher. At the time, BTC was trading around $68,328, and ETH hovered near $1,982. The sheer dollar value of stealing digital assets dwarfed anything Ellis had attempted before.

The Teenager Turned Millionaire: How Ellis Spent the $24 Million

Ellis Pinsky was suddenly wealthy beyond measure. But he was still 15, still living in a tight New York City apartment, still thinking like a teenager. The money went in predictable directions: luxury goods, nightlife, and attempts to maintain his new status among associates who hadn’t been with him on the heist.

He purchased a $100,000 Rolex watch and hid it under his bed like a secret. He spent lavishly at high-end nightclubs. He threw money around as if the supply were endless. But maintaining a group of conspirators proved difficult. One teammate absconded with $1.5 million in stolen crypto. Another faced personal problems and jokingly mentioned hiring someone to commit violence. The group was fracturing under pressure and suspicion.

Ellis had built his reputation through persistence: an Xbox at age 13, entry into hacker forums, learning to code, successfully selling illicit accounts online. But none of that had prepared him for managing a criminal organization, even an informal one.

The Unraveling: How Truglia’s Carelessness Led to the FBI

The operation might have remained undiscovered longer if not for Ellis’s co-conspirator, Truglia. The pressure of having stolen millions, the paranoia, the interpersonal conflicts—it all became too much. Truglia began posting on social media about the theft, essentially bragging about the crime in posts like “Stole $24M. Still can’t keep a friend.”

This carelessness proved catastrophic. Truglia had made a rookie mistake: he used his real name on Coinbase when attempting to move or access some of the stolen crypto. The digital trail led straight to him, and from there, it led to the rest of the operation. The FBI’s investigation moved quickly. Law enforcement had a specific target, a trail of transactions, and digital evidence tying Truglia directly to the crime.

Truglia was arrested and ultimately served prison time. But Ellis presented a legal complication: he was underage. While Michael Turpin had been defrauded of $24 million, the fact that the perpetrator was a minor complicated criminal prosecution. Ellis was not formally charged. Instead, he was required to return most of the stolen funds—though not all.

Turpin pursued civil remedies, filing a lawsuit against Ellis for approximately $22 million in damages. But before that lawsuit could fully play out, something far more sinister occurred: masked gunmen broke into Michael Turpin’s home. Whether this was related to the heist or a separate matter remained unclear, but it demonstrated the danger that came with being the victim of such a high-profile theft.

From Cybercriminal to Philosophy Student: Ellis Pinsky Today

Today, Ellis Pinsky attends NYU, pursuing degrees in both philosophy and computer science. He has publicly stated his intention to work in legitimate startups and to eventually repay his debt to Turpin and society more broadly. Whether his transformation is genuine or performative, only time will tell.

What remains certain is the damage: Michael Turpin lost $24 million to a SIM swap attack orchestrated by a minor. The incident exposed how vulnerable even relatively sophisticated crypto investors can be to social engineering attacks. By age 15, Ellis had accumulated assets that most adults never achieve, compromised the security of a crypto investor, and launched a crime that would define his early life.

The case stands as a cautionary tale for the crypto community: no amount of sophisticated security protocols can overcome a compromised phone number and access to SMS-based 2FA codes. As digital assets continue to grow in value, so too will the sophistication and desperation of those seeking to steal them—sometimes with accomplices hardly old enough to drive.