I think google should be suable. The situation is completely absurd. But obviously T Mobile is a stronger case. Your aim is go away money imo.
That said, I'm not a lawyer.
A third option if you're rich is to hire someone to find this guy. Send them whatever details you have. Or put a $10K bounty on reddit or a black hat forum for the verified name and address of the hacker. If they're super careful it might be impossible to find them, but most people are a bit sloppy and leave fingerprints/IPs/browser IDs which can be traced down with the right connections. You are also still in contact with the guy and he's happy to receive stuff from you (money), so that gives an avenue for someone creative and talented to trap and track him. Please read Brian's article above for what the proper attitude is