SIM Swap

A SIM swap attack happens when a hacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Once your number is on their device, they intercept every SMS sent to you, including the two-factor authentication codes protecting your crypto exchange accounts, email, and password reset flows.

How SIM Swap Attacks Work

Your phone number is tied to your identity in more ways than most people realize. Banks, email providers, and crypto exchanges use SMS verification as a security layer. It feels secure, but the weakest link is not your device. It is your carrier's customer service team.

A SIM swapper calls your carrier pretending to be you. They provide the last four digits of your Social Security number, your address, or answers to security questions, all of which are often available from past data breaches or social media profiles. If the representative is convinced, they transfer your number to the attacker's SIM card. Your phone loses signal. The attacker starts receiving your texts.

From there, the attacker requests password resets on your exchange accounts. The reset codes arrive on their phone. They change your password, disable your 2FA, and drain your wallets. The entire process can complete in under an hour.

High-Profile Cases

SIM swap attacks have produced some of the largest crypto thefts on record. In 2019, Michael Terpin won a $75.8 million judgment against Nicholas Truglia after Truglia SIM swapped Terpin's phone and stole $24 million in crypto. The U.S. Department of Justice arrested a 22-year-old named Ahmed Hossam Eldin Elbadawy in 2023 for a SIM swap scheme that stole approximately $400 million from FTX during its bankruptcy proceedings.

How to Protect Your Crypto From SIM Swaps

The most important step is removing your phone number as a recovery or authentication method for any account holding significant value. Here is how.

• Switch to an authenticator app. Google Authenticator, Authy, and hardware keys like YubiKey generate time-based codes on your device. They do not depend on your phone number. An attacker who SIM swaps you cannot intercept these codes.
• Use a hardware security key. A YubiKey or similar FIDO2 device requires physical possession to authenticate. Even if your password and phone number are compromised, the attacker cannot log in without the physical key.
• Add a carrier PIN. Call your mobile carrier and request a SIM lock or customer service PIN. This adds a required verbal passcode before any account changes can happen. Most major carriers support this feature.
• Use a Google Voice or VOIP number for account recovery. Link a number that has no physical SIM card to your accounts. An attacker cannot SIM swap a number that lives in a software system rather than a carrier's SIM network.
• Remove SMS from your exchange accounts entirely. Log into every exchange and disable SMS 2FA. Replace it with an authenticator app before removing SMS.

What to Do If You Are SIM Swapped

Call your carrier immediately and report the unauthorized SIM transfer. They can restore your number to your physical SIM in most cases. Then check every account linked to that number for unauthorized access. Change passwords from a device that was not connected to the compromised account sessions. Enable authenticator-based 2FA everywhere before reactivating your number on any account.

Sources

https://www.fbi.gov/contact-us/field-offices/ic3/media/annual-report
https://www.ftc.gov/news-events/topics/identity-theft/phone-based-identity-theft
https://www.justice.gov/opa/pr/man-convicted-multi-million-dollar-sim-hijacking-scheme