
SIM Swap Attack

A social engineering attack where an attacker convinces a carrier to transfer a victim's phone number, intercepting 2FA codes.

Key Takeaways

  • A SIM swap attack tricks a mobile carrier into transferring a victim's phone number to an attacker-controlled SIM card, enabling interception of SMS-based two-factor authentication codes used to protect exchange accounts and email.
  • Cryptocurrency holders are prime targets: once an attacker controls the phone number, they can reset passwords and bypass SMS 2FA on custodial exchanges, draining funds within minutes. Using self-custody with a signing device eliminates this attack vector entirely.
  • Effective mitigations include hardware security keys (FIDO2), authenticator apps, carrier account PINs, and proper key management practices that remove phone numbers from the authentication chain.

What Is a SIM Swap Attack?

A SIM swap attack (also called SIM hijacking or SIM splitting) is a form of social engineering fraud where an attacker convinces a mobile carrier to transfer the victim's phone number from their legitimate SIM card to one controlled by the attacker. Once the transfer completes, the attacker receives all calls and text messages sent to that number, including one-time passwords and account verification codes.

The attack exploits a fundamental weakness in SMS-based authentication: phone numbers were never designed to be identity verification tokens, yet millions of accounts rely on them as a second factor. A 2020 Princeton University study tested five major US prepaid carriers and found that roughly 80% of SIM swap attempts succeeded on the first try, largely because carriers relied on weak authentication challenges that used easily obtainable personal information.

The FBI's Internet Crime Complaint Center (IC3) recorded over 2,000 SIM swap complaints in 2022 with losses exceeding $72 million. Cryptocurrency holders represent a disproportionate share of victims because of the irreversible nature of crypto transactions and the high value of exchange accounts protected only by SMS 2FA.

How It Works

A SIM swap attack unfolds in four stages, each building on the previous one:

Stage 1: Reconnaissance

The attacker gathers personal information about the target: full name, date of birth, address, phone number, and often the last four digits of their Social Security number. This data comes from phishing emails, social media scraping, data breaches sold on darknet markets, or public records. The attacker needs just enough information to pass the carrier's identity verification questions.

Stage 2: Social Engineering the Carrier

Armed with the victim's personal data, the attacker contacts the mobile carrier by phone, online chat, or in person at a retail store. They impersonate the victim and claim they have lost their phone, need a SIM replacement, or are upgrading to a new device. The carrier agent, following standard support procedures, asks verification questions that the attacker can answer using stolen data.

In more sophisticated attacks, the attacker bribes or coerces carrier employees directly. Several high-profile cases have involved employees at authorized retail locations who performed SIM swaps for payment, bypassing all security protocols.

Stage 3: Number Transfer

Once the carrier agent is satisfied with the verification, they port the victim's phone number to the attacker's SIM card or issue an eSIM QR code. The victim's phone immediately loses cellular service. This is often the first sign something is wrong, but victims frequently assume it is a temporary network issue, giving the attacker a critical window of time.

Stage 4: Account Takeover

With control of the phone number, the attacker triggers password resets on email accounts, cryptocurrency exchanges, banking apps, and social media platforms. SMS verification codes arrive on the attacker's device. Within minutes, the attacker can change passwords, disable other security settings, and drain funds.

Attack timeline (typical):

[00:00] Attacker calls carrier, requests SIM swap
[00:15] Carrier agent verifies identity, processes transfer
[00:16] Victim's phone loses service
[00:17] Attacker receives SMS codes on new SIM
[00:18] Attacker resets email password via SMS code
[00:20] Attacker resets exchange password via email
[00:22] Attacker disables remaining 2FA on exchange
[00:25] Attacker initiates withdrawal to external wallet
[00:30] Funds are gone — transactions are irreversible
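Seen from the custodial service's side, the last steps of this timeline form a detectable sequence: a password reset, 2FA removal and a withdrawal to a never-seen address within minutes. The following is an added example, not code from the original page; the log format, field names, severity labels and 30-minute window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); the key=value format and
# field names are assumptions made for this example.
SAMPLE_LOG = """\
2025-01-10T09:00:00Z acct=bob event=password_reset channel=email
2025-01-10T14:20:00Z acct=alice event=password_reset channel=email
2025-01-10T14:22:00Z acct=alice event=mfa_disabled
2025-01-10T14:25:00Z acct=alice event=withdrawal dest_seen_before=false
2025-01-11T08:00:00Z acct=carol event=password_reset channel=sms
2025-01-11T08:04:00Z acct=carol event=withdrawal dest_seen_before=false
2025-01-12T16:45:00Z acct=bob event=withdrawal dest_seen_before=true
2025-01-12T17:00:00Z acct=dave event=withdrawal dest_seen_before=false
"""

WINDOW = timedelta(minutes=30)  # assumed correlation window

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_takeover(log_text, window=WINDOW):
    """Map account -> severity for reset-then-withdrawal chains inside window."""
    alerts, chains = {}, {}
    records = sorted(map(parse_line, log_text.strip().splitlines()),
                     key=lambda r: r["ts"])
    for rec in records:
        acct, event = rec["acct"], rec["event"]
        if event == "password_reset":
            chains[acct] = {"start": rec["ts"], "mfa_disabled": False}
            continue
        chain = chains.get(acct)
        if chain is None:
            continue  # no recent reset: ordinary activity
        if rec["ts"] - chain["start"] > window:
            del chains[acct]  # reset is too old to correlate
            continue
        if event == "mfa_disabled":
            chain["mfa_disabled"] = True
        elif event == "withdrawal" and rec.get("dest_seen_before") == "false":
            # 2FA removal in the same chain raises the severity
            alerts[acct] = "critical" if chain["mfa_disabled"] else "high"
    return alerts
```

Calling `detect_takeover(SAMPLE_LOG)` flags alice and carol; a service would typically pair such an alert with a withdrawal hold rather than a notification alone.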

Real-World Impact

SIM swap attacks have caused some of the largest individual cryptocurrency thefts on record. These cases illustrate both the scale of the threat and the evolving legal landscape around carrier liability.

High-Profile Cases

| Case | Year | Loss | Outcome |
|---|---|---|---|
| Michael Terpin vs. AT&T | 2018 | $24 million in crypto | Lawsuit filed for $224M; Ninth Circuit revived FCA claim against AT&T; case heading toward trial as of 2025 |
| Joseph Jones vs. T-Mobile | 2020 | 1,500+ BTC (~$38M at the time) | $33 million arbitration award against T-Mobile in March 2025, establishing carrier liability precedent |
| SEC X (Twitter) Account | 2024 | Market manipulation (BTC price spike) | Attacker Eric Council Jr. sentenced to 14 months in prison in May 2025 |

In the Jones case, attackers bypassed an eight-digit PIN and a "NOPORT" security flag on the account by convincing a T-Mobile call center agent to issue an eSIM QR code instead. The $33 million arbitration award in 2025 marked a landmark ruling for carrier liability in SIM swap fraud.

The SEC X account hack in January 2024 demonstrated that SIM swaps affect institutions too: a fake post announcing Bitcoin ETF approval caused Bitcoin to spike over $1,000 before crashing more than $2,000 when corrected. The attacker used a portable ID printer to create a physical fake ID at an AT&T store.

Scale of the Problem

FBI IC3 data shows SIM swap fraud has been a persistent and costly threat:

| Year | Complaints | Reported Losses |
|---|---|---|
| 2021 | 1,611 | $68 million |
| 2022 | 2,026 | $72.6 million |
| 2023 | 1,075 | $48.8 million |
| 2024 | 982 | $26 million |

These numbers likely undercount the true scale: SIM swapping often functions as an access method rather than the final crime, so victims tend to report the downstream fraud (identity theft, investment loss) rather than the phone number takeover itself.

Mitigations

Defending against SIM swap attacks requires layering multiple protections across authentication, carrier security, and asset custody.

Replace SMS 2FA with Phishing-Resistant Methods

The single most effective step is removing SMS from the authentication chain entirely. NIST published SP 800-63B-4 in July 2025, formally classifying SMS one-time passcodes as a "restricted authenticator" due to SIM swap and interception risks.

  • Hardware security keys (FIDO2/U2F): devices like YubiKey or Google Titan store cryptographic private keys on a dedicated chip. Authentication requires physical possession of the key plus a PIN or biometric. Private keys never leave the device, making them completely immune to remote interception. Register at least two keys: one for daily use and one as a backup stored securely.
  • Authenticator apps (TOTP): apps like Google Authenticator or Authy generate time-based one-time passwords locally on the device. Codes are not transmitted via SMS, so SIM swaps cannot intercept them. While less secure than hardware keys (vulnerable to device malware), they are a significant upgrade over SMS.

Carrier Account Security

In November 2023, the FCC adopted new rules (Report and Order 23-95) requiring carriers to strengthen SIM swap protections:

  • Carriers must verify customer identity through secure methods before processing SIM changes or port-outs, and cannot rely solely on easily obtainable information like SSNs or birthdates
  • Carriers must immediately notify customers via backup channels (alternate email, secondary phone) before completing any SIM change
  • All carriers must offer free account-locking mechanisms to block unauthorized SIM changes and port-outs

Regardless of regulation, users should proactively set a unique account PIN with their carrier, enable number lock or port-freeze features, and request that SIM changes require in-store verification with government-issued ID.

Operational Security Practices

  • Use a dedicated email address for financial accounts that is not linked to your phone number
  • Minimize personal information shared on social media (birthday, address, phone number)
  • Use a password manager with unique passwords per account
  • Enable login alerts and account activity notifications on all financial platforms
  • Monitor your phone for unexpected loss of service, which is the primary indicator of an in-progress SIM swap

Why Self-Custody Eliminates This Risk

SIM swap attacks target a specific architecture: custodial accounts protected by SMS-based authentication. The attack chain requires a custodian (an exchange, bank, or service provider) that uses phone numbers for identity verification. Self-custody removes both of these dependencies.

When you hold your own keys using a hardware signing device, transaction authorization requires physical possession of the device and knowledge of its PIN. There is no carrier in the loop, no SMS code to intercept, and no account password to reset. Even if an attacker successfully SIM-swaps your phone number and accesses your email, they cannot move funds from a cold storage wallet without the physical device.

This is a core argument for self-custodial wallet architectures: they eliminate entire categories of remote attacks by removing the need for intermediary authentication. Proper key management practices, including storing seed phrases on metal backup plates in secure physical locations and never digitally, ensure that the only attack vector left is physical theft.

For users who need custodial exchange access (for trading or fiat on/off-ramps), the best practice is to keep only working balances on exchanges protected by hardware security keys, and sweep the rest into self-custody. Solutions like Spark enable flexible custody models that combine the convenience of instant transfers with the security of self-custodial key control.

Risks and Considerations

Evolving Attack Methods

As carriers tighten security procedures, attackers adapt. Methods now include eSIM hijacking (requesting remote eSIM provisioning instead of physical SIM swaps), insider corruption (bribing carrier employees), and creating fraudulent physical IDs to bypass in-store verification. The April 2025 Marks & Spencer breach demonstrated how the cybercriminal group Scattered Spider used SIM swapping of employee phone numbers as an entry point for a full ransomware attack on enterprise infrastructure.

Global Inconsistency

Regulatory protections vary dramatically by jurisdiction. While the FCC has mandated stronger SIM swap protections for US carriers, many countries lack equivalent regulations. The UK saw a 1,055% year-over-year surge in unauthorized SIM swap cases in 2024, and Australia reported a 240% increase in SIM swap fraud assistance requests. Users traveling internationally or using carriers in less-regulated markets face elevated risk.

Recovery Challenges

Unlike traditional bank fraud where transactions can be reversed, cryptocurrency stolen via SIM swap is typically unrecoverable. Bitcoin and other cryptocurrency transactions are final once confirmed. Chain analysis firms can sometimes trace stolen funds, but recovery depends on law enforcement cooperation and the attacker's operational security. The legal landscape is evolving: the $33 million arbitration award against T-Mobile in 2025 suggests carriers may face increasing liability, but this does not guarantee victim recovery.

False Sense of Security

Carrier-level protections like account PINs and port-out locks are helpful but not foolproof. The Jones vs. T-Mobile case proved that even an eight-digit PIN and a NOPORT security flag could be bypassed by a single call center agent. No amount of carrier-side security matches the protection of removing SMS from the authentication chain entirely and adopting multisig or hardware-key-based authentication.
