
SIM Swap Attacks on Crypto

Pomegra Learn


SIM swap attacks represent a critical vulnerability for cryptocurrency users who rely on two-factor authentication (2FA) through text messages. By convincing mobile carriers to transfer a victim's phone number to a new SIM card in the attacker's possession, scammers can intercept authentication codes and gain access to cryptocurrency exchange accounts. The attack is particularly insidious because it exploits trust in established telecommunications infrastructure and because victims often do not realize their phone number has been compromised until substantial funds are missing.

Understanding SIM Swap Technology

A SIM (Subscriber Identity Module) card is a small chip that identifies a phone to a mobile carrier's network. When you switch phones, your carrier transfers your phone number to a new SIM by updating its database. The process is designed to be straightforward so customers can upgrade phones without significant friction.

However, the streamlined process creates a vulnerability. Attackers can contact a mobile carrier's customer service or visit a physical retail location and impersonate the phone number's owner. By supplying the owner's personal information and using social engineering techniques, they convince the carrier representative to transfer the number to a new SIM card they control.

Once the attacker has the victim's phone number active on their SIM card, they receive all SMS messages intended for the victim, including two-factor authentication codes sent by cryptocurrency exchanges and other services. This gives them temporary access to the victim's accounts, which is sufficient to drain cryptocurrency holdings.

How SIM Swap Attacks Unfold

The typical SIM swap attack follows a deliberate sequence. First, the attacker conducts reconnaissance on the target. They gather personal information about the victim through social media, data breaches, or other sources. This information includes the victim's full name, phone number, address, date of birth, and sometimes the last four digits of their social security number.

Next, the attacker contacts the cryptocurrency exchange or service where the victim holds funds. They attempt to log in to the victim's account. If the account has email-based 2FA, the attacker might attempt account recovery through the email address, which often involves security questions or account verification. If the account uses SMS-based 2FA, they proceed to the next step.

The attacker then initiates a SIM swap. They contact the victim's mobile carrier, either by phone or by visiting a retail location. They claim to be the phone number's owner, providing personal details gathered during reconnaissance. They request a SIM swap, claiming they have a new phone or that they have lost their phone. The carrier representative, if the attacker is convincing and has provided sufficient information, processes the swap.

Once the SIM swap is complete, the victim's phone number is no longer active on their original SIM card. All incoming calls and SMS messages to that number are now received by the attacker's phone. If the victim tries to use their phone immediately after the swap, they will discover no cellular service and possibly no ability to receive calls or texts.

The attacker now uses the stolen time window to access the victim's cryptocurrency accounts. They initiate a login to the exchange, triggering a 2FA code to be sent via SMS. They receive the code on their phone and enter it, gaining access to the account. They then execute a withdrawal of all cryptocurrency to a wallet or exchange account under their control.

The Role of SMS-Based Two-Factor Authentication

SMS-based 2FA is part of the problem, though it is still more secure than no 2FA. The security community has long warned that SMS-based 2FA is vulnerable, and SIM swap attacks demonstrate why. NIST (the National Institute of Standards and Technology) recommends against SMS-based 2FA for high-value accounts, instead recommending app-based authenticators or hardware security keys.

Despite these recommendations, many cryptocurrency exchanges still use SMS-based 2FA as their default option. Some users choose SMS 2FA because it is simpler than app-based authenticators—they do not need to install and manage an additional application. However, this convenience comes at the cost of vulnerability to SIM swap attacks.

App-based authenticators like Google Authenticator, Authy, or Microsoft Authenticator are more secure because they generate codes locally on a device that the attacker cannot access without having the phone itself. However, even app-based 2FA can be bypassed if the victim has set up account recovery methods that the attacker can access.

Attacker Motivation and Target Selection

SIM swap attacks are typically perpetrated by organized crime groups rather than individual amateur hackers. The attacks are labor-intensive and require social engineering skills, access to personal information, and coordination between different actors. Groups that conduct SIM swaps often focus on cryptocurrency specifically because cryptocurrency represents one of the few theft targets that can be instantly liquidated and transferred internationally without traditional financial controls.

Victims are selected based on several factors. First, the target must be known or suspected to have significant cryptocurrency holdings. This information might come from social media, leaked data from exchange hacks, or analysis of blockchain transactions. Some victims are specifically targeted because they have made their interest in cryptocurrency publicly known through Twitter accounts, YouTube channels, or public profiles.

Second, it must be relatively easy for the attacker to impersonate the owner of the target's phone number. This means victims with uncommon names are sometimes at higher risk than those with common names, because customer service representatives are less likely to be suspicious when someone claims to be "John Smith" but more likely to investigate claims from people with distinctive names.

Third, the target must use a cryptocurrency exchange that will allow rapid withdrawals. Some exchanges limit daily withdrawal amounts, which would slow down an attacker. Exchanges that allow large, immediate withdrawals are more attractive targets.

Red Flags and Warning Signs

The most obvious warning sign of a SIM swap is sudden loss of cellular service on your phone. If you attempt to make a call or send a text and receive an error, or if you have no bars or signal where you normally have service, you might be the victim of a SIM swap. This is particularly concerning if you did not request a SIM swap or a new phone.

Check your phone periodically for what are called "indicator lights" that might suggest unusual activity. If your phone restarts unexpectedly or you discover you have been logged out of accounts, this could indicate that a SIM swap has occurred.

More subtle warning signs include emails from your cryptocurrency exchange or other services indicating that login attempts have been made. Many exchanges send email notifications when someone logs in from a new location or device. If you receive such notifications and you were not the one attempting to log in, this is a critical warning sign.

Check your email inbox for password reset requests or account recovery requests from cryptocurrency exchanges or email providers. If you receive such requests when you did not initiate them, an attacker might be attempting account recovery through email.

Proactively monitor your cryptocurrency exchange accounts for login activity. Most major exchanges display recent login history, including timestamps, locations, and devices. Review this information regularly. If you see login activity you did not perform, you might be the target of an attempted SIM swap attack.
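The review described in the last three paragraphs can be automated. This added example (not code from this page or from any exchange) scans an activity export for unsolicited password resets, logins from unseen devices, and a withdrawal soon after such a login. The export format, device ids and sample rows are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event, device id, country (assumed format)
SAMPLE = """\
2024-03-01T08:02:11,login,dev-a1,US
2024-03-04T19:40:03,login,dev-a1,US
2024-03-09T02:13:45,password_reset,-,-
2024-03-09T02:15:10,login,dev-z9,RO
2024-03-09T02:21:37,withdrawal,dev-z9,RO
2024-03-10T09:00:00,login,dev-a1,US
"""


def parse(text):
    """Yield (timestamp, event, device, country) tuples from the export."""
    for line in text.strip().splitlines():
        ts, event, device, country = line.split(",")
        yield datetime.fromisoformat(ts), event, device, country


def flag_suspicious(text, window=timedelta(minutes=60)):
    """Return (timestamp, reason) alerts matching the takeover sequence."""
    known_devices, alerts = set(), []
    new_login = None  # (time, device) of the latest login from an unseen device
    for ts, event, device, country in parse(text):
        if event == "password_reset":
            alerts.append((ts, "password reset requested"))
        elif event == "login":
            if known_devices and device not in known_devices:
                alerts.append((ts, f"login from new device {device} ({country})"))
                new_login = (ts, device)  # stays untrusted until confirmed
            else:
                known_devices.add(device)  # first device seen is the baseline
        elif event == "withdrawal":
            if new_login and device == new_login[1] and ts - new_login[0] <= window:
                alerts.append((ts, "withdrawal shortly after new-device login"))
    return alerts


if __name__ == "__main__":
    for ts, reason in flag_suspicious(SAMPLE):
        print(ts.isoformat(), reason)
```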

Prevention and Protection Strategies

The most effective protection against SIM swap attacks is to avoid SMS-based 2FA for sensitive accounts. Switch cryptocurrency exchange accounts to app-based authenticators like Google Authenticator, Authy, or Microsoft Authenticator. Hardware security keys like YubiKey or Titan provide even stronger protection.

Contact your cryptocurrency exchange and inquire about 2FA options. Ask specifically whether they support authenticator apps or hardware keys. If your exchange does not offer app-based 2FA, consider moving your funds to an exchange that does.

Strengthen your mobile carrier account security. Add a PIN to your account that must be provided before any changes can be made, including SIM swaps. Most carriers offer this feature, though it must be explicitly enabled. When adding a PIN, use a strong, randomly generated PIN that is unrelated to your personal information.

Visit your mobile carrier's website or retail location in person to set up the PIN. Doing this in person, rather than by phone, adds an extra layer of verification. Document the PIN somewhere secure, just as you would a seed phrase.

Limit the personal information you share on social media. Scammers use public social media information to conduct the reconnaissance phase of SIM swap attacks. The less personal information available publicly, the harder it is for attackers to impersonate you.

Consider using a separate phone number for your cryptocurrency accounts. If you have a second phone line or a Google Voice number, use this for your exchange accounts rather than your primary mobile number. This isolates your cryptocurrency accounts from your primary phone number, making them a less attractive target.

Register important accounts—including your email, exchanges, and wallets—with strong, unique passwords. Use a password manager to store these. If an attacker attempts to access your email or exchange account through account recovery, the strong password makes it more difficult.

Set up email forwarding alerts. If an attacker has set up a forwarding rule on your email account, they receive copies of all your emails while you continue to receive them normally. Many email providers allow you to check this. In both Gmail and Outlook, look through your forwarding rules. Review these regularly.

Enable login alerts on all cryptocurrency exchanges and critical services. These alerts notify you immediately when someone logs in to your account, allowing you to revoke access if necessary.

What to Do If You Are a Victim

If you suspect a SIM swap has occurred, act immediately. Contact your mobile carrier and report the unauthorized SIM swap. Ask them to reactivate your number on your original SIM card. Provide any information they require to verify your identity.

If you have regained access to your phone, immediately log in to all cryptocurrency exchanges and change your passwords. Check your account activity for any unauthorized transactions. If funds have been withdrawn, contact the exchange immediately to report the theft.

Check your email for any forwarding rules or recovery email addresses that might have been modified. Reset any that appear to have been changed without your authorization.

Reset your authentication apps. If the attacker has access to your phone, they might have attempted to set up authenticator apps. Remove any authenticators that you do not recognize.

File a report with the FTC at reportfraud.ftc.gov, with the FBI's IC3 at ic3.gov, and with law enforcement. Provide details about the attack: when the SIM swap occurred, how much cryptocurrency was stolen, and which mobile carrier was involved.

Ask your exchange to provide detailed transaction records, including the wallet address the funds were sent to. This information will be valuable for law enforcement.

Carrier Accountability

Criticism has mounted against mobile carriers for their role in enabling SIM swap attacks. The FCC and FTC have both issued guidance and warnings to carriers. However, enforcement and accountability have been limited. Victims have increasingly filed lawsuits against carriers for negligent business practices that allowed the unauthorized SIM swap.

Some carriers have made improvements, implementing stricter verification procedures and offering PIN protection more prominently. However, the responsibility remains with users to proactively protect their accounts. Carriers have little financial incentive to make SIM swaps more difficult, as they do not bear the cost of cryptocurrency theft.

Advocacy groups have called for regulatory requirements that would mandate carriers to implement stronger security measures. Until such regulations exist, users must take personal responsibility for protecting their phone numbers.

