
SIM Swaps and Account Takeovers: Prevention Guide

Understand how SIM swap attacks work, why SMS 2FA is vulnerable, and how to protect your crypto accounts from takeover.

📢 Important Disclaimer

This content is for educational purposes only. It is not financial, investment, legal, or tax advice. Cryptocurrency assets are volatile and high risk. You could lose your entire investment. This site makes no recommendations or endorsements, provides no price predictions, and offers no trading strategies. Always conduct your own research and consult with qualified professionals before making any financial decisions.

Who This Is For

Anyone using SMS-based two-factor authentication (2FA) for crypto exchanges or wallets needs to understand SIM swap attacks. Even security-conscious users can be vulnerable if they rely on phone numbers for account security. This guide explains how these attacks work and how to protect yourself.

⚠️ Key Risks

SIM swap reality check:

  • SIM swaps can happen to anyone—attackers have successfully targeted executives, celebrities, and security professionals
  • Once the attacker controls your phone number, they can reset passwords and bypass SMS 2FA
  • Your mobile carrier's customer service is often the weakest link
  • Recovery is difficult once funds are stolen

What Is a SIM Swap?

A SIM swap (also called SIM hijacking) is when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control.

The result: The attacker receives all calls and text messages intended for you—including 2FA codes.

Why it matters for crypto: Many exchanges and services use SMS codes for:

  • Two-factor authentication (2FA)
  • Password resets
  • Withdrawal confirmations
  • Account recovery

Once the attacker controls your phone number, they can bypass these protections.

How SIM Swap Attacks Work

Step 1: Information Gathering

The attacker collects information about you:

  • Full name
  • Phone number
  • Address
  • Date of birth
  • Last 4 digits of SSN (from data breaches)
  • Email address
  • Mother's maiden name
  • Carrier name

Sources:

  • Social media profiles
  • Data breaches (credentials sold on dark web)
  • Public records
  • Phishing attacks

Step 2: Social Engineering the Carrier

The attacker contacts your mobile carrier's customer service:

Attacker: "Hi, I'm [your name]. I lost my phone and need to activate a new SIM card."

They provide the personal information they've gathered to verify identity.

Common tactics:

  • Claims phone was lost or stolen
  • Says SIM card is damaged
  • Pretends to be at a carrier store
  • May bribe or collude with carrier employee
  • Uses urgency ("I need this for work emergency")

Step 3: Number Transfer

If successful, the carrier transfers your phone number to the attacker's SIM card.

You notice:

  • Your phone suddenly shows "No Service"
  • Calls and texts aren't coming through
  • You can't make calls

Step 4: Account Takeover

Now that the attacker receives your text messages and calls, they target your crypto accounts:

  1. Go to exchange website (Coinbase, Kraken, Binance, etc.)
  2. Click "Forgot Password"
  3. Enter your email address
  4. Receive password reset code via SMS (to their phone now)
  5. Reset your password
  6. Log into your account
  7. Bypass SMS 2FA (they receive the code)
  8. Withdraw all funds to their wallet

They also target:

  • Your email (to prevent you from getting alerts)
  • Your bank accounts
  • Other financial services

Step 5: Fund Theft

Once they control your accounts:

  • Disable notifications
  • Change passwords
  • Add their withdrawal addresses to whitelist
  • Withdraw maximum amounts
  • Transfer funds through mixing services to hide trail

Timeline: This entire process can happen in under an hour.

Real Examples

Case 1: The Investor

A crypto investor had $100K on Coinbase with SMS 2FA enabled.

What happened:

  • Attacker found investor's info from LinkedIn and data breach
  • Called carrier pretending to be the investor
  • Transferred phone number to their SIM
  • Reset Coinbase password via SMS
  • Bypassed SMS 2FA
  • Withdrew all funds

Time elapsed: 45 minutes from SIM swap to funds gone.

Case 2: The Public Figure

A Twitter crypto influencer was SIM swapped.

What happened:

  • Attacker gathered info from public Twitter profile
  • Bribed carrier employee to perform swap
  • Took over Twitter account and posted scam
  • Accessed linked email and exchange accounts
  • Stole funds and damaged reputation

Lesson: High profile = higher target risk.

Why SIM Swaps Work

Mobile Carrier Vulnerabilities

Weak verification:

  • Customer service reps vary in diligence
  • Easy-to-guess "security questions"
  • Public information used for verification
  • Remote procedures less secure than in-store

Insider threats:

  • Carrier employees bribed to perform swaps
  • Compromised accounts with access to systems
  • Insufficient employee background checks

Process issues:

  • Inconsistent security procedures
  • Override mechanisms for "legitimate emergencies"
  • Difficulty distinguishing real customers from imposters

SMS 2FA Weaknesses

SMS-based 2FA was never designed to be highly secure:

  • SMS messages unencrypted
  • Vulnerable to interception
  • Relies on phone number remaining under your control
  • Can't verify the message recipient's identity

It's better than no 2FA, but not by much for high-value accounts.

Account Takeover Beyond SIM Swaps

SIM swaps aren't the only way accounts get compromised:

Email Compromise

If an attacker gains access to your email:

  • Can reset passwords for linked accounts
  • Receives security alerts and can delete them
  • Can change account settings

How email gets compromised:

  • Phishing
  • Weak passwords
  • Password reuse across sites
  • Malware/keyloggers

Password Reuse

Many people use the same password across multiple sites:

  • One site gets breached
  • Credentials leaked and sold
  • Attackers try those credentials on other sites (credential stuffing)
  • Gain access to accounts

Malware

Malicious software on your device:

  • Keyloggers recording passwords
  • Clipboard hijackers changing wallet addresses
  • Remote access tools (RATs)
  • Fake wallet apps

Physical Access

Someone with physical access to your devices:

  • Can view saved passwords
  • Access logged-in sessions
  • Install spyware
  • Copy recovery information

⚠️ The Weakest Link

Your account security is only as strong as its weakest protection layer. If you use app-based 2FA on exchanges but SMS 2FA for your email, the attacker will target your email first.

How to Protect Against SIM Swaps

1. Remove Phone Number from Accounts

Best practice: Don't link your phone number to accounts if possible.

On exchanges:

  • Use authenticator app 2FA instead of SMS
  • Remove phone number from account settings
  • Use email for communications only

On email:

  • Use authenticator app or hardware key 2FA
  • Don't use phone number for recovery

Challenge: Some services require phone numbers. For these, use other protections below.

2. Set Up Carrier Security

Contact your mobile carrier and request:

Port protection:

  • Add PIN or password required for any changes
  • Require in-store visit for SIM changes
  • Enable port freeze (prevents number transfers)

Account security:

  • Create complex security questions (not guessable from social media)
  • Require multi-step verification for changes
  • Get alerts for any account changes

Carriers vary, but most offer some protections:

  • Verizon: Number Lock, Account PIN
  • AT&T: Extra Security, Passcode
  • T-Mobile: Account Takeover Protection, Port Validation

Call your carrier and ask what's available.

3. Use Authenticator Apps, Not SMS

Replace SMS 2FA with authenticator apps:

Recommended apps:

  • Google Authenticator
  • Authy
  • Microsoft Authenticator
  • Duo Mobile

How they work:

  • Generate time-based codes on your device
  • Don't rely on phone number or carrier
  • Work offline
  • Not vulnerable to SIM swaps

Setup:

  1. Enable 2FA in account settings
  2. Choose "Authenticator app" option
  3. Scan QR code with app
  4. Save backup codes in secure location
  5. Verify it works before disabling SMS

More details: Two-Factor Authentication Guide

4. Use Hardware Security Keys

For maximum security on important accounts:

Hardware keys (YubiKey, Titan Security Key):

  • Physical device required to log in
  • Immune to phishing and remote attacks
  • No codes to intercept
  • Attacker needs physical access to key

Best for:

  • Exchange accounts
  • Email accounts
  • Cryptocurrency wallets with key support

Drawback: You need a backup key in case you lose the primary key.

5. Create Separate Email for Crypto

Use a dedicated email address only for crypto:

  • Don't share it publicly
  • Don't use it for other services
  • Enable strongest 2FA available
  • Use unique, complex password
  • Monitor for breach attempts

Benefits:

  • Reduces attack surface
  • Phishing less likely to target it
  • Easier to monitor for suspicious activity

6. Limit Personal Information Online

Make it harder for attackers to gather info about you:

Reduce social media exposure:

  • Don't post full name + phone number
  • Limit date of birth visibility
  • Don't share address or location
  • Use privacy settings
  • Don't post about crypto holdings

Remove from data broker sites:

  • Use services like DeleteMe, PrivacyDuck
  • Opt out of people search sites manually
  • Google yourself regularly to see what's public

Don't overshare:

  • Don't mention what exchanges you use
  • Don't post about crypto success
  • Don't link wallet addresses to identity

7. Monitor for Warning Signs

Watch for signs you're being targeted:

Phone indicators:

  • Sudden loss of service
  • Unusual carrier account login attempts
  • Text messages about SIM changes you didn't make
  • Calls from "carrier" asking for info (likely scammers)

Account indicators:

  • Login attempts from unfamiliar locations
  • Password reset requests you didn't initiate
  • Changes to account settings you didn't make
  • Unusual 2FA code requests

If you notice these, act immediately (see section below).
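As an added illustration (not from this guide), here is the service-side view of those account indicators: a small correlation over constructed account-activity log lines that counts how far the Step 4 takeover chain (SMS password reset, password change, new-device login, SMS 2FA, whitelist change, withdrawal) has progressed within the guide's one-hour window. The log format, field names and event names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs), modelled on an exchange's account-activity stream.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z user=alice event=password_reset_requested channel=sms
2024-05-01T10:04:40Z user=alice event=password_changed
2024-05-01T10:05:03Z user=alice event=login new_device=true
2024-05-01T10:05:09Z user=alice event=2fa_passed method=sms
2024-05-01T10:09:30Z user=alice event=withdrawal_whitelist_add
2024-05-01T10:31:00Z user=alice event=withdrawal amount=98000
2024-05-01T12:40:00Z user=carol event=password_reset_requested channel=sms
2024-05-01T12:42:10Z user=carol event=password_changed
2024-05-02T09:10:00Z user=carol event=login new_device=true
"""

# The Step 4 takeover chain as ordered stages, each with the attribute that makes it suspicious.
CHAIN = [
    ("password_reset_requested", lambda e: e.get("channel") == "sms"),
    ("password_changed", lambda e: True),
    ("login", lambda e: e.get("new_device") == "true"),
    ("2fa_passed", lambda e: e.get("method") == "sms"),
    ("withdrawal_whitelist_add", lambda e: True),
    ("withdrawal", lambda e: True),
]
WINDOW = timedelta(hours=1)  # the guide's "under an hour" timeline

def parse(line: str) -> dict:
    ts, _, rest = line.partition(" ")  # "TIMESTAMP key=value ..." -> dict
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def takeover_stages(log: str) -> dict:
    """Per user: how many chain stages happened in order within WINDOW of the
    first SMS-channel password reset. Users with no such reset are omitted."""
    by_user = defaultdict(list)
    for ev in map(parse, log.strip().splitlines()):
        by_user[ev["user"]].append(ev)
    stages = {}
    for user, events in by_user.items():
        reached, start = 0, None
        for e in sorted(events, key=lambda e: e["ts"]):
            if reached == len(CHAIN) or (start and e["ts"] - start > WINDOW):
                break  # chain complete, or the hour has passed: stop counting
            if e["event"] == CHAIN[reached][0] and CHAIN[reached][1](e):
                start = start or e["ts"]
                reached += 1
        if start:
            stages[user] = reached
    return stages
```

On the sample data alice reaches all six stages inside half an hour, while carol's reset is followed by a new-device login only the next day and stops at two, which is the difference between a takeover in progress and an ordinary forgotten password.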

8. Use Google Voice or Alternative Number

For services that require a phone number:

Consider Google Voice:

  • Free virtual phone number
  • Linked to Google account (protect with hardware key)
  • Not vulnerable to traditional SIM swaps
  • Can be recovered through Google account

Other options:

  • Skype number
  • Burner app
  • Secondary device with separate number

Important: Secure the underlying account (Google, etc.) with strong 2FA.

What to Do If You're SIM Swapped

If your phone suddenly shows "No Service" and you suspect a SIM swap:

Act immediately:

1. Contact Your Carrier

  • Call from another phone or use online chat
  • Report unauthorized SIM change
  • Request immediate number reversal
  • Set up account PIN/password if not done already
  • File formal complaint

2. Secure Your Accounts

Priority order:

  1. Email: Change password from computer, enable 2FA, review recent activity
  2. Crypto exchanges: Change passwords, enable app-based 2FA, check for withdrawals
  3. Bank accounts: Change passwords, freeze accounts if needed, contact bank
  4. Other financial services: Change passwords, review for suspicious activity

If you can't access accounts:

  • Contact support immediately through official channels
  • Request account freeze
  • Provide any verification information you can

3. Check for Damage

  • Review all transaction history
  • Check for new withdrawal addresses
  • Look for changed account settings
  • See what information may have been accessed

4. Document Everything

  • Screenshot timeline of events
  • Save communication with carrier
  • Record transaction IDs of stolen funds
  • Note any suspicious emails or messages

5. Report the Crime

  • File police report
  • Report to FBI IC3 (ic3.gov)
  • Report to FTC (reportfraud.ftc.gov)
  • Report to exchange/service where funds stolen
  • Consider consulting attorney

Reality: Recovery is unlikely, but reporting helps track patterns and may assist investigation.

More info: What to Do If You've Been Scammed

Account Security Checklist

Implement these protections on all crypto-related accounts:

  • [ ] Remove phone number from accounts where possible
  • [ ] Replace SMS 2FA with authenticator app or hardware key
  • [ ] Enable port protection/PIN with mobile carrier
  • [ ] Create dedicated email for crypto with strong 2FA
  • [ ] Use unique, complex passwords (password manager)
  • [ ] Enable withdrawal address whitelisting on exchanges
  • [ ] Set up withdrawal delays (if available)
  • [ ] Limit personal information on social media
  • [ ] Monitor accounts regularly for suspicious activity
  • [ ] Keep recovery codes in secure offline location

Prevention vs. Recovery

Harsh truth: Prevention is the only effective defense.

Why recovery fails:

  • Crypto transactions are irreversible
  • Attackers move funds quickly through mixers
  • Cross-border jurisdictional issues
  • Limited law enforcement resources for individual cases
  • Funds often gone before you regain account control

Time matters: The window between attack and fund theft can be under an hour. By the time you realize what's happening, it's often too late.

Therefore: Invest time now in prevention rather than hoping for recovery later.

Common Mistakes

"I'm not a target"

Reality: Attackers target opportunity, not specific people. If you have funds and use SMS 2FA, you're a potential target.

"My carrier is secure"

Reality: Every major carrier has had customers SIM swapped. No carrier is immune.

"SMS 2FA is good enough"

Reality: SMS 2FA is better than nothing, but inadequate for accounts with significant funds or access.

"I'll switch to app-based 2FA eventually"

Reality: Procrastination is the attacker's best friend. Switch now while you still control your accounts.

"I'm careful about phishing"

Reality: SIM swaps don't require you to make a mistake. The attack targets the carrier, not you directly.

💡 Do It Now

Right now, before finishing this article, open your exchange app and switch from SMS to authenticator app 2FA. It takes 2 minutes and could save your funds. Do it now.

Key Takeaways

  • SIM swap attacks are real and increasingly common
  • SMS 2FA is vulnerable and should not be used for crypto accounts
  • Switch to authenticator apps or hardware keys
  • Set up carrier security protections (PIN, port freeze)
  • Remove phone numbers from accounts where possible
  • Prevention is the only effective defense—recovery is rarely successful
  • Don't wait until it's too late

The attacker only needs to succeed once. You need to be vigilant always.
