
SIM swapping: The real-world attack vector for your crypto accounts

Overview

While much of crypto security focuses on the digital realm of malware and phishing, one of the most devastating and increasingly common attack vectors begins in the physical world: the SIM swap attack. This is a sophisticated form of identity theft where a scammer tricks a mobile phone carrier into transferring a victim’s phone number to a SIM card in the scammer’s possession.

Once they have control of the phone number, they can intercept all of the victim’s calls and text messages, including the two-factor authentication (2FA) codes that are meant to protect their most sensitive online accounts. For a cryptocurrency holder, a successful SIM swap can be catastrophic, giving an attacker the final key needed to unlock and drain their exchange accounts.

How the attack unfolds

The SIM swap attack is a multi-stage process that combines social engineering with technical exploitation.

Information Gathering: The attack begins with reconnaissance. The scammer will gather personal information about the target from a variety of sources, including social media profiles (which might reveal their phone number, hometown, or pet’s name) and data breaches from other websites (which might expose old passwords or answers to security questions).

Social Engineering the Carrier: Armed with this personal information, the scammer contacts the victim’s mobile provider. They will impersonate the victim, claiming that their phone has been lost or damaged and that they need to activate a new SIM card. They use the information they’ve gathered to answer the security questions posed by the customer service representative. In some cases, scammers even have insiders working at the mobile carriers who assist them.

 

Taking Control and Draining Accounts: Once the carrier representative is convinced, they port the victim’s phone number to the scammer’s SIM card. The victim’s own phone will suddenly lose service. At this point, the scammer has control of the phone number. They can then go to a cryptocurrency exchange where the victim has an account and initiate a password reset.

The password reset link is sent to the victim’s email (which the scammer may have already compromised or can access via a password reset sent to the phone), and the crucial 2FA code is sent via SMS directly to the scammer’s device. Within minutes, the scammer can log in, change the password, and transfer all of the crypto out of the account to an untraceable wallet.

Mitigation strategies and enhanced security

Protecting against SIM swaps requires a proactive, multi-layered security posture.

Move Away from SMS-Based 2FA: The single most important step is to stop using SMS for two-factor authentication on any sensitive account. Instead, use an authenticator app like Google Authenticator or Authy, which generates time-based codes directly on the device and is not vulnerable to SIM swapping. For the highest level of security, use a physical security key like a YubiKey.

 

Secure Your Mobile Carrier Account: Contact the mobile provider and add a PIN or password to the account. This adds an extra layer of verification that a scammer is unlikely to have. Some carriers also offer a “port freeze” option that prevents the phone number from being transferred without additional authorization.

 

Limit Publicly Shared Information: Be mindful of the personal information shared on social media. Details like a mother’s maiden name, a first pet’s name, or a high school mascot are often used as answers to security questions.

 

Understand the Broker’s Role: While the primary defense is personal, the security features offered by a brokerage are also crucial. A platform that encourages or mandates the use of app-based 2FA over SMS is demonstrating a commitment to client security. High-quality account types may also offer additional security features like “whitelisting” withdrawal addresses, which prevents funds from being sent to a new, unauthorized address.

SIM Swap Protection: Step-by-Step

Step 1 — Carrier Lock

Contact your mobile carrier directly — by phone or in a physical store — and request the following protections:

  • Account PIN or passcode: add a unique PIN that must be provided for any account changes including SIM swaps. Do not use a PIN derived from your date of birth or phone number.
  • Port freeze or SIM lock: many carriers offer a “port freeze” or “number lock” feature that prevents your number from being transferred to a new carrier or SIM without additional in-person or multi-step verification. Ask specifically for this — it is not always offered proactively.
  • In-store only changes: some carriers allow you to restrict account changes so they can only be made in person with a government-issued ID — not over the phone.
  • Remove security questions where possible: if your carrier uses memorable answers as a security layer, use random strings rather than real answers. Store these in a password manager.

Step 2 — Replace SMS 2FA

SMS-based two-factor authentication is directly vulnerable to SIM swapping. Replace it on all sensitive accounts before a SIM swap occurs — not after.

  • Authenticator app: Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes on the device itself and are not affected by SIM swaps. Set these up on every exchange, email account, and password manager that supports them.
  • Hardware security key: a physical key (YubiKey or similar) provides the highest level of 2FA protection. Even if a scammer has your password and your phone number, they cannot log in without the physical device.
  • Priority order for replacement: start with accounts that hold the most value or provide access to other accounts — email accounts first (email resets control everything else), then crypto exchanges, then password managers.
  • Check every account: go through each service you use and confirm whether SMS 2FA is active. Many services default to SMS even after an authenticator app is added unless SMS is explicitly disabled.

Step 3 — Recovery Evidence

If a SIM swap has already occurred, the following evidence is critical for reports to your carrier, exchanges, and law enforcement. Preserve everything before attempting any account recovery steps.

  • Time your phone lost service: note the exact time your phone displayed “No Service” or “SOS Only” — this is the timestamp of the SIM swap
  • Carrier account records: request a full account activity log from your carrier showing all recent SIM change or port requests — get this in writing
  • Exchange access logs: request login history from any exchange or service that was accessed during the period of the SIM swap — most exchanges provide this in account security settings
  • Transaction hashes: any blockchain transactions executed by the attacker — find these on the relevant block explorer using your wallet address
  • Wallet addresses used by attacker: the destination addresses funds were sent to
  • Screenshots of unauthorized account activity: email notifications, password reset confirmations, withdrawal confirmations received during the attack window
  • Any communications from the attacker: if you received any messages from the attacker or their infrastructure, preserve them
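Added example, not part of the original article: one way to line up the time the phone lost service with an exchange's access log so the report contains a single UTC timeline of the attack window. The log format, field names, and the 30-minute lead before service loss are assumptions for this illustration, and the log lines are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: exchange security-log export in UTC (format is an assumption).
EXCHANGE_LOG = """\
2024-03-02T17:55:10Z login_ok ip=198.51.100.7 device=known
2024-03-02T21:14:52Z password_reset_requested ip=203.0.113.44 device=new
2024-03-02T21:16:03Z sms_2fa_sent ip=203.0.113.44 device=new
2024-03-02T21:16:40Z login_ok ip=203.0.113.44 device=new
2024-03-02T21:19:27Z withdrawal_created ip=203.0.113.44 device=new
2024-03-03T09:02:11Z login_ok ip=198.51.100.7 device=known
"""


def to_utc(local_stamp: str, utc_offset_hours: float) -> datetime:
    """Convert the time noted from the phone (local wall clock) to UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def parse(log_text: str):
    """Yield (utc_time, event, fields) per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        yield ts.replace(tzinfo=timezone.utc), parts[1], fields


def attack_window(log_text, lost_utc, restored_utc, lead=timedelta(minutes=30)):
    """Events from `lead` before service loss until service was restored."""
    start = lost_utc - lead  # assumed margin for activity just before the swap
    return [(ts, ev, f) for ts, ev, f in parse(log_text) if start <= ts <= restored_utc]


def timeline(log_text, lost_utc, restored_utc):
    """Human-readable rows, oldest first, for pasting into a fraud report."""
    rows = sorted(attack_window(log_text, lost_utc, restored_utc), key=lambda r: r[0])
    return [f"{ts:%Y-%m-%d %H:%M:%S} UTC  {ev:<26} {f.get('ip', '?')}  {f.get('device', '?')}"
            for ts, ev, f in rows]
```

Converting the phone's local time to UTC before filtering matters: treating a local 16:10 as UTC would pull the victim's own earlier login into the window and shift the boundaries by the full offset.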

Report a SIM swap attack to your carrier’s fraud team, your national telecoms regulator, and law enforcement. In the US: FBI IC3 at ic3.gov and FCC at fcc.gov/consumers/guides/spoofing-and-caller-id. In the UK: Action Fraud at actionfraud.police.uk. If funds were lost from a crypto exchange, contact the exchange’s security team with your transaction hashes and the attacker’s wallet addresses.

If you have encountered a platform, service, or actor connected to a SIM swap attack on a crypto account, submit a report at scammerwatch.com/report-a-scam.
