John Binns was originally identified as the possible culprit by Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock.
On Twitter earlier this month, Gal shared a message he received from Binns. "The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019," the hacker allegedly told Gal.
"We did it to harm US infrastructure," Binns allegedly told Gal at the time.
Binns has now spoken out publicly in an interview with the Wall Street Journal, telling the newspaper he was in fact behind the attack and conducted it from his home in Izmir, Turkey, where he lives with his mother. His father, who died when he was two, was American, and his mother is Turkish. They moved back to Turkey when Binns was 18.
Through Telegram, Binns provided evidence to the Wall Street Journal proving he was behind the T-Mobile attack and told reporters that he originally gained access to T-Mobile's network through an unprotected router in July.
According to the Wall Street Journal, he had been searching for gaps in T-Mobile's defenses through its internet addresses and gained access to a data center near East Wenatchee, Washington, where he could explore more than 100 of the company's servers. From there, it took about one week to gain access to the servers that contained the personal data of millions. By August 4, he had stolen millions of files.
"I was panicking because I had access to something big. Their security is awful," Binns told the Wall Street Journal. "Generating noise was one goal."
He would not confirm if the data he stole has already been sold or if someone else paid him to hack into T-Mobile. While Binns did not explicitly say he worked with others on the attack, he did admit that he needed help in acquiring login credentials for databases inside T-Mobile's systems.
The Wall Street Journal story also noted that T-Mobile was initially notified of the breach by a cybersecurity company called Unit221B LLC, which said T-Mobile's customer data was being marketed on the dark web.
Binns repeated his assertion that the attack was done because he was angry about how he was treated by US law enforcement agencies in recent years.
Binns filed a lawsuit against the FBI, CIA and Justice Department in November, in which he said he was being investigated for various cybercrimes, including participation in the Satori botnet conspiracy. In the lawsuit, he said he had been tortured and spied on for being an alleged member of the Islamic State militant group. He denied being a member of the group in his lawsuit.
He repeated his claims that he had been abducted in both Germany and Turkey and unfairly placed in a mental institution against his will by US law enforcement agencies.
"I have no reason to make up a fake kidnapping story, and I'm hoping that someone within the FBI leaks information about that," he explained in his messages to the Wall Street Journal.
T-Mobile did not respond to requests for comment but released a statement last week confirming that the names, dates of birth, SSNs, driver's licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach.
Another 40 million former or prospective customers had their names, dates of birth, SSNs and driver's licenses leaked. More than 5 million "current postpaid customer accounts" also had information like names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed.
T-Mobile said another 667,000 accounts of former T-Mobile customers had their information stolen alongside a group of 850,000 active T-Mobile prepaid customers whose names, phone numbers and account PINs were exposed. The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile.
The telecom giant, which is the second largest in the US behind Verizon, is offering victims two years of free identity protection services with McAfee's ID Theft Protection Service.